# The "nonetwork" security profile for portable services.
#
# Same sandbox as the "default" profile, except that IP networking is taken
# away: the service gets a private network namespace, every IP address is
# denied, and no IP socket family may be created (see the networking group
# at the bottom of this file).
#
# "No network" does not mean "no IPC": AF_UNIX stays allowed and the journal
# and D-Bus system bus sockets are bind-mounted in below, so a service under
# this profile can still reach local peers (and anything they proxy) over
# the system bus. Use a stricter profile if that is not acceptable.

[Service]

# --- Filesystem view of the sandbox -----------------------------------
MountAPIVFS=yes
# Host sockets the sandbox needs for logging (syslog and the journal).
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
# Host machine identity, read-only.
BindReadOnlyPaths=/etc/machine-id
# D-Bus system bus socket: local IPC is deliberately NOT cut off here.
BindReadOnlyPaths=/run/dbus/system_bus_socket
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# --- Identity and privilege ---------------------------------------------
DynamicUser=yes
RemoveIPC=yes
PrivateUsers=yes
# Bounding set as in the "default" profile. It is broad (CAP_SYS_ADMIN,
# CAP_DAC_OVERRIDE, CAP_SETUID/CAP_SETGID ...); NOTE(review): with
# PrivateUsers= and DynamicUser= these should not amount to host-root
# privilege, but confirm against systemd.exec(5) before reusing this list
# in a profile without those two settings.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \
CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE

# --- Kernel attack surface ----------------------------------------------
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
# Filtered syscalls fail with EPERM rather than killing the process, so a
# service that merely probes for an unavailable syscall keeps running.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# --- Networking: what makes this profile "nonetwork" --------------------
# Private network namespace: the service sees no host interfaces.
PrivateNetwork=yes
# Deny all IP traffic in addition to the namespace isolation (defense in
# depth). NOTE(review): there is no IPAddressAllow=, so this presumably
# blocks loopback inside the private namespace as well — confirm against
# systemd.resource-control(5) if a service needs 127.0.0.1.
IPAddressDeny=any
# Only UNIX-domain and netlink sockets may be created; no IP families.
RestrictAddressFamilies=AF_UNIX AF_NETLINK