# The "nonetwork" security profile for services: the "default" profile with
# the networking socket families taken away.
#
# NOTE(review): "without networking" means the service cannot create
# AF_INET/AF_INET6 (or any other non-listed) sockets itself. It is not a
# network namespace: the D-Bus and journal sockets bound in below still let
# it talk to services that do have network access. If real isolation is
# wanted, PrivateNetwork=yes is the stronger setting -- it may already be set
# in a part of this profile not shown here; confirm before relying on it.
#
# NOTE(review): NoNewPrivileges= is not among the settings shown. For system
# services the seccomp-based settings below do not imply it on their own, so
# confirm it is set elsewhere or add NoNewPrivileges=yes unless the consumers
# of this profile depend on setuid/setgid helpers.

# The actual "no network" part: an allow-list of socket families.
# AF_UNIX for local IPC; AF_NETLINK for kernel notifications and lookups
# (e.g. uevents, rtnetlink queries). Netlink does not provide network I/O,
# and changing network configuration over it generally needs CAP_NET_ADMIN,
# which is deliberately absent from the bounding set below.
RestrictAddressFamilies=AF_UNIX AF_NETLINK

# Host paths the sandboxed service still needs, bind-mounted read-only:
# syslog/journal logging, a stable machine ID and the system D-Bus socket.
# Presumably paired with a private root (RootDirectory=/RootImage=) configured
# elsewhere in the profile -- confirm.
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout \
/etc/machine-id \
/run/dbus/system_bus_socket

# Capability bounding set; every capability not listed is removed.
# Grouped by purpose:
#   file ownership / permission checks: CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID
#   SysV IPC and memory locking:        IPC_LOCK IPC_OWNER
#   process control:                    KILL SETGID SETPCAP SETUID
#   system-level:                       MKNOD SYS_ADMIN SYS_CHROOT SYS_NICE SYS_RESOURCE
# NOTE(review): CAP_SYS_ADMIN is by far the broadest entry here and is close
# to root-equivalent; confirm the services on this profile actually need it,
# since it largely defeats the point of a capability allow-list.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID \
CAP_IPC_LOCK CAP_IPC_OWNER \
CAP_KILL CAP_SETGID CAP_SETPCAP CAP_SETUID \
CAP_MKNOD CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE

# Kernel interfaces: /proc/sys, /sys and friends become read-only; explicit
# module loading is refused (CAP_SYS_MODULE is dropped as well); the cgroup
# hierarchy is read-only.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# No memory mapping may be writable and executable at the same time.
# NOTE(review): this is known to break JIT-based runtimes; a service that
# needs one has to override it in its own unit.
MemoryDenyWriteExecute=yes

# The service may not create namespaces of any kind.
RestrictNamespaces=yes

# System call allow-list: the generic service set, which leaves out, for
# example, @mount, @swap, @reboot and @clock. Filtered calls fail with EPERM
# instead of killing the process, so a blocked call shows up as an error in
# the service's own logs rather than a SIGSYS crash -- watch for silent
# degradation when onboarding a new service. Only the native ABI is allowed,
# so the filter cannot be sidestepped through a compat (32-bit/x32) ABI.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native