1 # The "strict" security profile for services, all options turned on
#
# Portable-service profile (src/portable/profile/strict/service.conf): a
# drop-in of systemd.exec(5)/systemd.resource-control(5) sandboxing settings.
# NOTE(review): "all options" can only mean the directives listed below; any
# sandboxing directive not named here keeps its default. Reviewing the
# resulting unit with `systemd-analyze security` shows what remains exposed.
# Comments must stay on their own lines: unit files have no trailing-comment
# syntax, so a '#' after a value would become part of the value.
2
3 [Service]
# --- File system view -------------------------------------------------------
# Mount the kernel API file systems (/proc, /sys, /dev) inside the service's
# private mount namespace.
4 MountAPIVFS=yes
# Bind the host's logging sockets into the service's view so it can still log
# to syslog and the journal.
5 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
# Expose the host's machine ID, read-only.
6 BindReadOnlyPaths=/etc/machine-id
# --- Identity and privileges ------------------------------------------------
# Run under a UID/GID allocated for the lifetime of the service, not a fixed
# account.
7 DynamicUser=yes
# Remove SysV/POSIX IPC objects owned by the service user when the unit stops.
8 RemoveIPC=yes
# Empty assignment resets the bounding set to the empty set: the service can
# hold no capabilities at all.
9 CapabilityBoundingSet=
# Private /tmp and /var/tmp, not shared with the host or other units.
10 PrivateTmp=yes
# Private /dev with only pseudo-devices such as /dev/null; no physical devices.
11 PrivateDevices=yes
# Private user namespace with a minimal mapping, so other host users are not
# visible as themselves inside the service.
12 PrivateUsers=yes
# Whole file system hierarchy read-only, apart from the API file systems.
13 ProtectSystem=strict
# /home, /root and /run/user appear empty and inaccessible.
14 ProtectHome=yes
# Kernel tunables (/proc/sys, /sys and similar) are read-only.
15 ProtectKernelTunables=yes
# Explicit kernel module loading is denied.
16 ProtectKernelModules=yes
# The control group hierarchy under /sys/fs/cgroup is read-only.
17 ProtectControlGroups=yes
# --- Kernel attack surface --------------------------------------------------
# Allow-list: only AF_UNIX sockets may be created, which rules out IP and
# netlink sockets at the socket() level.
18 RestrictAddressFamilies=AF_UNIX
# The execution domain (personality(2)) cannot be changed.
19 LockPersonality=yes
# Neither the service nor its children can gain privileges through execve()
# (setuid/setgid bits, file capabilities).
20 NoNewPrivileges=yes
# Memory mappings that are writable and executable at the same time are
# refused. Programs that generate code at run time (JIT engines) will not work
# under this profile.
21 MemoryDenyWriteExecute=yes
# Realtime scheduling policies are refused.
22 RestrictRealtime=yes
# Creating or joining any type of Linux namespace is refused.
23 RestrictNamespaces=yes
# Allow-list of system calls: only the predefined @system-service set is
# permitted.
24 SystemCallFilter=@system-service
# A filtered system call fails with EPERM instead of terminating the process.
25 SystemCallErrorNumber=EPERM
# Only the native system call ABI is accepted, so the filter above cannot be
# sidestepped through a secondary ABI (for example 32-bit calls on a 64-bit
# host).
26 SystemCallArchitectures=native
# --- Network ----------------------------------------------------------------
# Own network namespace containing only a loopback device.
27 PrivateNetwork=yes
# Deny all IP traffic for the unit's control group as well; this is a separate
# mechanism from the network namespace above, so the two act as independent
# layers.
28 IPAddressDeny=any
# --- Resources --------------------------------------------------------------
# At most 4 tasks (processes and threads together) in the unit. This bounds
# fork bombs, but it is also low enough to break anything with a thread pool.
29 TasksMax=4