1 # The "strict" security profile for services, all options turned on
# systemd unit-file dialect: '#' full-line comments only, '=' delimiter, no quoting or
# escapes; list-type settings accumulate across repeated assignments and an empty
# assignment resets them.
# NOTE(review): this listing carries the viewer's gutter numbers (1, 5, 6, 15, ...) glued to
# each line and omits the lines in between; the [Service] header these directives belong
# under is presumably among the omitted lines -- confirm against the original file before reuse.
# Read-only bind mounts that keep logging working once the rest of the filesystem is hidden
# from the service: the classic syslog socket plus the journal's native and stdout sockets.
# connect() to an existing unix socket does not need a writable mount, so read-only is enough.
5 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
# Second assignment accumulates with the first (list-type setting). Many libraries read the
# machine id at startup; exposing just this file avoids exposing the rest of /etc.
6 BindReadOnlyPaths=/etc/machine-id
# Kernel attack surface: /proc/sys, /sys and related trees become read-only for the service.
15 ProtectKernelTunables=yes
# Loading or unloading kernel modules is refused (CAP_SYS_MODULE is dropped as a side effect).
16 ProtectKernelModules=yes
# /sys/fs/cgroup is read-only, so the service cannot rearrange its own resource control.
17 ProtectControlGroups=yes
# Allowlist: only AF_UNIX sockets may be created, i.e. the service has no network sockets.
# Units that need networking must add AF_INET/AF_INET6 in their own drop-in.
18 RestrictAddressFamilies=AF_UNIX
# Rejects memory mappings that are writable and executable at the same time (W^X).
# Breaks JIT runtimes (some JVMs, JavaScript engines); such units must override this.
21 MemoryDenyWriteExecute=yes
# "yes" prohibits creating or entering namespaces of any kind (unshare/setns/clone with CLONE_NEW*).
23 RestrictNamespaces=yes
# seccomp allowlist: systemd's documented group for typical system services. Contents vary
# by systemd version; inspect with `systemd-analyze syscall-filter @system-service`.
24 SystemCallFilter=@system-service
# A filtered syscall fails with EPERM instead of the default, which terminates the process
# with SIGSYS. Friendlier to software that probes for optional syscalls, but quieter: a
# denied call no longer crashes the service, so watch seccomp denials in the audit/kernel
# log rather than relying on crashes to notice them.
25 SystemCallErrorNumber=EPERM
# Only the native syscall ABI is permitted; secondary ABIs (e.g. 32-bit compat) are
# rejected so they cannot sidestep the filter above.
26 SystemCallArchitectures=native