LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
+ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
+ProtectKernelLogs=yes
ProtectSystem=strict
Restart=on-failure
RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes