Dissecting a coredump is possibly risky and might take a while, hence
lock down the unit as much as we can.
ExecStart=-@rootlibexecdir@/systemd-coredump
Nice=9
OOMScoreAdjust=500
+RuntimeMaxSec=5min
+PrivateTmp=yes
+PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=strict
-RuntimeMaxSec=5min
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
ReadWritePaths=/var/lib/systemd/coredump
-ProtectKernelModules=yes