Let's lock things down further.
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
+IPAddressDeny=any
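Review bot: The new `IPAddressDeny=any` is enforced only where the kernel and cgroup setup support cgroup BPF packet filtering; on a system without that support systemd warns at unit load and the line has no effect, so it is defense in depth on top of the existing `RestrictAddressFamilies`/`SystemCallFilter` lines rather than a guarantee. Nothing in the hunk records why this service needs no IP traffic, which is what the next maintainer has to reconsider if the service ever gains a network-facing feature; a one-line `# Needs no IP networking: drop every IP packet, loopback included` above the new line would carry that intent. The same note applies to every other hunk on this page, which all add the identical line. The enclosing `[Service]` section header lies outside the hunk.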
StateDirectory=systemd/coredump
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
+IPAddressDeny=any
ReadWritePaths=/etc
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
+IPAddressDeny=any
# Increase the default a bit in order to allow many simultaneous
# services being run since we keep one fd open per service. Also, when
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
+IPAddressDeny=any
ReadWritePaths=/etc
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
+IPAddressDeny=any
FileDescriptorStoreMax=512
# Increase the default a bit in order to allow many simultaneous
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
+IPAddressDeny=any
# Note that machined cannot be placed in a mount namespace, since it
# needs access to the host's mount namespace in order to implement the
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
+IPAddressDeny=any
ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallArchitectures=native
LockPersonality=yes
+IPAddressDeny=any
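Review bot: This hunk keeps `RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6` while the added `IPAddressDeny=any` drops every IP packet in and out of the service, loopback included. If this unit really exchanges IP traffic the new line will break it at runtime; if it does not, `AF_INET AF_INET6` are now dead weight in the socket-family allow list and `RestrictAddressFamilies=AF_UNIX AF_NETLINK` would make the two settings tell the same story. Which of the two is intended cannot be told from the hunk, since the unit name and the rest of the `[Service]` section are outside it, so this needs confirming against the service's actual socket use rather than fixed blindly.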