]> code.delx.au - monosys/blob - etc/systemd/system/my-overrides/10-security.conf
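# Shared hardening baseline for system services (systemd drop-in, [Service] section).
# Every setting here applies to each unit that picks up this file; how units
# include it is not visible from this file alone.
# Units that need more access should widen it in their own drop-in rather
# than by editing this file.
# To audit the effective result for a unit: systemd-analyze security <unit>
[Service]
# Never accessible to any services
InaccessiblePaths=/mnt

# By default inaccessible, may be overridden with BindPaths/BindReadOnlyPaths
# An empty read-only tmpfs is mounted over /home, hiding the real home directories.
# NOTE(review): only /home is masked here. /root and /run/user stay visible
# (read-only via ProtectSystem=strict). ProtectHome= is the setting that
# covers all three; confirm the narrower scope is intended.
TemporaryFileSystem=/home:ro

# Processes cannot gain privileges through execve() (setuid/setgid bits,
# file capabilities).
NoNewPrivileges=yes

# Mount and unmount events do not propagate between the host and the
# service's mount namespace in either direction.
# NOTE(review): systemd.exec(5) recommends the higher-level namespacing options
# (e.g. PrivateMounts=) over setting MountFlags= directly.
MountFlags=private
# Whole file system hierarchy is read-only except /dev, /proc and /sys.
# Services that write state need ReadWritePaths= or StateDirectory= and similar.
ProtectSystem=strict
# Kernel tunables under /proc/sys, /sys and similar become read-only.
ProtectKernelTunables=yes
# Explicit kernel module loading is denied.
ProtectKernelModules=yes
# The cgroup hierarchy under /sys/fs/cgroup becomes read-only.
ProtectControlGroups=yes
# Private /tmp and /var/tmp, not shared with other units.
PrivateTmp=yes
# Private /dev containing only pseudo-devices; no access to physical devices.
PrivateDevices=yes

# Allow-list for socket(): only UNIX and IPv4/IPv6 sockets may be created.
# Families not listed (e.g. AF_NETLINK, AF_PACKET) are refused, so services
# that need them must extend the list in their own drop-in.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Realtime scheduling policies cannot be acquired.
RestrictRealtime=yes
# Creating or joining Linux namespaces is denied.
RestrictNamespaces=yes
# Mappings that are both writable and executable are refused. This breaks
# programs that generate code at run time (JIT compilers).
# NOTE(review): systemd.exec(5) describes this as bypassable where the service
# can write to a file system not mounted noexec, or can use memfd_create().
# It is not a complete W^X guarantee on its own.
MemoryDenyWriteExecute=yes
# Setting the setuid/setgid bits on files is denied.
RestrictSUIDSGID=yes

# The leading "~" inverts the list: every capability EXCEPT CAP_SYS_ADMIN stays
# in the bounding set.
# NOTE(review): this is a deny-list of one. Other powerful capabilities
# (e.g. CAP_SYS_PTRACE, CAP_NET_ADMIN, CAP_DAC_OVERRIDE) remain available to
# root services unless the unit narrows the set further.
CapabilityBoundingSet=~CAP_SYS_ADMIN
# Allow-list: only system calls in the @system-service group are permitted.
SystemCallFilter=@system-service
# Filtered system calls fail with EPERM instead of terminating the process.
SystemCallErrorNumber=EPERM
# Only the native system call ABI is allowed, so a secondary ABI cannot be
# used to get around the filter above.
SystemCallArchitectures=native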