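# Sandboxing settings for a systemd service (systemd unit-file dialect).
# systemd only recognises full-line comments, so every note here sits on its own
# line: a trailing "# ..." after a value would become part of the value.
[Service]

# Never accessible to the service, regardless of other mount settings.
InaccessiblePaths=/mnt

# Replaces /home with an empty read-only tmpfs, so by default it is inaccessible;
# individual paths may be overridden (re-exposed) with BindPaths= / BindReadOnlyPaths=.
TemporaryFileSystem=/home:ro

NoNewPrivileges=yes
MountFlags=private

# Whole file-system hierarchy is read-only except /dev, /proc and /sys; any state
# the service must write needs an explicit ReadWritePaths=, StateDirectory= or similar.
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
PrivateTmp=yes
PrivateDevices=yes

# Only local sockets and IPv4/IPv6; other families (AF_NETLINK, AF_PACKET, ...) are denied.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=yes
RestrictNamespaces=yes

# Forbids memory that is both writable and executable.
# NOTE(review): incompatible with JIT runtimes - confirm the service does not use one.
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes

# Deny-list: the leading "~" removes only CAP_SYS_ADMIN and keeps every other capability.
# If the service needs no capabilities at all, an empty allow-list (CapabilityBoundingSet=)
# is the stronger setting.
CapabilityBoundingSet=~CAP_SYS_ADMIN

# Syscall allow-list; a call outside the group fails with EPERM instead of killing
# the process with SIGSYS (the default).
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Only the native ABI is allowed (e.g. no 32-bit compat syscalls on x86-64).
SystemCallArchitectures=native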