# The "strict" security profile for services, all options turned on
#
# Every directive below narrows what the service process can see or do.
# The mount set-up (MountAPIVFS=, the journal/machine-id bind mounts)
# presumably targets a service confined to its own root directory or
# image; inside that root the bind mounts are what keep stdout/stderr
# and syslog-style logging reachable, since AF_UNIX is the only
# address family left open.

[Service]

# --- Filesystem view -----------------------------------------------------
# Mount /proc, /sys, /dev, /run into the service's root.
MountAPIVFS=yes
# Read-only bind mounts: the journal's socket/stdout endpoints plus
# /dev/log for logging, and /etc/machine-id for a stable identity.
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /etc/machine-id
# Read-only OS tree; /home, /root, /run/user unavailable; private /tmp
# and a minimal /dev without physical devices.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# --- Identity and privilege ----------------------------------------------
# Transient, unprivileged user allocated per invocation; its IPC objects
# are removed when the service stops.
DynamicUser=yes
RemoveIPC=yes
# Own user namespace, so host uids/gids are not addressable.
PrivateUsers=yes
# Empty bounding set: the service holds no capabilities at all.
CapabilityBoundingSet=
# Block privilege escalation via setuid/setgid/file capabilities.
NoNewPrivileges=yes

# --- Kernel and process hardening ----------------------------------------
# /proc/sys, /sys, cgroup tree read-only; module loading blocked.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# No personality changes, no writable+executable memory, no realtime
# scheduling, no creation of new namespaces.
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes

# --- System call filtering -----------------------------------------------
# Only the @system-service allow-list; other calls fail with EPERM rather
# than killing the process, and only the native ABI is accepted.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# --- Network -------------------------------------------------------------
# Private, empty network namespace, plus a belt-and-braces deny of all
# IP traffic; only AF_UNIX sockets can be created.
PrivateNetwork=yes
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX

# --- Resources -----------------------------------------------------------
# Hard cap on threads/processes in the service's cgroup.
TasksMax=4

# NOTE(review): newer systemd releases add further switches not set here
# (e.g. ProtectKernelLogs=, ProtectClock=, ProtectHostname=,
# RestrictSUIDSGID=, ProtectProc=); whether they belong in this profile
# depends on the minimum systemd version this file ships with — verify.