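# The "default" security profile for services, i.e. a number of useful restrictions
#
# systemd unit drop-in (systemd.exec(5) syntax): full-line '#' comments only,
# repeated list-type keys such as BindReadOnlyPaths= accumulate, and
# backslash-newline continues a value.

[Service]
# Mount a private /proc, /sys and /dev into the sandbox (required for the
# Protect*= and Private*= settings below to operate on the service's own view).
MountAPIVFS=yes

# With ProtectSystem=strict the rest of the file system is read-only; these
# read-only bind mounts are the explicit allow-list of host paths the service
# still needs: journal sockets for logging, machine-id, resolver configuration
# and the system bus socket.
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
BindReadOnlyPaths=/etc/machine-id
BindReadOnlyPaths=/etc/resolv.conf
# '-' makes this mount optional: without the prefix a missing source path makes
# the unit fail to start, i.e. the profile would be unusable on hosts that run
# no system bus (or expose its socket elsewhere). Omitting the mount only
# removes bus access, it never widens the sandbox.
BindReadOnlyPaths=-/run/dbus/system_bus_socket

# Run as a transient, unprivileged UID/GID allocated at start-up; clean up any
# SysV/POSIX IPC objects that UID owns when the service stops so nothing leaks
# to a later service that happens to get the same dynamic UID.
DynamicUser=yes
RemoveIPC=yes

# Capability bounding set. NOTE(review): this is deliberately broad for a
# "default" profile (it keeps CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_DAC_OVERRIDE,
# CAP_SETUID/CAP_SETGID and CAP_MKNOD). PrivateUsers=yes below runs the service
# in its own user namespace, so per systemd.exec(5) these capabilities are not
# host-root capabilities, but a per-service profile should still trim this list
# to what the payload actually uses.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
                      CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \
                      CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \
                      CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE

# Private namespaces: own /tmp and /var/tmp, a /dev without physical device
# nodes, and a user namespace so the host's root UID is not mapped.
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes

# File-system and kernel-interface protection: everything read-only except
# what is explicitly bind-mounted or listed in a per-service
# ReadWritePaths=/StateDirectory=; no /home, no sysctl/module/cgroup writes.
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Only local sockets, netlink and IP are reachable; anything else (AF_PACKET,
# AF_BLUETOOTH, ...) is refused.
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6

# Execution-environment hardening. MemoryDenyWriteExecute= blocks W+X memory
# mappings, which JIT-based runtimes (JVM, JavaScript engines, ...) rely on;
# such services must override it in their own drop-in. RestrictNamespaces=
# blocks creating further namespaces from inside the sandbox.
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes

# seccomp: allow the @system-service set, refuse everything else.
# NOTE(review): SystemCallErrorNumber=EPERM makes a filtered syscall return
# EPERM instead of killing the process with SIGSYS. That is more compatible,
# but it also means a sandbox violation is not surfaced as a crash; drop the
# EPERM line when you want hard-fail behaviour during testing or auditing.
# SystemCallArchitectures=native refuses non-native ABIs (e.g. i386/x32 on
# x86-64) so the filter cannot be bypassed via a secondary syscall table.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native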