# The "nonetwork" security profile for services, i.e. like "default" but without networking
#
# systemd service profile (systemd.exec(5) directives). Read by systemd, so only
# full-line comments are safe; "\" at end of line continues the value on the next line.
# Repeated BindReadOnlyPaths= lines accumulate rather than override each other.

[Service]
# Mount /proc, /sys and /dev inside the service's private root so the
# sandboxed binary still sees an API filesystem.
MountAPIVFS=yes
# Read-only host paths exposed into the sandbox, grouped by purpose:
# logging sockets (syslog + journal stdout/stderr forwarding) ...
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
# ... the host machine identity ...
BindReadOnlyPaths=/etc/machine-id
# ... and the D-Bus system bus socket. Note: D-Bus is an IPC channel out of the
# sandbox even though IP networking is disabled below.
BindReadOnlyPaths=/run/dbus/system_bus_socket
# Transient UID/GID allocated at start and released at stop; no persistent
# account exists for the service.
DynamicUser=yes
# Clean up SysV/POSIX IPC objects owned by that transient user when it stops.
RemoveIPC=yes
# Upper bound on capabilities the service can ever hold. This is a generous set
# (it mirrors the "default" profile): CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SETUID
# and CAP_SETGID are each broad on their own. A service that does not need them
# should tighten this further in its own unit.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
    CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \
    CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
# Private /tmp and /var/tmp, and a private /dev holding only pseudo-devices
# (no access to physical device nodes).
PrivateTmp=yes
PrivateDevices=yes
# Separate user namespace: only root and the service's own UID/GID are mapped,
# every other host UID/GID appears as "nobody".
PrivateUsers=yes
# Whole filesystem read-only except /dev, /proc and /sys; writable locations
# must be granted explicitly (ReadWritePaths=, StateDirectory=, ...).
ProtectSystem=strict
# /home, /root and /run/user are made inaccessible.
ProtectHome=yes
# Kernel tunables (/proc/sys, /sys, ...) read-only, module loading denied,
# cgroup hierarchy read-only.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Only UNIX and netlink sockets may be created; AF_INET/AF_INET6 socket()
# calls fail. Complements PrivateNetwork= / IPAddressDeny= below.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
# No personality() changes.
LockPersonality=yes
# Forbid mappings that are writable and executable at once (W^X). Caveat: this
# breaks runtimes that JIT-compile; such services must override it.
MemoryDenyWriteExecute=yes
# No realtime scheduling, no creation of new namespaces.
RestrictRealtime=yes
RestrictNamespaces=yes
# Seccomp allow-list of the usual system-service syscalls. Disallowed calls
# return EPERM instead of terminating the process with SIGSYS, so violations
# show up as errors in the service's own logs rather than as a kill.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Only the native ABI; compat (e.g. 32-bit) syscall entry points are rejected.
SystemCallArchitectures=native
# The "nonetwork" part: a private network namespace containing only loopback.
PrivateNetwork=yes
# Defense in depth: deny all IP traffic at the cgroup level as well, so the
# service stays offline even if its network namespace is later shared.
IPAddressDeny=any