1 files changed, 26 insertions, 1 deletions

diff --git a/bandwidthd-webui.service b/bandwidthd-webui.service
index b77740cdd931..919fb42d5242 100644
--- a/bandwidthd-webui.service
+++ b/bandwidthd-webui.service
@@ -8,8 +8,33 @@ User=bandwidthd
 Group=bandwidthd
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+PrivateDevices=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+StateDirectory=bandwidthd
+RuntimeDirectory=bandwidthd
+ConfigurationDirectory=bandwidthd
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+UMask=066
+ProtectHostname=true
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
 ExecStart=/usr/bin/nginx -c /etc/bandwidthd/bandwidthd-webui.conf
-PIDFile=/run/bandwidthd/bandwidthd-webui.pid
+PIDFile=bandwidthd/bandwidthd-webui.pid
 
 [Install]
 WantedBy=bandwidthd.service