Diffstat (limited to 'vlmcsd.service')
-rw-r--r-- | vlmcsd.service | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/vlmcsd.service b/vlmcsd.service
index e499d0880938..8eaf331274b0 100644
--- a/vlmcsd.service
+++ b/vlmcsd.service
@@ -2,8 +2,34 @@
 Description=KMS Emulator
 
 [Service]
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+LockPersonality=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+
+ProtectHome=true
+ProtectSystem=strict
+PrivateDevices=true
+PrivateUsers=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+DevicePolicy=closed
+
+DynamicUser=true
+
 Type=forking
-User=nobody
 ExecStart=/usr/bin/vlmcsd
 
 [Install] |
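Review bot: The added sandbox confines the process on the host but leaves its network reach untouched: `RestrictAddressFamilies=AF_INET AF_INET6` only selects socket families, so the listener is still reachable from any address and the process can still connect out to any address. If the clients sit on known networks, `IPAddressDeny=any` together with `IPAddressAllow=localhost <CLIENT-CIDR-PLACEHOLDER>` would close that. The same line omits AF_UNIX, which would presumably break syslog output via /dev/log if a logging option is ever added to `ExecStart=`; a comment such as `# AF_UNIX omitted: add it back before enabling syslog logging` would flag this. `DynamicUser=true` already implies `ProtectSystem=strict` and `NoNewPrivileges=true`, so a one-line comment saying the explicit settings are kept on purpose would save the next reader a lookup. The `[Install]` section continues outside the hunk.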