Diffstat (limited to 'vlmcsd@.service')
-rw-r--r-- | vlmcsd@.service | 34 |
1 files changed, 32 insertions, 2 deletions
diff --git a/vlmcsd@.service b/vlmcsd@.service
index 94e50e58e09e..1a23d7e1f406 100644
--- a/vlmcsd@.service
+++ b/vlmcsd@.service
@@ -2,7 +2,37 @@
 Description=KMS Emulator Per-Connection
 
 [Service]
-User=nobody
-ExecStart=/usr/bin/vlmcsd
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+LockPersonality=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+
+ProtectHome=true
+ProtectSystem=strict
+PrivateDevices=true
+PrivateUsers=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+DevicePolicy=closed
+
+PrivateNetwork=true
+RestrictAddressFamilies=~AF_INET AF_INET6
+IPAddressDeny=any
+
+DynamicUser=true
+
 StandardInput=socket
 StandardOutput=socket
+ExecStart=/usr/bin/vlmcsd |
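Review bot: The two `RestrictAddressFamilies=` lines contradict each other on first read: the first allow-lists AF_INET and AF_INET6, and the later `RestrictAddressFamilies=~AF_INET AF_INET6` removes both again, so the merged result should be an empty allow-list that denies socket() for every family. That looks intended for a per-connection unit that only talks over the socket handed in through `StandardInput=socket`, alongside `PrivateNetwork=true` and `IPAddressDeny=any`, but nothing in the unit says so and a later editor could "fix" either line. I would drop the first line and, if the systemd versions this package targets support it, write `RestrictAddressFamilies=none`, preceded by a comment such as `# Connection socket is inherited from the .socket unit; the service never opens sockets itself.` Running `systemd-analyze security` against the unit would confirm the merged setting is the one expected.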