[Unit]
Description=KMS Emulator Per-Connection

[Service]
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
CapabilityBoundingSet=
NoNewPrivileges=true
LockPersonality=true
RestrictRealtime=true
MemoryDenyWriteExecute=true

ProtectHome=true
ProtectSystem=strict
PrivateDevices=true
PrivateUsers=true
ProtectClock=true
ProtectProc=invisible
ProcSubset=pid
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
DevicePolicy=closed

PrivateNetwork=true
RestrictAddressFamilies=~AF_INET AF_INET6
IPAddressDeny=any

DynamicUser=true

StandardInput=socket
StandardOutput=socket
ExecStart=/usr/bin/vlmcsd