blob: 8b6bc7771c91dee14e785f4352781a469c8a4b25 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
[Unit]
Description = XMLTV grabber tool using Gracenote's TMS API
After=network.target
[Service]
ExecStart = /usr/bin/easyepg-lite-git
User = easyepg-lite-git
WorkingDirectory = %S/easyepg-lite-git
StateDirectory = easyepg-lite-git
StateDirectoryMode = 0700
DynamicUser = yes
CapabilityBoundingSet =
RestrictAddressFamilies = AF_INET6 AF_INET
RestrictNamespaces = yes
NoNewPrivileges = yes
PrivateDevices = yes
PrivateMounts = yes
PrivateTmp = yes
PrivateUsers = yes
ProtectClock = yes
ProtectControlGroups = yes
ProtectHome = yes
ProtectKernelLogs = yes
ProtectKernelModules = yes
ProtectKernelTunables = yes
ProtectProc = invisible
ProtectSystem = strict
RestrictSUIDSGID = yes
SystemCallArchitectures = native
SystemCallFilter = @system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RestrictRealtime = yes
LockPersonality = yes
MemoryDenyWriteExecute = yes
RemoveIPC = yes
UMask = 077
ProtectHostname = yes
ProcSubset = pid
[Install]
WantedBy=multi-user.target
|