# You should not need to edit this file. Instead, use a drop-in file:
#   systemctl edit kanidm-unixd-tasks.service

[Unit]
# Human-readable name shown by systemctl and in the journal.
Description=Kanidm Local Tasks
# Ordering only. After= delays this unit until the listed units have been started
# when they are part of the same transaction; it does not pull any of them in.
# This file declares no Requires=, Wants= or BindsTo=, so as written the unit can
# be started while kanidm-unixd.service is absent or stopped.
# NOTE(review): confirm that a dependency on kanidm-unixd.service is not wanted here.
# NOTE(review): chronyd/ntpd ordering is presumably for a synchronised clock - confirm.
After=chronyd.service ntpd.service network-online.target kanidm-unixd.service

[Service]
# Runs as root; the directives below are what narrow that privilege. Review them
# together: removing one (in a drop-in or here) widens what a compromised process can do.
User=root
# Type=simple: the process started by ExecStart= is the main service process.
Type=simple
ExecStart=/usr/bin/kanidm_unixd_tasks

# Capabilities outside this set cannot be acquired by the service or its children.
# The four that remain are still broad: CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH
# bypass file permission checks, CAP_CHOWN allows arbitrary ownership changes and
# CAP_FOWNER bypasses owner-match checks. Where writes can land is bounded by
# ProtectSystem=/ReadWritePaths= below, not by file permissions.
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
# Disabled: no SystemCallFilter= allow-list is in effect for this unit.
# NOTE(review): the reason for commenting this out is not recorded in this file;
# re-enabling needs testing against the syscalls the daemon actually makes.
# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
# Mounts the whole file system hierarchy read-only for this service
# (except the API file systems /dev, /proc and /sys).
ProtectSystem=strict
# Re-opens only these paths for writing. All of /home is writable, which together
# with the DAC capabilities above means every user's home directory is in reach.
# NOTE(review): /var/run is normally a compatibility symlink to /run; consider
# naming /run/kanidm-unixd directly.
ReadWritePaths=/home /var/run/kanidm-unixd
# Only AF_UNIX sockets may be created; no IP or netlink sockets.
RestrictAddressFamilies=AF_UNIX
# execve() cannot grant new privileges (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# Private /dev containing only pseudo-devices; no access to physical devices.
PrivateDevices=true
# Own network namespace with only a loopback interface; no host network access.
# Unix sockets on the file system remain usable.
PrivateNetwork=true
# Host name and NIS domain name cannot be changed.
ProtectHostname=true
# System and hardware clock cannot be set.
ProtectClock=true
# Kernel tunables under /proc/sys, /sys and similar are read-only.
ProtectKernelTunables=true
# Kernel modules cannot be loaded or unloaded.
ProtectKernelModules=true
# No access to the kernel log ring buffer.
ProtectKernelLogs=true
# The control group hierarchy under /sys/fs/cgroup is read-only.
ProtectControlGroups=true
# Memory mappings that are writable and executable at the same time are refused.
MemoryDenyWriteExecute=true
# NOTE(review): not set in this file: RestrictSUIDSGID=, RestrictNamespaces=,
# RestrictRealtime=, LockPersonality=, SystemCallArchitectures=. They are candidates
# for further tightening, each to be tested against the daemon first;
# `systemd-analyze security kanidm-unixd-tasks.service` reports the remaining exposure.

[Install]
# `systemctl enable` hooks this unit into multi-user.target, so it is started
# on a normal (non-rescue) boot.
WantedBy=multi-user.target