# systemd unit for miniupnpd, the UPnP IGD daemon.
[Unit]
Description=Lightweight UPnP IGD daemon
Documentation=man:miniupnpd(8)
# Pull in network-online.target and start only after the network targets.
Wants=network-online.target
After=network.target network-online.target
# Ordering only: nftables.service is not pulled in by this unit, but when it
# is started in the same transaction it comes up first.
After=nftables.service

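# Daemon invocation, nftables helper scripts and sandboxing.
[Service]
# Type=exec: start-up counts as done once the binary has been executed.
# NOTE(review): this expects miniupnpd to stay in the foreground with the
# arguments below; confirm for the packaged build.
Type=exec
# Creates /var/lib/miniupnpd, which stays writable under ProtectSystem=strict.
StateDirectory=miniupnpd

# No User= is set, so the daemon and both helper scripts run as the service
# manager's default user (root for a system unit), limited by the settings
# below. The sandbox settings apply to the helper scripts as well. Keep the
# scripts and the configuration under /etc/miniupnpd root-owned and not
# writable by any other account.
ExecStartPre=/etc/miniupnpd/nft_init.sh
ExecStart=/usr/bin/miniupnpd -f /etc/miniupnpd/miniupnpd.conf
ExecStopPost=/etc/miniupnpd/nft_flush.sh

# Privileges. CAP_NET_ADMIN is broad (firewall, routing and interface
# configuration), so the other restrictions matter.
# NOTE(review): confirm CAP_SETPCAP is actually required by the daemon.
CapabilityBoundingSet=CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_SETPCAP
# No process of this unit may gain privileges through execve() (setuid or
# setgid bits, file capabilities).
NoNewPrivileges=true

# File system view: read-only hierarchy, private /tmp, no home directories,
# no physical devices.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectProc=invisible

# Kernel and host state.
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true

# Process-level restrictions.
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=true

# System calls. The filter is a deny-list: the listed groups are blocked and
# every other call stays allowed.
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap
# NOTE(review): RestrictAddressFamilies= is not set, so any socket family can
# be created; narrowing it needs testing against the daemon and the nft
# scripts.
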
# Enabling the unit hooks it into multi-user.target.
[Install]
WantedBy=multi-user.target