diff options
| -rw-r--r-- | dist/scrapbook.service | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/dist/scrapbook.service b/dist/scrapbook.service index c12ed45..a4871a9 100644 --- a/dist/scrapbook.service +++ b/dist/scrapbook.service @@ -7,5 +7,29 @@ Group=scrapbook Restart=always ExecStart=/usr/local/bin/scrapbook +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +NoNewPrivileges=true +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM + +ProtectSystem=strict +ProtectHome=true +PrivateTmp=true +PrivateDevices=true +TemporaryFileSystem=/var:ro /etc:ro +BindReadOnlyPaths=/etc/scrapbook +BindPaths=/var/lib/scrapbook +NoExecPaths=/ +ExecPaths=/usr/local/bin/scrapbook + +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +ProtectClock=true +RestrictRealtime=true +RestrictSUIDSGID=true + [Install] WantedBy=multi-user.target |