-rw-r--r-- | src/upower.service.in | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/upower.service.in b/src/upower.service.in index 16dcee5..f4c6b88 100644 --- a/src/upower.service.in +++ b/src/upower.service.in @@ -20,6 +20,7 @@ PrivateTmp=true # Network # PrivateNetwork=true would block udev's netlink socket +IPAddressDeny=any RestrictAddressFamilies=AF_UNIX AF_NETLINK # Execute Mappings @@ -34,5 +35,21 @@ RestrictRealtime=true # Privilege escalation NoNewPrivileges=true +# Capabilities +CapabilityBoundingSet= + +# System call interfaces +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=ioprio_get + +# Namespaces +PrivateUsers=yes +RestrictNamespaces=yes + +# Locked memory +LimitMEMLOCK=0 + [Install] WantedBy=graphical.target |
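Review bot: The added `IPAddressDeny=any` has no comment saying how it relates to `RestrictAddressFamilies=AF_UNIX AF_NETLINK` on the following line, which already leaves out AF_INET and AF_INET6, so a reader cannot tell whether the overlap is deliberate. A line above it such as `# Second layer: IP traffic stays blocked even if the address-family list is widened later` would record the intent. systemd enforces this setting through cgroup BPF filters, so on hosts without that support it is probably not applied and the address-family restriction remains the effective control. The [Service] section these lines belong to starts above the hunk.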
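Review bot: The new `SystemCallFilter=@system-service` allow-list comes without `SystemCallErrorNumber=`, so a call outside the list terminates the process (systemd's default action) instead of failing with an errno. The separate `SystemCallFilter=ioprio_get` line suggests the daemon or its libraries already need a call beyond the group, and a later library update could need another and leave the daemon killed at runtime; adding `SystemCallErrorNumber=EPERM` below the filter lines lets such calls fail softly. The bare `CapabilityBoundingSet=` deserves a comment such as `# Empty value: drop every capability from the bounding set`, since an empty assignment reads like an omission. The new booleans are written `yes` while the surrounding context lines use `true`; matching the file would keep it uniform. The [Service] section begins outside the hunk.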