-
Notifications
You must be signed in to change notification settings - Fork 9
/
prelockd.service.in
34 lines (32 loc) · 820 Bytes
/
prelockd.service.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[Unit]
Description=Daemon that locks executables/libraries in memory
Documentation=man:prelockd(8) https://github.com/hakavlad/prelockd
[Service]
ExecStart=:TARGET_SBINDIR:/prelockd -c :TARGET_SYSCONFDIR:/prelockd.conf
User=prelockd
Slice=unevictable.slice
TasksMax=1
UMask=0166
OOMScoreAdjust=-100
LimitNOFILE=8192
AmbientCapabilities=CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_OVERRIDE
ReadWritePaths=/var/lib/prelockd
ProtectSystem=strict
PrivateDevices=true
PrivateNetwork=true
ProtectHome=true
RestrictRealtime=yes
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
LockPersonality=yes
ProtectHostname=true
ProtectClock=true
ProtectKernelLogs=true
NoNewPrivileges=yes
RestrictSUIDSGID=yes
[Install]
WantedBy=multi-user.target