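# systemd service unit for the qrbill-api web server (see ExecStart= below).
# Comments use '#' at column 0 only; systemd does not support inline comments.
# Directives unknown to an older systemd are logged and ignored, not fatal.
[Unit]
Description=qrbill
# Order the service after basic networking so the listener is started once
# the network stack is up on boot.
After=network.target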
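[Service]
ExecStart=/usr/local/bin/qrbill-api
# Restart on abnormal exit (crash, signal, non-zero status); a clean exit
# or an explicit stop leaves the service stopped.
Restart=on-failure

# Run under a transient UID/GID allocated per invocation; nothing on disk is
# owned by a static account. DynamicUser= also implies ProtectSystem=strict,
# ProtectHome=read-only, PrivateTmp=yes, RemoveIPC=yes, RestrictSUIDSGID=yes
# and NoNewPrivileges=yes; the ones that matter are restated below so the
# effective sandbox is readable in one place.
# See also http://0pointer.net/blog/dynamic-users-with-systemd.html
DynamicUser=yes

# Whole OS tree read-only, private /tmp (both implied by DynamicUser=,
# stated explicitly):
ProtectSystem=strict
PrivateTmp=yes

# Remove all capabilities(7), this is a stateless web server:
CapabilityBoundingSet=

# Ensure the service can never gain new privileges:
NoNewPrivileges=yes

# Prohibit access to any kind of namespacing:
RestrictNamespaces=yes

# Make home directories inaccessible (tighter than the read-only default
# that DynamicUser= alone would give):
ProtectHome=yes

# Make device nodes except for /dev/null, /dev/zero, /dev/full,
# /dev/random and /dev/urandom inaccessible:
PrivateDevices=yes

# Make users other than root and the user for this daemon inaccessible:
PrivateUsers=yes

# Make cgroup file system hierarchy inaccessible:
ProtectControlGroups=yes

# Deny kernel module loading:
ProtectKernelModules=yes

# Make kernel variables (e.g. /proc/sys) read-only:
ProtectKernelTunables=yes

# Make the kernel log buffer, the hostname and the system clock read-only:
ProtectKernelLogs=yes
ProtectHostname=yes
ProtectClock=yes

# Forbid setuid/setgid file creation, personality(2) changes and realtime
# scheduling; a web server needs none of them:
RestrictSUIDSGID=yes
LockPersonality=yes
RestrictRealtime=yes

# Only permit the socket families an HTTP server needs. AF_UNIX is kept so
# local sockets (e.g. logging) keep working; drop it once the binary is
# confirmed never to open one. AF_NETLINK is deliberately absent — verify
# the service still starts after this is deployed.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Candidate once it is confirmed the binary needs no writable+executable
# memory mappings (breaks JIT-based runtimes, harmless for most others):
# MemoryDenyWriteExecute=yes

# Filter dangerous system calls. The following is listed as safe basic choice
# in systemd.exec(5):
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM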
[Install]
# Pull the service into the normal multi-user boot target when enabled.
WantedBy=multi-user.target