service unit file sample
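# Hardened systemd service template. Parsed by systemd, not a generic INI
# reader: '#' full-line comments only, '=' delimiter, repeated list-type keys
# accumulate. %N expands to the unit name without its ".service" suffix.
[Unit]
Description=/opt/bin/%N
# Orders start after network.target; a service that needs configured
# addresses at startup would want network-online.target instead.
After=network.target

[Service]
# Lock the secure bits so the process cannot regain root-style privilege
# semantics later.
SecureBits=no-setuid-fixup-locked noroot-locked keep-caps
# Only local and IPv4/IPv6 sockets; other families (netlink, packet, ...)
# are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# The single capability kept: binding ports below 1024. Ambient so it
# survives the switch to the unprivileged dynamic user; bounding set so
# nothing else can ever be acquired.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Restart=always
# No back-off: a crash loop hits the unit's default start rate limit
# quickly (StartLimitIntervalSec/StartLimitBurst) and leaves it failed.
RestartSec=0
ExecStart=/opt/bin/%N
# Slurp environment variables up from this file. No leading '-', so a
# missing file fails the start. Values land in the process environment
# (visible to anything the service spawns), so keep secrets out of it.
EnvironmentFile=/etc/default/%N
# These create per-unit directories and export $CACHE_DIRECTORY,
# $CONFIGURATION_DIRECTORY, $STATE_DIRECTORY and $RUNTIME_DIRECTORY.
# NOTE(review): cache/state/runtime are expected to stay writable under
# ProtectSystem=strict while the configuration directory is root-owned and
# read-only — confirm against the systemd version in use.
CacheDirectory=%N
ConfigurationDirectory=%N
StateDirectory=%N
RuntimeDirectory=%N
# Transient UID/GID per run. DynamicUser implies much of what follows
# (NoNewPrivileges, PrivateTmp, RemoveIPC, RestrictSUIDSGID,
# ProtectSystem=strict, ProtectHome=read-only); the explicit settings below
# keep the intent visible and tighten ProtectHome from read-only to hidden.
DynamicUser=true
# Security bits
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RemoveIPC=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
KeyringMode=private
ProtectSystem=strict
# Seccomp: native ABI only; anything outside the allow-list fails with
# EPERM instead of killing the process. Kept as ONE assignment: systemd
# merges repeated SystemCallFilter= allow-lists, and @system-service already
# contains @basic-io, @network-io and @io-event, so a second line listing
# them only obscured the effective filter.
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target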