|
|
|
|
@ -13,7 +13,35 @@ RemainAfterExit=yes
|
|
|
|
|
|
|
|
|
|
WorkingDirectory=%E/wireguard
|
|
|
|
|
ConfigurationDirectory=wireguard
|
|
|
|
|
ConfigurationDirectoryMode=700
|
|
|
|
|
ConfigurationDirectoryMode=0700
|
|
|
|
|
ReadOnlyPaths=%E/wireguard
|
|
|
|
|
ReadWritePaths=%E/netns
|
|
|
|
|
|
|
|
|
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
|
|
|
|
|
LimitNOFILE=4096
|
|
|
|
|
LimitNPROC=512
|
|
|
|
|
LockPersonality=true
|
|
|
|
|
MemoryDenyWriteExecute=true
|
|
|
|
|
NoNewPrivileges=true
|
|
|
|
|
PrivateDevices=true
|
|
|
|
|
PrivateMounts=true
|
|
|
|
|
PrivateTmp=true
|
|
|
|
|
ProcSubset=pid
|
|
|
|
|
ProtectClock=true
|
|
|
|
|
ProtectControlGroups=true
|
|
|
|
|
ProtectHome=true
|
|
|
|
|
ProtectHostname=true
|
|
|
|
|
ProtectKernelLogs=true
|
|
|
|
|
ProtectKernelModules=true
|
|
|
|
|
ProtectKernelTunables=true
|
|
|
|
|
ProtectProc=noaccess
|
|
|
|
|
ProtectSystem=strict
|
|
|
|
|
RemoveIPC=true
|
|
|
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
|
|
|
|
|
RestrictNamespaces=mnt net
|
|
|
|
|
RestrictRealtime=true
|
|
|
|
|
RestrictSUIDSGID=true
|
|
|
|
|
SystemCallArchitectures=native
|
|
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
|
WantedBy=multi-user.target
|
|
|
|
|
|
Marek Küthe
12 months ago
committed by
dadevel