| Dir : /lib/systemd/portable/profile/default/ |
| Server: Linux cloud.virginhosting.lk 4.18.0-477.27.2.lve.el8.x86_64 #1 SMP Wed Oct 11 12:32:56 UTC 2023 x86_64 IP: 128.140.68.198 |
| Dir : //lib/systemd/portable/profile/default/service.conf |
# The "default" security profile for services, i.e. a number of useful restrictions [Service] MountAPIVFS=yes TemporaryFileSystem=/run BindReadOnlyPaths=/run/systemd/notify BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout BindReadOnlyPaths=/etc/machine-id BindReadOnlyPaths=/etc/resolv.conf BindReadOnlyPaths=/run/dbus/system_bus_socket DynamicUser=yes RemoveIPC=yes CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \ CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \ CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \ CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE PrivateTmp=yes PrivateDevices=yes PrivateUsers=yes ProtectSystem=strict ProtectHome=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 LockPersonality=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictNamespaces=yes SystemCallFilter=@system-service SystemCallErrorNumber=EPERM SystemCallArchitectures=native