pesign/trunk/pesign.service

   1 [Unit]
   2 Description=Pesign signing daemon
   3 Documentation=man:pesign(1)
   4 Wants=pesign-create-db.service
   5 After=pesign-create-db.service
   6
   7 [Service]
   8 User=pesign
   9 Group=pesign
  10 PIDFile=/run/pesign/pesign.pid
  11 ExecStart=/usr/bin/pesign --daemonize --nofork
  12 ProtectSystem=strict
  13 ProtectHome=true
  14 PrivateTmp=true
  15 PrivateDevices=true
  16 ProtectKernelTunables=true
  17 ProtectControlGroups=true
  18 NoNewPrivileges=true
  19 MemoryDenyWriteExecute=true
  20 LockPersonality=true
  21 ProtectHostname=true
  22 ProtectKernelLogs=true
  23 ProtectKernelModules=true
  24 RemoveIPC=true
  25 RestrictNamespaces=true
  26 RestrictRealtime=true
  27 RestrictSUIDSGID=true
  28 SystemCallArchitectures=native
  29 SystemCallFilter=@system-service
  30 SystemCallFilter=~@resources
  31 ReadWritePaths=/run/pesign
  32 RuntimeDirectory=pesign
  33 StateDirectory=pesign
  34 LogsDirectory=pesign
  35
  36 [Install]
  37 WantedBy=multi-user.target