| blob | 8e21f096416e8be972121bd588cb378ccd36a885 |
1 [Unit]
2 Description=piping-server
3 Documentation=https://github.com/nwtgck/piping-server-rust
5 [Service]
6 ExecStart=/usr/bin/piping-server --http-port 8181
8 DynamicUser=yes
9 CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_SYS_TIME CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_RESOURCE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
10 LockPersonality=true
11 MemoryDenyWriteExecute=true
12 NoNewPrivileges=true
13 DevicePolicy=closed
14 PrivateDevices=true
15 PrivateTmp=true
16 PrivateUsers=true
17 ProtectClock=true
18 ProtectControlGroups=true
19 ProtectHome=read-only
20 ProtectHostname=true
21 ProtectKernelTunables=true
22 ProtectKernelLogs=true
23 ProtectKernelModules=true
24 ProtectSystem=strict
25 RemoveIPC=true
26 RestrictAddressFamilies=~AF_AX25 AF_IPX AF_APPLETALK AF_X25 AF_DECnet AF_KEY AF_NETLINK AF_PACKET AF_RDS AF_PPPOX AF_LLC AF_IB AF_MPLS AF_CAN AF_TIPC AF_BLUETOOTH AF_ALG AF_VSOCK AF_KCM AF_UNIX AF_XDP
27 RestrictNamespaces=true
28 RestrictRealtime=true
29 RestrictSUIDSGID=true
30 SystemCallArchitectures=native
31 SystemCallFilter=@system-service
32 SystemCallFilter=~@resources @privileged
34 Restart=on-failure
36 [Install]
37 WantedBy=default.target