CapabilityBoundingSet
CAP_BLOCK_SUSPEND
CAP_BPF
CAP_CHOWN
CAP_MKNOD
CAP_NET_RAW
CAP_PERFMON
CAP_SYS_BOOT
CAP_SYS_CHROOT
CAP_SYS_MODULE
CAP_SYS_NICE
CAP_SYS_PACCT
CAP_SYS_PTRACE
CAP_SYS_TIME
CAP_SYS_TTY_CONFIG
CAP_SYSLOG
CAP_WAKE_ALARM
LockPersonality
true
MemoryDenyWriteExecute
true
PrivateDevices
true
PrivateNetwork
true
PrivateTmp
true
ProtectClock
true
ProtectControlGroups
true
ProtectHome
read-only
true
tmpfs
ProtectKernelLogs
true
ProtectKernelModules
true
ProtectKernelTunables
true
ProtectProc
ptraceable
ProtectSystem
true
full
strict
RestrictAddressFamilies
AF_ALG
AF_APPLETALK
AF_ATMPVC
AF_ATMSVC
AF_AX25
AF_BLUETOOTH
AF_BRIDGE
AF_CAIF
AF_CAN
AF_DECnet
AF_ECONET
AF_IB
AF_IEEE802154
AF_INET
AF_INET6
AF_IPX
AF_IRDA
AF_ISDN
AF_IUCV
AF_KCM
AF_KEY
AF_LLC
AF_LOCAL
AF_MPLS
AF_NETBEUI
AF_NETLINK
AF_NETROM
AF_PACKET
AF_PHONET
AF_PPPOX
AF_QIPCRTR
AF_RDS
AF_ROSE
AF_RXRPC
AF_SECURITY
AF_SMC
AF_TIPC
AF_UNIX
AF_VSOCK
AF_WANPIPE
AF_X25
AF_XDP
RestrictRealtime
true
SocketBindDeny
ipv4:tcp
ipv4:udp
ipv6:tcp
ipv6:udp
SystemCallArchitectures
native
SystemCallFilter
@aio:EPERM
@basic-io:EPERM
@chown:EPERM
@clock:EPERM
@cpu-emulation:EPERM
@debug:EPERM
@file-system:EPERM
@io-event:EPERM
@ipc:EPERM
@keyring:EPERM
@memlock:EPERM
@module:EPERM
@mount:EPERM
@network-io:EPERM
@obsolete:EPERM
@pkey:EPERM
@privileged:EPERM
@process:EPERM
@raw-io:EPERM
@reboot:EPERM
@resources:EPERM
@sandbox:EPERM
@setuid:EPERM
@signal:EPERM
@swap:EPERM
@sync:EPERM
@timer:EPERM