First Commit
This commit is contained in:
62
usr/lib/systemd/system/ananicy-cpp.service
Normal file
62
usr/lib/systemd/system/ananicy-cpp.service
Normal file
@@ -0,0 +1,62 @@
|
||||
[Unit]
|
||||
Description=Ananicy-Cpp - ANother Auto NICe daemon in C++
|
||||
After=local-fs.target
|
||||
StartLimitIntervalSec=0
|
||||
StartLimitBurst=10
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/bin/ananicy-cpp start
|
||||
ExecReload=/usr/bin/ananicy-cpp --reload
|
||||
Nice=-5
|
||||
SuccessExitStatus=143
|
||||
OOMScoreAdjust=-999
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
CPUAccounting=true
|
||||
MemoryHigh=16M
|
||||
MemoryMax=64M
|
||||
|
||||
# Hardening
|
||||
ProtectSystem=true
|
||||
ProtectHome=true
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=true
|
||||
ProtectClock=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
|
||||
CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SETUID CAP_SETGID CAP_SETPCAP
|
||||
ProcSubset=pid
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||
NoNewPrivileges=true
|
||||
|
||||
RestrictSUIDSGID=true
|
||||
RestrictNamespaces=cgroup
|
||||
ProtectHostname=true
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
|
||||
# Filter system calls to those absolutely requrired for correct functioning.
|
||||
#SystemCallErrorNumber=EPERM
|
||||
#SystemCallFilter=@system-service
|
||||
#SystemCallFilter=~@debug @module @mount @reboot @swap @clock @obsolete @cpu-emulation
|
||||
|
||||
|
||||
# Required to see other processes
|
||||
PrivateUsers=false
|
||||
ProtectProc=default
|
||||
|
||||
# Required for the process-listener socket to work
|
||||
PrivateNetwork=false
|
||||
|
||||
|
||||
# Required for control groups (obviously)
|
||||
ProtectControlGroups=false
|
||||
|
||||
# Required for future use.
|
||||
RestrictRealtime=false
|
||||
|
||||
[Install]
|
||||
WantedBy=local-fs.target
|
||||
Reference in New Issue
Block a user