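[Unit]
Description=Ananicy-Cpp - ANother Auto NICe daemon in C++
After=local-fs.target
# An interval of 0 turns start rate limiting off, so StartLimitBurst= below is
# never evaluated. Together with Restart=always in [Service] the daemon is
# restarted indefinitely, every RestartSec seconds, however often it fails.
StartLimitIntervalSec=0
StartLimitBurst=10
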
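[Service]
Type=simple
ExecStart=/usr/bin/ananicy-cpp start
ExecReload=/usr/bin/ananicy-cpp --reload
# Negative nice value: the daemon itself runs at raised scheduling priority.
Nice=-5
# 143 is 128 + 15 (SIGTERM); that exit status is counted as a clean stop.
SuccessExitStatus=143
# Near the minimum of -1000, so the OOM killer picks almost anything else first.
OOMScoreAdjust=-999
Restart=always
RestartSec=10
CPUAccounting=true
# cgroup memory limits: usage above MemoryHigh is throttled and reclaimed,
# MemoryMax is the hard cap.
MemoryHigh=16M
MemoryMax=64M
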
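# Hardening
# NOTE(review): no User= appears in this unit, so the daemon presumably runs as
# root and the directives below are its only confinement - confirm.
# ProtectSystem=true makes /usr and the boot loader directories read-only;
# /etc stays writable (that needs "full", or "strict" for the whole tree).
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true

# The leading "~" inverts the list: only the capabilities named here are
# dropped, every other capability stays in the bounding set.
# NOTE(review): an allow-list of just the capabilities the daemon needs would
# be tighter than this deny-list - confirm the required set before switching.
CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SETUID CAP_SETGID CAP_SETPCAP
# Hides the parts of /proc that are not per-process directories.
ProcSubset=pid
# Only AF_UNIX and AF_NETLINK sockets may be created.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
NoNewPrivileges=true

RestrictSUIDSGID=true
# Only cgroup namespaces are permitted; all other namespace types are denied.
RestrictNamespaces=cgroup
ProtectHostname=true
LockPersonality=true
MemoryDenyWriteExecute=true
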
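# Filter system calls to those absolutely required for correct functioning.
# NOTE: the three directives below are commented out, so no SystemCallFilter=
# is in effect for this service as written.
#SystemCallErrorNumber=EPERM
#SystemCallFilter=@system-service
#SystemCallFilter=~@debug @module @mount @reboot @swap @clock @obsolete @cpu-emulation

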
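# The settings below all carry systemd's default value. They are spelled out
# to record why each of these sandboxing options is deliberately left off.

# Required to see other processes
PrivateUsers=false
ProtectProc=default

# Required for the process-listener socket to work
PrivateNetwork=false


# Required for control groups (obviously)
# With this off, the cgroup hierarchy stays writable for the service.
ProtectControlGroups=false

# Required for future use.
RestrictRealtime=false
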
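[Install]
# Enabling the unit links it into local-fs.target.wants/, so it is pulled in
# whenever local-fs.target is started.
WantedBy=local-fs.target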