systemd: improve sandboxing

SystemCallErrorNumber=EPERM is semantically wrong
author: Alex Xu (Hello71) <alex_y_xu@yahoo.ca> 2020-11-11 21:57:03 -0500
committer: Alex Xu (Hello71) <alex_y_xu@yahoo.ca> 2020-11-11 21:57:03 -0500
commit: 953e7cde90e3220849af329ba5f194b6d14277a4 (patch)
tree: 9ca6e9ea19908109ba458e97fcfa3a97fae17b91
parent: 283508b8a77496abea6aa85f3536016716077c85 (diff)
download: cgit-syntax-highlighting-953e7cde90e3220849af329ba5f194b6d14277a4.tar.xz
cgit-syntax-highlighting-953e7cde90e3220849af329ba5f194b6d14277a4.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/syntax-highlighting.service.in b/syntax-highlighting.service.in
index cd90546..38faaa8 100644
--- a/syntax-highlighting.service.in
+++ b/syntax-highlighting.service.in
@@ -10,8 +10,10 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+CapabilityBoundingSet=
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
@@ -24,7 +26,6 @@ RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
 
 [Install]
author	Alex Xu (Hello71) <alex_y_xu@yahoo.ca>	2020-11-11 21:57:03 -0500
committer	Alex Xu (Hello71) <alex_y_xu@yahoo.ca>	2020-11-11 21:57:03 -0500
commit	953e7cde90e3220849af329ba5f194b6d14277a4 (patch)
tree	9ca6e9ea19908109ba458e97fcfa3a97fae17b91
parent	283508b8a77496abea6aa85f3536016716077c85 (diff)
download	cgit-syntax-highlighting-953e7cde90e3220849af329ba5f194b6d14277a4.tar.xz cgit-syntax-highlighting-953e7cde90e3220849af329ba5f194b6d14277a4.zip