From 953e7cde90e3220849af329ba5f194b6d14277a4 Mon Sep 17 00:00:00 2001
From: "Alex Xu (Hello71)"
Date: Wed, 11 Nov 2020 21:57:03 -0500
Subject: systemd: improve sandboxing

SystemCallErrorNumber=EPERM is semantically wrong
---
 syntax-highlighting.service.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/syntax-highlighting.service.in b/syntax-highlighting.service.in
index cd90546..38faaa8 100644
--- a/syntax-highlighting.service.in
+++ b/syntax-highlighting.service.in
@@ -10,8 +10,10 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+CapabilityBoundingSet=
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
@@ -24,7 +26,6 @@ RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
 
 [Install]
-- 
cgit v1.2.3
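Review bot: `ProtectClock=yes` in the first hunk is only understood by systemd 245 and newer; an older systemd logs an "Unknown key" warning and silently skips it, so the hardening this line is meant to add does not apply there without any failure. Since this is a `.service.in` template, the build or packaging step is the natural place to document the minimum systemd version, or to note it in a comment above the line, e.g. `# ProtectClock= needs systemd >= 245; older versions ignore it with a warning`. `CapabilityBoundingSet=` with an empty value drops every capability, which is consistent with `NoNewPrivileges=yes` above it; whether the unit also sets `User=` is not visible in this hunk, so that should be confirmed against the rest of the file.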
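Review bot: Removing `SystemCallErrorNumber=EPERM` in the second hunk changes the failure mode, not just the semantics: with no error number set, a system call outside `SystemCallFilter=@system-service` now terminates the process with SIGSYS instead of returning EPERM. That is the stricter and arguably correct sandbox behaviour, but it means any syscall the program makes that is not in `@system-service` turns a previously recoverable error into a crash, so the filter should be exercised against the program's real workload before this ships. The commit message only says EPERM is "semantically wrong"; stating the new behaviour there, or as a comment above the filter such as `# Calls outside @system-service kill the service (SIGSYS) rather than fail with EPERM`, would save the next reader from rediscovering it in a core dump.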