Overview

File ip-blocklist-update.service of Package ip-blocklist

[Unit]
Description=Update IP blocklist
AssertFileNotEmpty=/etc/ip-blocklist/blocklists.toml

[Service]
User=ip-blocklist
Group=ip-blocklist
DynamicUser=true
CapabilityBoundingSet=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_ADMIN
PrivateDevices=true
ProtectClock=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
RestrictNamespaces=true
ProtectHostname=true
LockPersonality=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=true
ProtectHome=true
ProtectProc=invisible
ProcSubset=pid
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
UMask=0066
ConfigurationDirectory=ip-blocklist
StateDirectory=ip-blocklist
SyslogIdentifier=ip-blocklist-update
ExecStart=/usr/bin/ip-blocklist-update.py
openSUSE Build Service is sponsored by
Places