|
|
@@ -10,5 +10,27 @@ ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELL
|
|
|
Restart = on-failure
|
|
|
TimeoutSec = 15
|
|
|
|
|
|
+NoNewPrivileges=true
|
|
|
+SystemCallArchitectures=native
|
|
|
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
|
|
+ProtectKernelModules=True
|
|
|
+SystemCallFilter=~@clock
|
|
|
+SystemCallFilter=~@aio
|
|
|
+SystemCallFilter=~@chown
|
|
|
+SystemCallFilter=~@cpu-emulation
|
|
|
+SystemCallFilter=~@debug
|
|
|
+SystemCallFilter=~@keyring
|
|
|
+SystemCallFilter=~@memlock
|
|
|
+SystemCallFilter=~@module
|
|
|
+SystemCallFilter=~@mount
|
|
|
+SystemCallFilter=~@obsolete
|
|
|
+SystemCallFilter=~@privileged
|
|
|
+SystemCallFilter=~@raw-io
|
|
|
+SystemCallFilter=~@reboot
|
|
|
+SystemCallFilter=~@setuid
|
|
|
+SystemCallFilter=~@swap
|
|
|
+SystemCallErrorNumber=EPERM
|
|
|
+
|
|
|
+
|
|
|
[Install]
|
|
|
WantedBy = multi-user.target
|
Julien Voisin