-
Notifications
You must be signed in to change notification settings - Fork 141
/
Copy pathirqbalance.service
42 lines (40 loc) · 1.07 KB
/
irqbalance.service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
[Unit]
Description=irqbalance daemon
Documentation=man:irqbalance(1)
Documentation=https://github.com/Irqbalance/irqbalance
ConditionVirtualization=!container
ConditionCPUs=>1
[Service]
EnvironmentFile=-/usr/lib/irqbalance/defaults.env
EnvironmentFile=-/path/to/irqbalance.env
ExecStart=/usr/sbin/irqbalance $IRQBALANCE_ARGS
CapabilityBoundingSet=CAP_SETPCAP
NoNewPrivileges=yes
ProtectSystem=strict
ReadOnlyPaths=/
ReadWritePaths=/proc/irq
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RuntimeDirectory=irqbalance/
IPAddressDeny=any
ProtectHome=true
PrivateTmp=yes
PrivateNetwork=yes
PrivateUsers=true
ProtectHostname=yes
ProtectClock=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
PrivateMounts=yes
SystemCallFilter=@cpu-emulation @privileged @system-service
SystemCallFilter=~@clock @module @mount @obsolete @raw-io @reboot @resources @swap
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target