forked from rfjakob/earlyoom
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathearlyoom.service.in
51 lines (45 loc) · 1.3 KB
/
earlyoom.service.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
[Unit]
Description=Early OOM Daemon
Documentation=man:earlyoom(1) https://github.com/rfjakob/earlyoom
[Service]
EnvironmentFile=-:SYSCONFDIR:/default/earlyoom
ExecStart=:TARGET:/earlyoom $EARLYOOM_ARGS
# Allow killing processes and calling mlockall()
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK
# Give priority to our process
Nice=-20
# Avoid getting killed by OOM
OOMScoreAdjust=-100
# earlyoom never exits on it's own, so have systemd
# restart it should it get killed for some reason.
Restart=always
# set memory limits and max tasks number
TasksMax=10
MemoryMax=50M
# Hardening. Deny everything we don't use.
# Run as an unprivileged user with random user id.
DynamicUser=true
# We don't need write access anywhere.
ProtectSystem=strict
# We don't need /home at all, make it inaccessible.
ProtectHome=true
PrivateDevices=true
ProtectClock=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
PrivateNetwork=true
IPAddressDeny=true
# Unix socket is used by dbus-send.
RestrictAddressFamilies=AF_UNIX
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
[Install]
WantedBy=multi-user.target