[Unit]
Description=TEST

[Service]
Type=oneshot
ExecStart=/opt/test

TemporaryFileSystem=/

BindReadOnlyPaths=/opt/test /bin /lib /lib64 /usr



UMask=077
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
IPAddressDeny=any
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=none
RestrictFileSystems=ext4 tmpfs zfs
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
PrivateMounts=yes
SystemCallFilter=~@swap
SystemCallFilter=~@resources
SystemCallFilter=~@reboot
SystemCallFilter=~@raw-io
SystemCallFilter=~@privileged
SystemCallFilter=~@obsolete
SystemCallFilter=~@mount
SystemCallFilter=~@module
SystemCallFilter=~@debug
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@clock
CapabilityBoundingSet=
ProtectProc=invisible
ProcSubset=pid
NoNewPrivileges=yes
SystemCallArchitectures=native


[Install]
WantedBy=multi-user.target