bundlewrap/test.service

[Unit]
Description=TEST

[Service]
Type=oneshot
ExecStart=/opt/test

ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=none
RestrictFileSystems=ext4 tmpfs zfs
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
PrivateMounts=yes
SystemCallFilter=
SystemCallArchitectures=native
CapabilityBoundingSet=
ProtectProc=invisible

ReadOnlyPaths=/

NoExecPaths=/
ExecPaths=/opt/test /bin/bash /lib

[Install]
WantedBy=multi-user.target