[Service]
# Hardening
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWriteDirectories=/var/lib/bacula
PrivateTmp=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=CAP_DAC_READ_SEARCH