From 77325b42d6cdace9cb93bbb5c84b3f887c3db48a Mon Sep 17 00:00:00 2001
From: Alexey Avramov <hakavlad@gmail.com>
Date: Sat, 5 Oct 2019 02:28:20 +0900
Subject: [PATCH] update nohang.service

---
 nohang/nohang.service.in | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/nohang/nohang.service.in b/nohang/nohang.service.in
index 2b2d53b..c7bb616 100644
--- a/nohang/nohang.service.in
+++ b/nohang/nohang.service.in
@@ -17,8 +17,9 @@ ProtectKernelModules=true
 SystemCallArchitectures=native
 ReadOnlyPaths=/
 ReadWritePaths=/tmp /var /run /dev/shm
-CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_LINUX_IMMUTABLE CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_TIME CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND CAP_NET_ADMIN CAP_MKNOD CAP_AUDIT_CONTROL
-AmbientCapabilities=~CAP_SYS_ADMIN CAP_LINUX_IMMUTABLE CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_TIME CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND CAP_NET_ADMIN CAP_MKNOD CAP_AUDIT_CONTROL
+PrivateTmp=true
+CapabilityBoundingSet=CAP_KILL CAP_AUDIT_WRITE CAP_DAC_READ_SEARCH CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_PTRACE CAP_CHOWN
+AmbientCapabilities=CAP_KILL CAP_AUDIT_WRITE CAP_DAC_READ_SEARCH CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_PTRACE
 
 [Install]
 WantedBy=multi-user.target