[Unit]
Description=Sophisticated low memory handler
Documentation=man:nohang(1) https://github.com/hakavlad/nohang
Conflicts=nohang-desktop.service
After=system.slice

[Service]
ExecStart=:TARGET_SBINDIR:/nohang --monitor --config :TARGET_SYSCONFDIR:/nohang/nohang.conf
SyslogIdentifier=nohang
KillMode=mixed
Restart=always
RestartSec=0

CPUSchedulingResetOnFork=true
RestrictRealtime=yes

TasksMax=20
MemoryMax=100M
MemorySwapMax=100M

UMask=0027
ProtectSystem=strict
ReadWritePaths=/var/log
InaccessiblePaths=/home /root
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateDevices=true
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
LockPersonality=yes

# Capabilities whitelist:
# CAP_KILL is required to send signals
# CAP_IPC_LOCK  is required to mlockall()
# CAP_SYS_PTRACE is required to check /proc/[pid]/exe realpathes
# CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files
# CAP_DAC_OVERRIDE fixes #94
# CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE

# `PrivateNetwork=true` breaks GUI notifications on oldstable distros (Debian 8, CentOS 7, Linux Mint 18)
# On modern distros you can set PrivateNetwork=true for security reasons
PrivateNetwork=false

[Install]
WantedBy=multi-user.target