# vim: set ft=systemd :
#
# systemd service unit that runs the BURP backup client inside a reduced-privilege
# sandbox. Directive order is kept as-is: for SystemCallFilter= the first line
# decides allow-list vs. deny-list mode, so those lines must not be swapped.
#
# NOTE(review): no [Install] section is visible here; presumably a companion
# .timer unit starts this service. Confirm before enabling it directly.

[Unit]
Description=BURP client
# Start only once the network is reported up; Wants= pulls the target in,
# After= orders this unit behind it.
After=network-online.target
Wants=network-online.target

[Service]
# Type=exec: the unit counts as started once the burp binary has been executed.
Type=exec
# "-a t" requests a timed backup. "-Q" presumably disables logging to stdout;
# confirm against the installed burp man page.
ExecStart=/usr/sbin/burp -a t -Q
# Exit status 3 is treated as success. NOTE(review): looks like burp returns 3
# when the server's timer conditions are not met; confirm against burp's exit codes.
SuccessExitStatus=3

# With no User= set, a system service runs as root, so the capability bounding
# set below is the main privilege limit. Repeated CapabilityBoundingSet= lines
# are merged, giving the union of both lists.
# NOTE(review): CAP_DAC_OVERRIDE also bypasses write-permission checks. A
# backup-only run mainly needs CAP_DAC_READ_SEARCH; confirm the broader
# capability is actually required.
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_FOWNER CAP_LEASE CAP_SETGID CAP_SETUID
# Prevents the process and its children from gaining privileges through
# setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes

# Private /dev containing only pseudo-devices; physical block devices are not reachable.
PrivateDevices=yes
# Private /tmp and /var/tmp. The host's own /tmp and /var/tmp are therefore
# not visible to the backup run.
PrivateTmp=yes
# Only the per-process part of /proc is mounted.
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Most /proc metadata of other users' processes is made inaccessible.
ProtectProc=noaccess
# /usr, the boot loader directories and /etc are mounted read-only; the rest of
# the filesystem stays writable. ProtectHome= is not set, so home directories
# remain readable for backup.
# NOTE(review): ProtectSystem=strict plus explicit ReadWritePaths= would be
# tighter if the client's writable paths are known.
ProtectSystem=full

# Only the host's native syscall ABI may be used.
SystemCallArchitectures=native
# First line: allow-list built from these syscall groups.
# NOTE(review): @mount is allowed although CAP_SYS_ADMIN is not in the bounding
# set. Confirm the client needs this group; drop it if not.
SystemCallFilter=@system-service @privileged @mount
# Second line, with "~": these groups are removed from the allow-list above.
SystemCallFilter=~@clock @debug @module @reboot @swap
# NOTE(review): RestrictAddressFamilies=, RestrictNamespaces=, LockPersonality=,
# RestrictSUIDSGID=, RestrictRealtime= and MemoryDenyWriteExecute= are not set.
# Evaluate them with `systemd-analyze security` and test a full backup run
# before adding any.