[Unit]
Description=Script protections to enhance VM security
After=qubes-sysinit.service
Before=qubes-mount-dirs.service
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-cli
DefaultDependencies=false
OnFailure=shutdown.target
OnFailureJobMode=replace-irreversibly

[Service]
Type=oneshot
RemainAfterExit=no
#Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"
ExecStart=/usr/lib/qubes/init/vm-sudo-protect.sh

[Install]
WantedBy=sysinit.target