## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

[Unit]
Description=Mounts /proc with hidepid=2
Documentation=https://github.com/Whonix/security-misc
Requires=local-fs.target
After=local-fs.target

[Service]
Type=oneshot
ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc

## Disabled since not working in Qubes.
#ProtectSystem=strict
#ProtectHome=true
#ProtectKernelTunables=true
#ProtectKernelModules=true
#ProtectControlGroups=true
#PrivateTmp=true
#PrivateMounts=true
#PrivateDevices=true
#MemoryDenyWriteExecute=true
#NoNewPrivileges=true
#RestrictRealtime=true
#SystemCallArchitectures=native
#RestrictNamespaces=true
#SystemCallFilter=mount munmap access read open close stat fstat lstat mmap mprotect brk rt_sigaction rt_sigprocmask execve readlink getrlimit getuid getgid geteuid getegid statfs prctl arch_prctl set_tid_address newfstatat set_robust_list openat mkdir

PrivateNetwork=true

[Install]
WantedBy=multi-user.target