Hi, In addition to what Russ proposed to add, I've been running with those additional restrictions:
SystemCallArchitectures=native # note: AF_NETLINK is needed for getifaddrs(3) RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK They are available on older systemd versions so they shouldn't cause problems with backports. I tested with systemd 229 (Xenial). Regards, Simon P.S: flags=(attach_disconnected) is still needed for Apparmor.
signature.asc
Description: OpenPGP digital signature