cap-bs-keep CAP_NET_BIND_SERVICE,CAP_SYSLOG,CAP_SETGID
no-new-privs
protect-home
private-tmp
ro-sys
ro-etc
dev-null
