no-new-privs
cpu-scheduler idle
cap-bs-keep CAP_SETUID,CAP_SETGID,CAP_NET_BIND_SERVICE,CAP_NET_RAW
new-root
ro-sys
ro-etc
private-tmp
protect-home
