From da0ab53fd3bb8f3598ff8f95f72b7861bdab487e Mon Sep 17 00:00:00 2001
From: Dct Mei
Date: Wed, 1 Apr 2020 21:15:38 +0800
Subject: [PATCH] Increase permission control

---
 systemd/system/v2ray.service | 3 ++-
 systemd/system/v2ray@.service | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/systemd/system/v2ray.service b/systemd/system/v2ray.service
index dcb877e..3cbb4bc 100644
--- a/systemd/system/v2ray.service
+++ b/systemd/system/v2ray.service
@@ -5,8 +5,9 @@ After=network.target network-online.target nss-lookup.target
 [Service]
 Type=simple
 User=nobody
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
 ExecStart=/usr/local/bin/v2ray -confdir /usr/local/etc/v2ray/
 
 [Install]
diff --git a/systemd/system/v2ray@.service b/systemd/system/v2ray@.service
index 2ffc8e2..0473923 100644
--- a/systemd/system/v2ray@.service
+++ b/systemd/system/v2ray@.service
@@ -5,8 +5,9 @@ After=network.target network-online.target nss-lookup.target
 [Service]
 Type=simple
 User=nobody
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
 ExecStart=/usr/local/bin/v2ray -config /usr/local/etc/v2ray/%i.json
 
 [Install]
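Review bot: The `[Service]` section still hands CAP_NET_ADMIN to the daemon through `AmbientCapabilities=`, so anything it executes inherits it, and `User=nobody` is an account that other services on the host may share. `NoNewPrivileges=true` only prevents gaining further privilege through setuid or file-capability binaries. If the deployment does not need CAP_NET_ADMIN (presumably it is there for transparent-proxy setups), dropping it from both `CapabilityBoundingSet=` and `AmbientCapabilities=` would leave only `CAP_NET_BIND_SERVICE`. The unit also has no filesystem confinement; consider `ProtectSystem=strict`, `ProtectHome=true` and `PrivateTmp=true`, with a `ReadWritePaths=` entry for any log directory the configuration writes to. The same points apply to the identical hunk in `systemd/system/v2ray@.service`.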