RootDirectory=/mnt/clerkMountFlags=privateTemporaryFileSystem=/run:roBin

1. RootDirectory=/mnt/clerk
2.  
3. MountFlags=private
4. TemporaryFileSystem=/run:ro
5. BindPaths=/run/clerk
6. BindPaths=/data/clerk:/data
7. BindReadOnlyPaths=/sys:/sys
8. BindReadOnlyPaths=/proc:/proc:norbind
9. BindReadOnlyPaths=/dev:/dev:norbind
10. BindReadOnlyPaths=/run/dspd
11. BindReadOnlyPaths=/run/updater
12. BindReadOnlyPaths=/usr/share/zoneinfo
13. BindReadOnlyPaths=/etc/passwd
14. BindReadOnlyPaths=/etc/group
15. BindReadOnlyPaths=/personality
16. BindReadOnlyPaths=/run/systemd/journal/socket
17. BindReadOnlyPaths=/run/systemd/notify
18. BindReadOnlyPaths=/run/systemd/resolve
19. BindReadOnlyPaths=/run/dbus
20.  
21. DevicePolicy=closed
22. DeviceAllow=/dev/uio/adc-buffer r
23.  
24. NoNewPrivileges=yes
25.  
26. CapabilityBoundingSet=CAP_NET_BIND_SERVICE
27. AmbientCapabilities=CAP_NET_BIND_SERVICE
28.  
29. User=clerk
30. Group=clerk
31. SupplementaryGroups=dspd updater