[Unit]
Description=ClamAV virus database updater in chroot
Documentation=man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents
# If user wants it run from cron, don't start the daemon.
ConditionPathExists=!/etc/cron.d/clamav-freshclam-chroot
BindsTo=chr-maild.target

[Service]
RootDirectory=/chroot/maild
RootDirectoryStartOnly=no

ExecStart=/usr/bin/freshclam -d --foreground=true
StandardOutput=journal

PrivateTmp=true
MountAPIVFS=true
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
ProtectHome=true
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
#MemoryDenyWriteExecute=yes
#LockPersonality=yes
#ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/maild/bin /chroot/maild/sbin /chroot/maild/lib /chroot/maild/lib64 /chroot/maild/usr /chroot/maild/etc
InaccessiblePaths=/chroot/maild/boot /chroot/maild/sys /chroot/maild/proc

# run
BindPaths=/chroot/maild/run:/run:norbind
# log, systemd notify
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind

[Install]
#WantedBy=multi-user.target
WantedBy=chr-maild.target