I am currently running the following hardening settings:
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProcSubset=pid
ProtectSystem=strict
StateDirectory=quassel
LogsDirectory=quassel
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=@system-service
CapabilityBoundingSet=

P.S.: Additionally, I am also building quassel with Control Flow Integrity enabled, see https://salsa.debian.org/qt-kde-team/extras/quassel/-/merge_requests/12