# systemd [Service] settings that restrict this unit's view of the file system.
# The unit these apply to and the account it runs as are not visible in this fragment.
[Service]
# Make the whole file system hierarchy read-only for the unit's processes.
# ReadOnlyDirectories= is the legacy name of ReadOnlyPaths=.
ReadOnlyDirectories=/
# Space-separated list of paths that stay writable despite the read-only root
# (legacy name of ReadWritePaths=).
# NOTE(review): /proc is writable here, which includes /proc/sys; confirm the
# service needs that. All of /var is writable as well; narrow the list to the
# directories the service actually writes to if possible.
# NOTE(review): these are mount-namespace restrictions and can be undone by a
# process holding CAP_SYS_ADMIN. If the service runs privileged, pair them with
# CapabilityBoundingSet= or SystemCallFilter= (and ProtectKernelTunables= where
# the installed systemd supports it) - TODO confirm against the full unit.
ReadWriteDirectories=/var /run /proc /sys/fs/cgroup /dev/pts
# Give the unit its own private /tmp and /var/tmp, not shared with other processes.
PrivateTmp=true