···

       
68
       
68
       
 
       
          ProtectControlGroups = true;

     

       
69
       
69
       
 
       
          LockPersonality = true;

     

       
70
       
70
       
 
       
          RestrictRealtime = true;

     

       
71
       
71
       
+
       
          RuntimeDirectory = "clash-verge-rev";

     

       
71
       
72
       
 
       
          ProtectClock = true;

     

       
72
       
73
       
 
       
          MemoryDenyWriteExecute = true;

     

       
73
       
74
       
 
       
          RestrictSUIDSGID = true;

     

       
74
       
74
       
-
       
          RestrictNamespaces = [ "~user cgroup ipc mnt uts" ];

     

       
75
       
75
       
+
       
          RestrictNamespaces = [ "~user cgroup mnt uts" ];

     

       
75
       
76
       
 
       
          RestrictAddressFamilies = [

     

       
76
       
76
       
-
       
            "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW"

     

       
77
       
77
       
+
       
            "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX"

     

       
77
       
78
       
 
       
          ];

     

       
78
       
79
       
 
       
          CapabilityBoundingSet = [

     

       
79
       
80
       
 
       
            "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD"