ansible-playbooks/roles/qubes-f41-gnome/etc/systemd/system/NetworkManager.service.d/99-brace.conf

[Service]
# Hardening
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
LockPersonality=true
MemoryDenyWriteExecute=true
#PrivateDevices=true #breaks tun usage
#ProtectProc=invisible
PrivateTmp=yes
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectKernelLogs=true
#ProtectKernelModules=true
#ProtectSystem=strict
#ReadOnlyPaths=/etc/NetworkManager
ReadOnlyPaths=-/home
#ReadWritePaths=-/etc/NetworkManager/system-connections
ReadWritePaths=-/etc/sysconfig/network-scripts
ReadWritePaths=/var/lib/NetworkManager
ReadWritePaths=-/var/run/NetworkManager
ReadWritePaths=-/run/NetworkManager
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077