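# Downloads the latest x86_64 gVisor runsc release, checks it against the
# published SHA-512 file, and installs it into /usr/local/bin.
# Download and verification run as a transient unprivileged user under the
# sandboxing options below; only the install steps (prefixed with "+") run
# with full privileges.
# There is no [Install] section, so this unit is presumably started by a
# timer or by hand — confirm against the accompanying .timer, if any.
[Unit]
Description=Update gVisor
# Order after network connectivity instead of an arbitrary fixed sleep.
# network-online.target is only meaningful when a network manager backs it.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# Scratch directory, mode 0700: nothing else on the host can swap the
# downloaded file between download and checksum verification.
RuntimeDirectory=gvisor-updater
RuntimeDirectoryMode=0700
WorkingDirectory=/run/gvisor-updater

# --fail: an HTTP error status fails the step instead of saving the error
#         body under the binary's name; a failing ExecStart stops the unit.
# --proto '=https': refuse any non-TLS scheme even if a URL is edited later.
ExecStart=curl -sS --fail --proto '=https' --remote-name-all \
    'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc' \
    'https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512'

# The checksum file is fetched from the same origin over the same TLS
# channel, so this catches truncated or corrupted transfers; it is not a
# signature check and does not authenticate the publisher.
ExecStart=sha512sum -c runsc.sha512

# Install steps run with full privileges ("+"): the sandboxing options
# below do not apply to these two commands.
# install(1) copies the verified file into the target directory with its
# final owner and mode under a temporary name; the rename within the same
# directory then publishes it atomically, so a container start racing with
# the update never sees a half-written runsc. (A cross-filesystem mv from
# /run copies into the destination in place, which is not atomic.)
# -Z applies the default SELinux label of the destination where SELinux
# is in use.
ExecStart=+install -o root -g root -m 0755 runsc /usr/local/bin/.runsc.new
ExecStart=+mv -Z -- /usr/local/bin/.runsc.new /usr/local/bin/runsc

# Sandboxing for the unprivileged steps (curl, sha512sum).
DynamicUser=true
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateIPC=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
# An empty value resets this restriction rather than denying all families,
# so allow-list only what curl needs: IPv4/IPv6 for HTTPS, and AF_UNIX for
# name resolution through a local resolver (nscd / systemd-resolved).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@obsolete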