[Service]
LimitNOFILE=100000
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
ProtectHome=true
PrivateDevices=true
PrivateUsers=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
SystemCallArchitectures=native
BindPaths=-/var/log/mysql/
BindPaths=-/var/lib/mysql/
BindPaths=-/var/run/mysqld/
BindPaths=-/run/mysqld/
InaccessiblePaths=/var/www/