xchpst (extended chpst) for Debian
----------------------------------

The xchpst package for debian enables runscripts provided for system
services to launch those service with hardening options not available
from the chpst tool normally used with runscripts. See the man page
xchpst(8) for details.

An example invocation within a runscript:

exec xchpst --cpu-scheduler=idle --cap-bs-keep=CAP_NET_BIND_SERVICE,CAP_NET_RAW \
  --new-root --ro-sys --private-tmp --protect-home --no-new-privs \
  -n 19 -- /usr/sbin/radvd --nodaemon --username radvd \
  --logmethod stderr_clean --config /etc/radvd.conf