Kernel Modules
ProtectKernelModules setting
Summary
Restrict systemd units from loading kernel modules with the ProtectKernelModules unit setting.
Explanation
Kernel modules provide additional functionality on a modular Linux kernel, which is what most systems run. When this setting is set to yes, systemd prevents the unit from loading kernel modules. It does so by removing CAP_SYS_MODULE from the unit's capability bounding set.
Generic advice
Most units do not need permission to load kernel modules, so a unit can typically be configured with ProtectKernelModules=true.
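As an added example (not part of the original page or of systemd itself), the following POSIX shell script audits unit files for the effective ProtectKernelModules= value, the way a hardening review of a service would. It assumes the unit text is available locally and applies systemd's own rules that the last assignment of a key wins and an empty assignment resets the setting to its default (off); the two unit files are constructed inline for the demo.

```shell
#!/bin/sh
# Added example: audit a systemd unit for ProtectKernelModules=.
# Assumptions: last assignment of a key is the effective one, an empty
# value resets to the default (off), and a true value is any of
# 1/yes/y/true/t/on (case-insensitive), as systemd parses booleans.

# Constructed demo units (not real services).
HARDENED_UNIT='[Unit]
Description=demo service (hardened)

[Service]
ExecStart=/usr/bin/true
ProtectKernelModules=yes
NoNewPrivileges=true'

UNHARDENED_UNIT='[Unit]
Description=demo service (setting reset by a later empty assignment)

[Service]
ExecStart=/usr/bin/true
ProtectKernelModules=yes
ProtectKernelModules='

# protect_kernel_modules_enabled UNIT_TEXT
# Returns 0 when the effective ProtectKernelModules= value is true, else 1.
protect_kernel_modules_enabled() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ProtectKernelModules[[:space:]]*=[[:space:]]*//p' |
        tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$value" in
        1|yes|y|true|t|on) return 0 ;;
        *) return 1 ;;
    esac
}

# report_unit NAME UNIT_TEXT: one-line verdict for the operator.
report_unit() {
    if protect_kernel_modules_enabled "$2"; then
        printf '%s: ProtectKernelModules enabled (CAP_SYS_MODULE dropped)\n' "$1"
    else
        printf '%s: ProtectKernelModules NOT enabled; add ProtectKernelModules=yes to [Service]\n' "$1"
    fi
}

report_unit hardened.service "$HARDENED_UNIT"
report_unit unhardened.service "$UNHARDENED_UNIT"
```

On a live system, `systemctl show -p ProtectKernelModules NAME.service` reports the effective value after all drop-ins are merged, and `systemd-analyze security NAME.service` scores it alongside the other sandboxing options.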