fstrim: Add hardening settings to fstrim.service
This limits what the fstrim process has access to when it runs.

PrivateUsers can't be enabled because of: "If this mode is enabled, all unit processes are run without privileges in the host user namespace [...]"

Further improving this with additional options or making things even tighter is most likely possible.

Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Karel Zak <kzak@redhat.com>
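As an added example (not part of this commit or of util-linux itself), the following local drop-in tightens fstrim.service further in the direction the commit message suggests, and undoes ProtectHome=yes so that a separately mounted /home listed in fstab is still trimmed. The drop-in path and the chosen directive set are this example's own assumptions, and it assumes a systemd recent enough to understand every directive used.

```ini
# Added example, not code from the util-linux commit.
# Assumed install path: /etc/systemd/system/fstrim.service.d/hardening.conf
# (a conventional drop-in location, not something the commit prescribes).
[Service]
# FITRIM is a privileged ioctl: the kernel requires CAP_SYS_ADMIN, which is
# the reason the unit has to keep PrivateUsers=no. Keep only that capability
# and forbid regaining any other privilege.
CapabilityBoundingSet=CAP_SYS_ADMIN
NoNewPrivileges=yes

# fstrim only opens mount points and issues ioctl(2). It needs no sockets
# (PrivateNetwork=yes already removes the network, this also covers AF_UNIX),
# no new namespaces, no realtime scheduling and no personality changes.
RestrictAddressFamilies=none
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes

# ProtectHome=yes makes /home, /root and /run/user inaccessible and empty in
# the service's mount namespace, so a separate /home filesystem listed in
# /etc/fstab would never be trimmed. Re-enable access for this machine.
ProtectHome=no
```

After installing the drop-in, `systemctl daemon-reload` and `systemd-analyze security fstrim.service` show the resulting exposure of the unit, and `systemctl start fstrim.service` followed by `journalctl -u fstrim.service` should list trimmed bytes for every fstab mount point rather than permission or "not supported" errors.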
parent 3fa06e0490
commit 8f3d2d76aa
@ -5,3 +5,13 @@ Documentation=man:fstrim(8)
[Service]
Type=oneshot
ExecStart=@sbindir@/fstrim --fstab --verbose
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=no
PrivateNetwork=yes
PrivateUsers=no
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
SystemCallFilter=@default @file-system @basic-io @system-service
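Review bot: ProtectHome=yes (second added line of this hunk) conflicts with `ExecStart=@sbindir@/fstrim --fstab --verbose`: it makes /home, /root and /run/user inaccessible and empty in the service's mount namespace, so a separate /home filesystem listed in /etc/fstab is no longer trimmed, because fstrim issues FITRIM on whatever is mounted at that path inside the namespace instead of on the real filesystem. Either drop ProtectHome=yes or document that /home must not be a separate fstab entry. Two smaller points: `SystemCallFilter=@default @file-system @basic-io @system-service` is redundant, since @system-service already contains the other three groups (and it is the group that carries ioctl, which FITRIM needs, so the unit implicitly requires a systemd that knows @system-service); and `PrivateDevices=no` and `PrivateUsers=no` only restate the defaults, which is fine as a record of intent, but since the reason for keeping PrivateUsers=no is that FITRIM needs CAP_SYS_ADMIN, adding `CapabilityBoundingSet=CAP_SYS_ADMIN` would drop the remaining root capabilities the process does not use.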