fstrim: Add hardening settings to fstrim.service

This limits what the fstrim process has access to when it runs.

PrivateUsers can't be enabled because of:
"If this mode is enabled, all unit processes are run without privileges
in the host user namespace[...]"

Further improving this with additional options or making
things even tighter is most likely possible.

Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Karel Zak <kzak@redhat.com>
Andreas Henriksson 2018-11-22 11:13:58 +01:00 committed by Karel Zak
parent 3fa06e0490
commit 8f3d2d76aa
1 changed files with 10 additions and 0 deletions


@ -5,3 +5,13 @@ Documentation=man:fstrim(8)
[Service]
Type=oneshot
ExecStart=@sbindir@/fstrim --fstab --verbose
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=no
PrivateNetwork=yes
PrivateUsers=no
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
SystemCallFilter=@default @file-system @basic-io @system-service
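Review bot: ProtectHome=yes conflicts with the `--fstab` mode used in ExecStart: with that setting the directories /home, /root and /run/user are made inaccessible and empty for the unit's processes, so a separate filesystem mounted on /home and listed in fstab cannot be opened by fstrim and no FITRIM request is issued for it; either drop the `ProtectHome=yes` line or verify on a host with a separate /home that every fstab entry is still trimmed before merging. A smaller point on the same hunk: in `SystemCallFilter=@default @file-system @basic-io @system-service` the @system-service set already contains @default, @basic-io and @file-system, so the line can be shortened to `SystemCallFilter=@system-service` without changing the allowed set.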