| field | value | date |
|---|---|---|
| author | Andreas Henriksson | 2018-11-22 11:13:58 +0100 |
| committer | Karel Zak | 2018-11-22 11:13:58 +0100 |
| commit | 8f3d2d76aa3f5e20313362db6669dcd001bff26c (patch) | |
| tree | c1bb2cf0839f54566df396a0a88b68fe622be2a3 /sys-utils/fstrim.service.in | |
| parent | setarch: fix obscure sparc32bash use-case | |
fstrim: Add hardening settings to fstrim.service
This limits what the fstrim process has access to when it runs.
PrivateUsers can't be enabled because of:
"If this mode is enabled, all unit processes are run without privileges
in the host user namespace[...]"
Further improving this with additional options or making things even tighter is most likely possible.
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'sys-utils/fstrim.service.in')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | sys-utils/fstrim.service.in | 10 |

1 files changed, 10 insertions, 0 deletions
diff --git a/sys-utils/fstrim.service.in b/sys-utils/fstrim.service.in index fb5a831ff..d58accd7f 100644 --- a/sys-utils/fstrim.service.in +++ b/sys-utils/fstrim.service.in @@ -5,3 +5,13 @@ Documentation=man:fstrim(8) [Service] Type=oneshot ExecStart=@sbindir@/fstrim --fstab --verbose +ProtectSystem=strict +ProtectHome=yes +PrivateDevices=no +PrivateNetwork=yes +PrivateUsers=no +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +MemoryDenyWriteExecute=yes +SystemCallFilter=@default @file-system @basic-io @system-service |
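Review bot: on the `SystemCallFilter=` line at the end of the hunk, `@system-service` already includes `@default`, `@file-system` and `@basic-io`, so the three extra groups add nothing, and no `SystemCallErrorNumber=` is set, which means any call outside the allow list (for example after a future libc or util-linux change) terminates fstrim with SIGSYS instead of failing with an error, and that is hard to diagnose from the journal; either add `SystemCallErrorNumber=EPERM` or state in the commit message that the kill behaviour is intended. Since the unit still runs as root and the FITRIM ioctl only needs CAP_SYS_ADMIN, `CapabilityBoundingSet=CAP_SYS_ADMIN` together with `NoNewPrivileges=yes` would be the natural next tightening that the message says is possible.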