From 8f3d2d76aa3f5e20313362db6669dcd001bff26c Mon Sep 17 00:00:00 2001 From: Andreas Henriksson Date: Thu, 22 Nov 2018 11:13:58 +0100 Subject: fstrim: Add hardening settings to fstrim.service This limits what the fstrim process has access to when it runs. PrivateUsers can't be enabled because of: "If this mode is enabled, all unit processes are run without privileges in the host user namespace[...]" Further improving this with additional option or making things even tighter is most likely possible. Signed-off-by: Andreas Henriksson Signed-off-by: Karel Zak --- sys-utils/fstrim.service.in | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'sys-utils/fstrim.service.in') diff --git a/sys-utils/fstrim.service.in b/sys-utils/fstrim.service.in index fb5a831ff..d58accd7f 100644 --- a/sys-utils/fstrim.service.in +++ b/sys-utils/fstrim.service.in @@ -5,3 +5,13 @@ Documentation=man:fstrim(8) [Service] Type=oneshot ExecStart=@sbindir@/fstrim --fstab --verbose +ProtectSystem=strict +ProtectHome=yes +PrivateDevices=no +PrivateNetwork=yes +PrivateUsers=no +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +MemoryDenyWriteExecute=yes +SystemCallFilter=@default @file-system @basic-io @system-service -- cgit v1.2.3-55-g7522
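Review bot: `ProtectHome=yes` in this hunk conflicts with the `ExecStart=@sbindir@/fstrim --fstab --verbose` line two lines above it. With `ProtectHome=yes`, systemd makes `/home`, `/root` and `/run/user` inaccessible and empty inside the unit's mount namespace, so on any machine whose fstab lists a separate `/home` filesystem the service can no longer open that mountpoint and fstrim will fail to trim it (the unit will report an error for that entry rather than silently skipping it). If the intent is only to keep the process from writing user data, `ProtectHome=read-only` preserves access to the mountpoint, and the FITRIM ioctl that fstrim issues does not need a writable mount; otherwise the directive should be dropped. The same check applies to `ProtectSystem=strict`, which remounts the rest of the filesystem tree read-only for the unit: it is worth confirming on a test system with several fstab filesystems (root, a separate `/home`, a separate `/boot` or `/var`) that `systemctl start fstrim.service` still reports each of them as trimmed before this lands, since a oneshot timer job that quietly fails on some mounts is easy to miss. A short comment in the unit file stating why `PrivateUsers=no` and `PrivateDevices=no` are spelled out (they are already the defaults, and the commit message gives the reason only for `PrivateUsers`) would also help the next person who tries to tighten this further, as the message invites.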