[RFC/PATCH] Add hardening settings to fstrim.service

This limits what the fstrim process has access to when it runs.

PrivateUsers can't be enabled because of:
"If this mode is enabled, all unit processes are run without privileges
in the host user namespace[...]"

Further improving this with additional options or making
things even tighter is most likely possible.

Signed-off-by: Andreas Henriksson <andreas@xxxxxxxx>
---
 sys-utils/fstrim.service.in | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/sys-utils/fstrim.service.in b/sys-utils/fstrim.service.in
index 2d5daf99d..0bab91a9c 100644
--- a/sys-utils/fstrim.service.in
+++ b/sys-utils/fstrim.service.in
@@ -5,3 +5,13 @@ Documentation=man:fstrim(8)
 [Service]
 Type=oneshot
 ExecStart=@sbindir@/fstrim -Av
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=no
+PrivateNetwork=yes
+PrivateUsers=no
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=@default @file-system @basic-io @system-service
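Review bot: the `SystemCallFilter=` line in this hunk is redundant as written, and the two `=no` lines are no-ops that deserve a comment. `@system-service` is defined by systemd as a superset that already contains `@default`, `@file-system` and `@basic-io`, so `SystemCallFilter=@system-service` expresses the same allow-list and is easier to audit. `PrivateDevices=no` and `PrivateUsers=no` are the systemd defaults, so they change nothing; if the intent is to record that these were considered and rejected, a comment in the unit file (e.g. `# PrivateUsers= would drop privileges in the host user namespace; fstrim needs CAP_SYS_ADMIN for FITRIM`) keeps that rationale next to the setting rather than only in the commit message, and the commit message currently gives no reason for `PrivateDevices=no` at all. Since `FITRIM` requires `CAP_SYS_ADMIN`, a `CapabilityBoundingSet=CAP_SYS_ADMIN` line would be a natural next tightening in the spirit of the commit message. Finally, `ProtectSystem=strict` remounts the whole hierarchy read-only for the unit, and `fstrim -Av` opens every mount point to issue the ioctl; it is worth stating in the commit message that the trim was verified to still succeed on each filesystem type under that mode, because a silent per-mount failure would leave devices untrimmed without a clear error.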
-- 
2.19.1