Automatic systemd service hardening guided by strace profiling
https://github.com/desbma/shh
A nice thing I found is that if you do (which I see they did not in the examples)

    # ProtectSystem=

you can do

    TemporaryFileSystem=/:ro
    BindReadOnlyPaths=/usr/bin/binary /lib /lib64 /usr/lib /usr/lib64 <paths you want to read>

And essentially just including the binary and the path you want available. ProtectSystem= is currently not compatible with this behavior.

EDIT: More info here: https://github.com/systemd/systemd/issues/33688

Seems that might be an issue for something that wants to e.g. send an e-mail when an error occurs?
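As an added illustration (not from the thread or from the shh project), here is a complete unit using the "empty read-only root plus explicit bind mounts" approach described above. The service name, the binary path, the writable state directory and the extra read-only paths are placeholders; the set of paths a real service needs is exactly what strace-guided profiling is meant to discover, and anything the program must reach that is not listed here (a mail submission binary, for instance, as the reply above worries about) is simply absent inside the namespace until it is added to BindReadOnlyPaths=.

```ini
# Added example unit, not part of the original thread or of shh.
# Assumptions: the daemon lives at /usr/bin/binary, keeps its state in
# /var/lib/example (which already exists on the host), and needs nothing
# else from the host filesystem.

[Unit]
Description=Example service with a read-only tmpfs root (added illustration)

[Service]
ExecStart=/usr/bin/binary
DynamicUser=yes
NoNewPrivileges=yes

# Mount an empty, read-only tmpfs over / first, so by default the service
# sees nothing of the host filesystem at all ...
TemporaryFileSystem=/:ro

# ... then expose, read-only, only the binary, the shared-library
# directories it is linked against, and any data it must read.
# Extend this list from what strace shows the program opening.
BindReadOnlyPaths=/usr/bin/binary /lib /lib64 /usr/lib /usr/lib64 /etc/ssl/certs

# Writable state only where the service genuinely needs it (assumed path).
BindPaths=/var/lib/example

# ProtectSystem= is deliberately left unset: it does not combine with
# TemporaryFileSystem=/ (see https://github.com/systemd/systemd/issues/33688).
# The rest of the usual hardening set still applies on top.
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

The point of ordering is that TemporaryFileSystem= is applied before the Bind*Paths= directives, so the bind mounts punch holes through the otherwise empty root rather than being hidden by it. After editing, `systemd-analyze verify` on the unit catches syntax mistakes, and a first run under the real workload (with strace, as shh does) shows which opens fail with ENOENT and therefore which paths still need to be listed.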