git.ipfire.org Git - thirdparty/util-linux.git/commitdiff
fstrim: Add hardening settings to fstrim.service
author Andreas Henriksson <andreas@fatal.se>
Thu, 22 Nov 2018 10:13:58 +0000 (11:13 +0100)
committer Karel Zak <kzak@redhat.com>
Thu, 22 Nov 2018 10:13:58 +0000 (11:13 +0100)
This limits what the fstrim process has access to when it runs.

PrivateUsers can't be enabled because of:
"If this mode is enabled, all unit processes are run without privileges
in the host user namespace[...]"

Further improving this with additional options or making
things even tighter is most likely possible.

Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: Karel Zak <kzak@redhat.com>
sys-utils/fstrim.service.in

index fb5a831ff55184787ab22dc590b2549fd642a96f..d58accd7f4a67b3f33b2700392ab58fac9ed77a1 100644 (file)
@@ -5,3 +5,13 @@ Documentation=man:fstrim(8)
 [Service]
 Type=oneshot
 ExecStart=@sbindir@/fstrim --fstab --verbose
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=no
+PrivateNetwork=yes
+PrivateUsers=no
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=@default @file-system @basic-io @system-service
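Review bot: `ProtectHome=yes` conflicts with `ExecStart=@sbindir@/fstrim --fstab --verbose` in the same hunk: it makes /home, /root and /run/user empty and inaccessible inside the unit's mount namespace, so a separate /home filesystem listed in fstab is no longer reachable and will not be trimmed. `ProtectHome=read-only` keeps those filesystems visible while still denying writes, and FITRIM does not need a writable bind mount. Two smaller points: `@system-service` already contains `@default`, `@file-system` and `@basic-io`, so `SystemCallFilter=@system-service` says the same thing with less to maintain; and the reasoning for `PrivateUsers=no` (and for `PrivateDevices=no`, which the commit message does not explain at all) lives only in the commit message, so a one-line comment above each of those two settings in the unit file would stop a later cleanup from flipping them to `yes`.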