From 7486f305cd5a7e91716544c84d7ab363ad7660b0 Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt
Date: Thu, 24 Jul 2014 19:38:07 +0200
Subject: [PATCH] Include additional directories in ProtectSystem

---
 src/core/namespace.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 5d092488bd4..876faa7f558 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -148,6 +148,12 @@ static const MountEntry protect_system_yes_table[] = {
 { "/usr", READONLY, false },
 { "/boot", READONLY, true },
 { "/efi", READONLY, true },
+#if HAVE_SPLIT_USR
+ { "/lib", READONLY, true },
+ { "/lib64", READONLY, true },
+ { "/bin", READONLY, true },
+ { "/sbin", READONLY, true },
+#endif
 };
 /* ProtectSystem=full includes ProtectSystem=yes */
@@ -156,6 +162,12 @@ static const MountEntry protect_system_full_table[] = {
 { "/boot", READONLY, true },
 { "/efi", READONLY, true },
 { "/etc", READONLY, false },
+#if HAVE_SPLIT_USR
+ { "/lib", READONLY, true },
+ { "/lib64", READONLY, true },
+ { "/bin", READONLY, true },
+ { "/sbin", READONLY, true },
+#endif
 };
 /*
-- 
2.47.3
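Review bot: The read-only coverage of `/lib`, `/lib64`, `/bin` and `/sbin` is decided at build time by `#if HAVE_SPLIT_USR`, so a systemd binary built for a merged-usr layout that runs on a root filesystem where those are real directories (or a partially migrated one) leaves them writable under ProtectSystem=yes and ProtectSystem=full with no warning, which silently weakens a hardening option administrators rely on. The third field in these tables appears to be an "ignore if the path is missing" flag, as the existing `/boot` and `/efi` entries suggest, so the four entries could be made unconditional by dropping the `#if HAVE_SPLIT_USR` / `#endif` lines in both hunks and letting the runtime filesystem layout decide; on a merged-usr system the symlinks resolve into the already read-only `/usr`, so this should be harmless there, though that deserves a test. Separately, on Debian-style multiarch split-usr installs `/lib32` and `/libx32` are also real top-level directories and would remain writable with this list; if the maintainer intends full coverage of the split-usr layout, adding `{ "/lib32", READONLY, true },` and `{ "/libx32", READONLY, true },` next to `/lib64` closes that gap. Both table definitions begin before their respective hunks.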