From c7fb922d6250543ba5462fa7a6ff03cc8f628e94 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 9 Feb 2017 10:58:28 +0100
Subject: units: switch on ProtectSystem=strict for our long running services

Let's step up the protection a notch
---
 units/systemd-journal-remote.service.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'units/systemd-journal-remote.service.in')

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index cab7778ddc..323e308871 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -18,7 +18,7 @@ WatchdogSec=3min
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@@ -27,6 +27,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+ReadWritePaths=/var/log/journal/remote
 
 [Install]
 Also=systemd-journal-remote.socket
-- 
cgit v1.2.3