|
|
Upstream issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002738
For me the workaround was to set "ProtectSystem=strict" and to comment out "ReadOnlyDirectories=/".
This seems to also be the way systemd recommends protecting the root directory: (manpage systemd.exec)
ProtectSystem=
Takes a boolean argument or the special values "full" or "strict".
If true, mounts the /usr/ and the boot loader directories (/boot
and /efi) read-only for processes invoked by this unit. If set to
"full", the /etc/ directory is mounted read-only, too. If set to
"strict" the entire file system hierarchy is mounted read-only,
except for the API file system subtrees /dev/, /proc/ and /sys/
(protect these directories using PrivateDevices=,
ProtectKernelTunables=, ProtectControlGroups=). This setting
ensures that any modification of the vendor-supplied operating
system (and optionally its configuration, and local mounts) is
prohibited for the service. It is recommended to enable this
setting for all long-running services, unless they are involved
with system updates or need to modify the operating system in other
ways. If this option is used, ReadWritePaths= may be used to
exclude specific directories from being made read-only. This
setting is implied if DynamicUser= is set. This setting cannot
ensure protection in all cases. In general it has the same
limitations as ReadOnlyPaths=, see below. Defaults to off.
|
