From 5d13c13821870206eab1c8ef19b89ff5cfe1e1d4 Mon Sep 17 00:00:00 2001
From: Florian Schlichting
Date: Tue, 11 Aug 2015 19:00:21 +0200
Subject: [PATCH] systemd: protect /usr when running under systemd

---
 systemd/mpd.service.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/systemd/mpd.service.in b/systemd/mpd.service.in
index bb7b5802a..c4600406d 100644
--- a/systemd/mpd.service.in
+++ b/systemd/mpd.service.in
@@ -19,6 +19,9 @@ ControlGroup=cpu:/mpd
 # assign a real-time budget
 ControlGroupAttribute=cpu.rt_runtime_us 500000
 
+# disallow writing to /usr, /bin, /sbin, ...
+ProtectSystem=yes
+
 [Install]
 WantedBy=multi-user.target
 Also=mpd.socket
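Review bot: The comment added above `ProtectSystem=yes` overstates what the setting covers. With `yes`, systemd mounts /usr and the boot loader directories read-only for the service; /bin and /sbin are protected only where they are symlinks into /usr, and /etc stays writable. A more accurate comment would be `# mount /usr and the boot loader directories read-only for mpd; /etc is only covered by "full"`. If mpd only reads its configuration from /etc (its state and database paths are not visible in this hunk, so confirm first), `ProtectSystem=full` would be the tighter choice. The [Service] section begins outside the hunk, so other sandboxing directives may already be set there.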