mounts the <filename>/usr</filename>
directory read-only for processes
invoked by this unit. If set to
mounts the <filename>/usr</filename>
directory read-only for processes
invoked by this unit. If set to
- <literal>full</literal> the
- <filename>/etc</filename> is mounted
+ <literal>full</literal>, the
+ <filename>/etc</filename> directory is mounted
read-only, too. This setting ensures
that any modification of the vendor
supplied operating system (and
read-only, too. This setting ensures
that any modification of the vendor
supplied operating system (and
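Review bot: The context line directly after this change still reads "that any modification of the vendor supplied operating system"; the compound modifier should be hyphenated as "vendor-supplied", and since this patch is already copy-editing the preceding sentence, that fix belongs in the same hunk. The added comma after <literal>full</literal> and the added word "directory" after <filename>/etc</filename> match the "/usr directory" wording in the sentence before and need no further change.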
all long-running services, unless they
are involved with system updates or
need to modify the operating system in
all long-running services, unless they
are involved with system updates or
need to modify the operating system in
processes retaining the CAP_SYS_ADMIN
capability can undo the effect of this
setting. This setting is hence
processes retaining the CAP_SYS_ADMIN
capability can undo the effect of this
setting. This setting is hence
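Review bot: CAP_SYS_ADMIN in the context line "processes retaining the CAP_SYS_ADMIN" is bare text, while paths and option values in the same paragraph carry <filename> and <literal> markup. Wrap it in <constant> so it renders consistently and is easy to search for. The same applies to the later paragraph about <filename>/run/user</filename>, where "CAP_SYS_ADMIN capability can undo the" has the same problem.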
<filename>/run/user</filename> are
made inaccessible and empty for
processes invoked by this unit. If set
<filename>/run/user</filename> are
made inaccessible and empty for
processes invoked by this unit. If set
two directores are made read-only
instead. It is recommended to enable
this setting for all long-running
two directores are made read-only
instead. It is recommended to enable
this setting for all long-running
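Review bot: "directores" in the context line "two directores are made read-only" is misspelled and is identical on both sides of the diff, so this grammar pass leaves it in place. Change it to "directories" in this hunk.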
ones), to ensure they cannot get access
to private user data, unless the
services actually require access to
ones), to ensure they cannot get access
to private user data, unless the
services actually require access to
that processes retaining the
CAP_SYS_ADMIN capability can undo the
effect of this setting. This setting
that processes retaining the
CAP_SYS_ADMIN capability can undo the
effect of this setting. This setting