|
@@ -32,16 +32,16 @@ RestrictSUIDSGID=yes
|
|
|
SystemCallArchitectures=native
|
|
SystemCallArchitectures=native
|
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=@system-service
|
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallErrorNumber=EPERM
|
|
|
-# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
|
|
|
|
|
-# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
|
|
|
|
|
-# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
|
|
|
|
|
-# leaves most of the filesystem read-only to borgmatic.
|
|
|
|
|
|
|
+# To restrict write access further, change "ProtectSystem" to "strict" and
|
|
|
|
|
+# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
|
|
|
|
|
+# "BindReadOnlyPaths". Then add any local repository paths to the list of
|
|
|
|
|
+# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
|
|
|
ProtectSystem=full
|
|
ProtectSystem=full
|
|
|
# ReadWritePaths=-/mnt/my_backup_drive
|
|
# ReadWritePaths=-/mnt/my_backup_drive
|
|
|
-# ReadOnlyPaths=-/var/lib/my_backup_source
|
|
|
|
|
# This will mount a tmpfs on top of /root and pass through needed paths
|
|
# This will mount a tmpfs on top of /root and pass through needed paths
|
|
|
-# ProtectHome=tmpfs
|
|
|
|
|
|
|
+# TemporaryFileSystem=/root:ro
|
|
|
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
|
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
|
|
|
|
+# BindReadOnlyPaths=-/root/.ssh
|
|
|
|
|
|
|
|
# May interfere with running external programs within borgmatic hooks.
|
|
# May interfere with running external programs within borgmatic hooks.
|
|
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
Dan Helfman