Yes I do actually. I thought I reverted them, but I didn’t. I was preparing for when systemd-analyze security
hit my flavour of Ubuntu. Here’s my sonarr.service:
[Unit]
Description=Sonarr Daemon
Wants=network-online.target
After=network.target network-online.target
[Service]
User=sonarr
Group=sonarr
StandardOutput=null
Type=simple
ExecStart=/usr/bin/mono /opt/NzbDrone/NzbDrone.exe -nobrowser
TimeoutStopSec=20
KillMode=process
Restart=on-failure
# Sandboxing features
PrivateTmp=yes
NoNewPrivileges=true
ProtectSystem=strict
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
RestrictNamespaces=uts ipc pid user cgroup
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
PrivateDevices=yes
RestrictSUIDSGID=true
IPAddressAllow=192.168.0.0/24
[Install]
WantedBy=multi-user.target
After playing around with it, it’s the ProtectSystem=strict
that results in those errors. The guide I used for the systemd hardening was https://github.com/alegrey91/systemd-service-hardening .
From the man page ProtectSystem:
Takes a boolean argument or the special values "full" or
"strict". If true, mounts the /usr and the boot loader
directories (/boot and /efi) read-only for processes invoked by
this unit. If set to "full", the /etc directory is mounted
read-only, too. If set to "strict" the entire file system
hierarchy is mounted read-only, except for the API file system
subtrees /dev, /proc and /sys (protect these directories using
PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
This setting ensures that any modification of the vendor-supplied
operating system (and optionally its configuration, and local
mounts) is prohibited for the service. It is recommended to
enable this setting for all long-running services, unless they
are involved with system updates or need to modify the operating
system in other ways. If this option is used, ReadWritePaths= may
be used to exclude specific directories from being made
read-only. This setting is implied if DynamicUser= is set. This
setting cannot ensure protection in all cases. In general it has
the same limitations as ReadOnlyPaths=, see below. Defaults to
off.
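To make the man page text above concrete, here is a small checker, added as an example (my code, not from the thread, the hardening guide, or systemd itself): it parses the unit file posted above, applies the read-only rules the man page gives for each ProtectSystem= value, reports which directories a service still needs to write but can no longer reach, and prints the ReadWritePaths= drop-in that would restore them while keeping strict mode. The Sonarr data directory /var/lib/sonarr is an assumed placeholder; the real path has to come from the errors the service logs.

```python
from __future__ import annotations

# Constructed copy of the unit file from the post, embedded so this runs offline.
UNIT_TEXT = """\
[Unit]
Description=Sonarr Daemon
Wants=network-online.target
After=network.target network-online.target
[Service]
User=sonarr
Group=sonarr
StandardOutput=null
Type=simple
ExecStart=/usr/bin/mono /opt/NzbDrone/NzbDrone.exe -nobrowser
TimeoutStopSec=20
KillMode=process
Restart=on-failure
PrivateTmp=yes
NoNewPrivileges=true
ProtectSystem=strict
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
RestrictNamespaces=uts ipc pid user cgroup
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
PrivateDevices=yes
RestrictSUIDSGID=true
IPAddressAllow=192.168.0.0/24
[Install]
WantedBy=multi-user.target
"""

# API file system subtrees that stay writable even under "strict" (man page).
API_FS = ("/dev", "/proc", "/sys")

def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """{section: {key: [values]}}; lists because directives like ReadWritePaths= repeat."""
    unit: dict[str, dict[str, list[str]]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            unit[section].setdefault(key.strip(), []).append(value.strip())
    return unit

def read_only_roots(protect_system: str) -> tuple[str, ...]:
    """Directories made read-only for a ProtectSystem= value, per the man page."""
    value = protect_system.strip().lower()
    if value == "strict":
        return ("/",)
    if value == "full":
        return ("/usr", "/boot", "/efi", "/etc")
    if value in ("yes", "true", "on", "1"):
        return ("/usr", "/boot", "/efi")
    return ()  # off (the default): this directive makes nothing read-only

def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies beneath it."""
    root = root.rstrip("/") or "/"
    return root == "/" or path == root or path.startswith(root + "/")

def writable_paths(unit: dict) -> list[str]:
    """ReadWritePaths= entries without the '-' (ignore if missing) and '+'
    (relative to RootDirectory=) prefixes; an empty assignment resets the list."""
    paths: list[str] = []
    for value in unit.get("Service", {}).get("ReadWritePaths", []):
        if not value:
            paths.clear()
        else:
            paths.extend(entry.lstrip("-+") for entry in value.split())
    return paths

def blocked_paths(unit: dict, needed: list[str]) -> list[str]:
    """Paths in `needed` that ProtectSystem= makes read-only and nothing re-opens."""
    protect = unit.get("Service", {}).get("ProtectSystem", ["off"])[-1]  # last one wins
    roots = read_only_roots(protect)
    allowed = list(API_FS) + writable_paths(unit)
    return [p for p in needed
            if any(_under(p, r) for r in roots) and not any(_under(p, a) for a in allowed)]

def dropin_for(blocked: list[str]) -> str:
    """Drop-in (e.g. sonarr.service.d/override.conf) that keeps strict mode but
    re-enables writing to the blocked paths."""
    return "" if not blocked else "[Service]\nReadWritePaths=" + " ".join(blocked) + "\n"

if __name__ == "__main__":
    unit = parse_unit(UNIT_TEXT)
    # Assumed data directory for Sonarr; take the real path from the service's own errors.
    blocked = blocked_paths(unit, ["/var/lib/sonarr"])
    print("needed but read-only:", blocked)
    print(dropin_for(blocked), end="")
```

The drop-in approach is deliberate: keeping ProtectSystem=strict and listing only the directories the service genuinely writes preserves the hardening the guide aimed for, whereas downgrading to "full" or "yes" silently reopens everything outside /usr, /boot, /efi (and /etc). After adding the override, `systemctl daemon-reload` and a re-run of `systemd-analyze security` show whether the exposure score moved.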