On Wed, Apr 20, 2016 at 11:19:46PM +0200, Ansgar Burchardt wrote: > I think using mount namespaces is a bit nicer solution for the problem: ... > I'm not sure you can achieve this via systemd's .mount units, although > systemd itself also makes use of mount namespaces. For example, systemd > uses them to provide a per-service /tmp, make /home unaccessible or only > allowing read-only access to /usr or /etc for individual service. See > the PrivateTmp=, ProtectHome=, ProtectSystem=, PrivateDevices=, > ReadOnlyDirectories=, InaccessibleDirectories= and ReadWriteDirectories= > in man:systemd.exec(5).
Thanks, that does look useful. I will look into this some more.
