Please consider enabling systemd hardening features in provided service files. See http://0pointer.de/blog/projects/security.html and systemd.service(5) for available facilities. Examples of these are blocking network access, private /tmp directories, making directories read-only, or hiding directories.
Other then the premise of declaring minimal required dependencies, it seems like it might be useful to enforce best practises such as never defragmenting snapshots. eg: specify a list of directories that hold snapshots in the config file, and then block access and/or writes to them. Granted, I'm not convinced this is the best approach, and am merely providing it as an example.
Please consider enabling systemd hardening features in provided service files. See http://0pointer.de/blog/projects/security.html and systemd.service(5) for available facilities. Examples of these are blocking network access, private /tmp directories, making directories read-only, or hiding directories.
Other then the premise of declaring minimal required dependencies, it seems like it might be useful to enforce best practises such as never defragmenting snapshots. eg: specify a list of directories that hold snapshots in the config file, and then block access and/or writes to them. Granted, I'm not convinced this is the best approach, and am merely providing it as an example.