Comment 3 for bug 1823051

Sponsored in 'Eoan'

Proposal patch LGTM.

https://www.freedesktop.org/software/systemd/man/systemd.exec.html
...
ProtectSystem=
... If true, mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too

I don't see any debian bug against 'knockd'. Could you please make sure to forward the patch to debian as well for future sync/merge.

- Eric