Protect system

Restricts write access to system directories using ProtectSystem=. Stronger values provide stricter filesystem protection.

true makes core system directories such as /usr and /boot read-only. full also protects /etc. strict makes the filesystem broadly read-only except for API filesystems and paths explicitly made writable.

Use ReadWritePaths= for directories the service still needs to modify.
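
The settings above combined in a drop-in, as an added example that is not part of the original page. The unit name myapp.service and the paths under /var are assumptions chosen for illustration.

```ini
# /etc/systemd/system/myapp.service.d/hardening.conf
# Constructed drop-in for a hypothetical myapp.service.

[Service]
# Weaker setting, shown commented out for comparison: only core system
# directories such as /usr and /boot become read-only, so the service
# can still write to /etc and to most of the rest of the tree.
#ProtectSystem=true

# Stricter setting: the filesystem is read-only for this service except
# for the API filesystems and the paths listed in ReadWritePaths= below.
ProtectSystem=strict

# Writable exceptions, kept as narrow as possible. List the specific
# state directory rather than a parent such as /var.
ReadWritePaths=/var/lib/myapp

# A leading "-" means the path is ignored when it does not exist.
ReadWritePaths=-/var/log/myapp
```

After systemctl daemon-reload and a restart of the unit, systemctl show myapp.service -p ProtectSystem -p ReadWritePaths prints the values systemd actually applied.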