[Unit] Description=Bind mount /etc/hosts over itself as read-only (friction layer) After=local-fs.target Before=network.target [Service] Type=oneshot ExecStart=/bin/mount --bind /etc/hosts /etc/hosts ExecStart=/bin/mount -o remount,ro,bind /etc/hosts ExecStartPost=/usr/bin/logger -t hosts-bind-mount "Hosts file bind-mounted read-only" RemainAfterExit=yes [Install] WantedBy=multi-user.target