src/analyze/analyze-security.c

@@ -746,7 +746,7 @@ static const struct security_assessor security_assessor_table[] = {
         {
                 .id = "ProtectControlGroups=",
                 .description_good = "Service cannot modify the control group file system",
-                .description_bad = "Service may modify the control group file system",
+                .description_bad = "Service may modify to the control group file system",
                 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups=",
                 .weight = 1000,
                 .range = 1,

src/core/load-fragment.c

@@ -4703,9 +4703,7 @@ int unit_load_fragment(Unit *u) {
                         return r;
 
                 if (null_or_empty(&st)) {
-                        /* Unit file is masked */
-
-                        u->load_state = u->perpetual ? UNIT_LOADED : UNIT_MASKED; /* don't allow perpetual units to ever be masked */
+                        u->load_state = UNIT_MASKED;
                         u->fragment_mtime = 0;
                 } else {
                         u->load_state = UNIT_LOADED;

src/core/mount.c

@@ -537,9 +537,10 @@ static int mount_verify(Mount *m) {
         }
 
         p = get_mount_parameters_fragment(m);
-        if (p && !p->what && !UNIT(m)->perpetual)
-                return log_unit_error_errno(UNIT(m), SYNTHETIC_ERRNO(ENOEXEC),
-                                            "What= setting is missing. Refusing.");
+        if (p && !p->what) {
+                log_unit_error(UNIT(m), "What= setting is missing. Refusing.");
+                return -ENOEXEC;
+        }
 
         if (m->exec_context.pam_name && m->kill_context.kill_mode != KILL_CONTROL_GROUP) {
                 log_unit_error(UNIT(m), "Unit has PAM enabled. Kill mode must be set to control-group'. Refusing.");