linux:notes:systemd_script_sandbox

Table of Contents

Information
Relatively Safe
Service-Specific

Information

https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Relatively Safe

These shouldn't break anything, but check MemoryDenyWriteExecute and RestrictNamespaces first should something break

ProtectSystem=true
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
MemoryDenyWriteExecute=true
RestrictRealtime=true

Service-Specific

ReadOnlyPaths and ReadWritePaths are space-separated

NoNewPrivileges=true

PrivateUsers=true

PrivateNetwork=true

ReadOnlyPaths='x' 'x'

ReadWritePaths='x' 'x'

LockPersonality=true

/var/www/wiki/data/pages/linux/notes/systemd_script_sandbox.txt · Last modified: 2024/08/13 18:47 by 127.0.0.1