linux:notes:systemd_script_sandbox
Information
Relatively Safe
- These shouldn't break anything, but check MemoryDenyWriteExecute and RestrictNamespaces first should something break
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
Service-Specific
- ReadOnlyPaths and ReadWritePaths are space-separated
NoNewPrivileges=true
PrivateUsers=true
PrivateNetwork=true
ReadOnlyPaths='x' 'x'
ReadWritePaths='x' 'x'
LockPersonality=true
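
An added example, not part of the original notes: a small Python audit that reads a unit file's [Service] section, reports which of the "Relatively Safe" directives are not enabled, and flags ReadOnlyPaths/ReadWritePaths entries that are not absolute paths. The sample unit, its script name and its paths are constructed for illustration.

```python
import shlex

# Directives from this page's "Relatively Safe" list.
RELATIVELY_SAFE = (
    "ProtectSystem", "ProtectHome", "PrivateTmp", "PrivateDevices",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups",
    "RestrictNamespaces", "MemoryDenyWriteExecute", "RestrictRealtime",
)
PATH_LISTS = ("ReadOnlyPaths", "ReadWritePaths")
OFF = {"", "no", "false", "off", "0"}  # values that leave a directive disabled

# Constructed sample unit; every name and path in it is hypothetical.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/local/bin/example-script
ProtectSystem=true
PrivateTmp=true
MemoryDenyWriteExecute=false
ReadOnlyPaths=/etc/example /srv/example/config
ReadWritePaths=/var/lib/example x
"""

def parse_service(text):
    """Return {directive: [values]} for the [Service] section of a unit file."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in PATH_LISTS:  # space-separated, accumulates; empty resets
                out[key] = out.get(key, []) + shlex.split(value) if value else []
            else:
                out[key] = [value]  # scalar: the last assignment wins
    return out

def audit(text):
    """Return (directives not enabled, path entries that are not absolute)."""
    svc = parse_service(text)
    missing = [d for d in RELATIVELY_SAFE if svc.get(d, [""])[0].lower() in OFF]
    bad_paths = [p for k in PATH_LISTS for p in svc.get(k, [])
                 if not p.lstrip("-+").startswith("/")]  # "-"/"+" are prefixes
    return missing, bad_paths

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT))
```

On a host running systemd, `systemd-analyze security <unit>` gives the service manager's own view of the loaded unit and is the authoritative check.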