linux:notes:systemd_script_sandbox

This is an old revision of the document!


Information

Relatively Safe

  • These shouldn't break anything. If something does break, check MemoryDenyWriteExecute and RestrictNamespaces first.
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
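
An added example (not part of the original notes): a small audit that reads unit-file text and reports which of the directives listed above are missing from or switched off in [Service], and which of the two first suspects are currently active. The sample unit and its ExecStart path are constructed for illustration.

```python
# Directives from the "Relatively Safe" list above.
RELATIVELY_SAFE = (
    "ProtectSystem", "ProtectHome", "PrivateTmp", "PrivateDevices",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups",
    "RestrictNamespaces", "MemoryDenyWriteExecute", "RestrictRealtime",
)
# The two the note says to check first when a service breaks.
FIRST_SUSPECTS = ("MemoryDenyWriteExecute", "RestrictNamespaces")
FALSY = {"0", "no", "n", "false", "f", "off"}  # systemd boolean "off" spellings

def service_settings(unit_text):
    """Return {directive: last assigned value} for [Service] sections only.
    Line continuations are not handled (simplification)."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()  # later assignment wins
    return settings

def audit(unit_text):
    """Return (missing, disabled) directives from the relatively-safe list."""
    s = service_settings(unit_text)
    missing = [d for d in RELATIVELY_SAFE if d not in s]
    disabled = [d for d in RELATIVELY_SAFE if d in s and s[d].lower() in FALSY]
    return missing, disabled

def first_suspects(unit_text):
    """Which of the two first suspects are active, i.e. worth turning off first."""
    s = service_settings(unit_text)
    return [d for d in FIRST_SUSPECTS if d in s and s[d].lower() not in FALSY]

# Constructed sample: ProtectHome sits in the wrong section, and
# RestrictNamespaces is overridden by a later assignment.
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample
ProtectHome=true
[Service]
ExecStart=/usr/local/bin/example-script.sh
ProtectSystem=true
PrivateTmp=true
MemoryDenyWriteExecute=true
RestrictNamespaces=yes
RestrictNamespaces=no
"""

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT), first_suspects(SAMPLE_UNIT))
```

Feeding it the output of `systemctl cat <unit>` also covers drop-ins, since that command prints the unit file and its drop-ins in order.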

Service-Specific

  • ReadOnlyPaths and ReadWritePaths are space-separated
NoNewPrivileges=true
PrivateUsers=true
PrivateNetwork=true
ReadOnlyPaths='x' 'x'
ReadWritePaths='x' 'x'
LockPersonality=true
/usr/local/www/wiki/data/attic/linux/notes/systemd_script_sandbox.1723589270.txt.gz · Last modified: by Sean Rhone

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal