notes:systemd_script_sandboxing
Information
Relatively Safe
- These shouldn't break anything, but check MemoryDenyWriteExecute and RestrictNamespaces first should something break
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
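Added example (not part of the original notes): a POSIX shell check that lists which of the directives above are absent or disabled in the [Service] section of a single unit file, useful for tracking what was switched off while troubleshooting. The sample unit and its ExecStart path are constructed, and drop-in files are not read.

```shell
#!/bin/sh
# Added example: audit one unit file against the "Relatively Safe" list.
SAFE_DIRECTIVES="ProtectSystem ProtectHome PrivateTmp PrivateDevices
ProtectKernelTunables ProtectKernelModules ProtectControlGroups
RestrictNamespaces MemoryDenyWriteExecute RestrictRealtime"

# missing_directives FILE -> prints (space-separated) every listed directive
# that is unset or set to a false value in FILE's [Service] section.
missing_directives() {
    out=""
    for d in $SAFE_DIRECTIVES; do
        # The last assignment wins; whitespace around '=' is ignored.
        val=$(awk -v key="$d" '
            /^\[/ { in_service = ($0 == "[Service]"); next }
            in_service && /^[A-Za-z]+[ \t]*=/ {
                k = $0; sub(/[ \t]*=.*/, "", k)
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                if (k == key) val = v
            }
            END { print val }' "$1")
        case "$val" in
            ""|false|no|off|0) out="$out${out:+ }$d" ;;
            *) ;;  # true/yes/on/1, or a mode such as ProtectSystem=strict
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample unit for a hypothetical service.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Service]
ExecStart=/usr/local/bin/example-script
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# The two directives the note says to check first, disabled for debugging
RestrictNamespaces=false
#MemoryDenyWriteExecute=true
RestrictRealtime = true
EOF
}

tmp=$(mktemp) && write_sample_unit "$tmp" && missing_directives "$tmp"; rm -f "$tmp"
```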
Service-Specific
ReadOnlyPaths and ReadWritePaths are space-separated
NoNewPrivileges=true
PrivateUsers=true
PrivateNetwork=true
ReadOnlyPaths='x' 'x'
ReadWritePaths='x' 'x'
LockPersonality=true
/var/www/wiki/data/pages/notes/systemd_script_sandboxing.txt · Last modified: 2018/04/03 09:16 by Sean Rhone