Differences

This shows you the differences between two versions of the page.

--- notes:systemd_script_sandboxing [2018/04/03 09:13] – created Sean Rhone
+++ notes:systemd_script_sandboxing [2018/04/03 09:16] (current) – [Service-Specific] Sean Rhone
@@ Line 1: / Line 1: @@
+====== Information ======
+  * https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+====== Relatively Safe ======
+  * These shouldn't break anything, but check ''MemoryDenyWriteExecute'' and ''RestrictNamespaces'' first should something break
+<code>
+ProtectSystem=true
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictNamespaces=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true</code>
+====== Service-Specific ======
+  * ''ReadOnlyPaths'' and ''ReadWritePaths'' are space-separated
+  NoNewPrivileges=true
+  PrivateUsers=true
+  PrivateNetwork=true
+  ReadOnlyPaths='x' 'x'
+  ReadWritePaths='x' 'x'
+  LockPersonality=true