notes:systemd_script_sandboxing
notes:systemd_script_sandboxing [2018/04/03 09:13] – created Sean Rhone | notes:systemd_script_sandboxing [2018/04/03 09:16] (current) – [Service-Specific] Sean Rhone | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Information ====== | ||
+ | * https:// | ||
+ | |||
+ | ====== Relatively Safe ====== | ||
+ | |||
+ | * These shouldn' | ||
+ | |||
+ | < | ||
+ | ProtectSystem=true | ||
+ | ProtectHome=true | ||
+ | PrivateTmp=true | ||
+ | PrivateDevices=true | ||
+ | ProtectKernelTunables=true | ||
+ | ProtectKernelModules=true | ||
+ | ProtectControlGroups=true | ||
+ | RestrictNamespaces=true | ||
+ | MemoryDenyWriteExecute=true | ||
+ | RestrictRealtime=true</ | ||
+ | |||
+ | ====== Service-Specific ====== | ||
+ | |||
+ | * '' | ||
+ | |||
+ | NoNewPrivileges=true | ||
+ | |||
+ | PrivateUsers=true | ||
+ | |||
+ | PrivateNetwork=true | ||
+ | |||
+ | ReadOnlyPaths=' | ||
+ | |||
+ | ReadWritePaths=' | ||
+ | |||
+ | LockPersonality=true |
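Review bot: In the "Relatively Safe" block, `ProtectSystem=true` only mounts /usr and the boot loader directories read-only, so /etc and the rest of the file system stay writable to the service. Since the Service-Specific section already lists `ReadWritePaths=`, consider recommending `ProtectSystem=strict` there, paired with an explicit `ReadWritePaths=` allow-list per unit. `MemoryDenyWriteExecute=true`, `PrivateDevices=true` and `RestrictNamespaces=true` are also filed under "Relatively Safe", but they break services that use JIT compilation, need hardware device nodes, or create namespaces. A short caveat next to each, or moving them under Service-Specific, would match the section titles better.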