[systemd-devel] systemd-nspawn: State Directories with -U?

Christian Rebischke Chris.Rebischke at archlinux.org
Mon Jul 23 21:46:27 UTC 2018


Hello,
I want to harden my systemd-nspawn container. Let's say we have a
service like this:

# cat /etc/systemd/system/test.service
[Unit]
Description=Test DynamicUser= with StateDirectory=
[Service]
ExecStart=id
ExecStart=echo 1
ExecStart=test -w /var/lib/foobar
ExecStart=echo 2
ExecStart=test -w /var/lib/private/foobar
ExecStart=echo 3
ExecStart=touch /var/lib/foobar/yay
ExecStart=echo 4
ExecStart=test -f /var/lib/foobar/yay
ExecStart=echo 5
ExecStart=test -f /var/lib/private/foobar/yay
Type=oneshot
DynamicUser=yes
StateDirectory=foobar


When I start a systemd-nspawn container without the "-U" parameter, put
this service file inside of it and start it, everything works fine.
But with the "-U" parameter it fails.

My Question: How can I use the "-U" parameter for my systemd-nspawn
container _and_ the above hardening features like "DynamicUser" and
"StateDirectory"?

If this is not possible, what would be the least intrusive way to get
this service working with maximum security features enabled?

Best regards

Chris