[systemd-devel] Sandboxing options

Lennart Poettering lennart at poettering.net
Sat Dec 19 10:28:01 UTC 2020


On Mo, 28.09.20 17:00, Christopher Wong (Christopher.Wong at axis.com) wrote:

> Hi,
>
>
> There are a bunch of sandboxing options that I am trying to enable,
> but they have no effect when I set them. Below are the options
> that I am trying to set, but I can't seem to turn them on.
>
> LockPersonality=true
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> RestrictSUIDSGID=true
> RestrictNamespaces=
> SystemCallArchitectures=native
> #SystemCallArchitectures=option
> UMask=0000
> #UMask=0033
>
> I have enabled the following kernel configurations:
>
> CONFIG_NAMESPACES=y
> CONFIG_NET_NS=y
> CONFIG_USER_NS=y
> CONFIG_SECCOMP=y
>
> Is there anything that I am missing?

Maybe start with saying which distro you are using, which kernel,
which systemd version.

Give an example of the unit file you are using.

Are you using this in --user or --system mode? (Note that a bunch of
sandboxing settings are only available for --system).

Have you checked the logs? In particular after enabling debug logging
(systemd-analyze log-level debug).

Lennart

--
Lennart Poettering, Berlin
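As an added example (not part of the thread, and not systemd's own code), the following Python script performs the two offline checks a reader of this exchange would want before digging into logs: it parses a unit file the way systemd reads assignments (comments ignored, later assignments override earlier ones, an empty assignment resets the directive to its default), and it checks a kernel config fragment for the options these directives need. All of the directives in the original question are implemented with seccomp filters, so they depend on CONFIG_SECCOMP_FILTER=y (not just CONFIG_SECCOMP=y) and on a systemd built with libseccomp. The sample unit and kernel config below are constructed for the example; the unit mirrors the poster's settings, and the config fragment is assumed to lack CONFIG_SECCOMP_FILTER to show the finding.

```python
import re

# Sandboxing directives from the thread that systemd implements with seccomp
# filters. They need CONFIG_SECCOMP_FILTER=y in the kernel and a systemd
# built with libseccomp ("+SECCOMP" in the output of `systemctl --version`).
SECCOMP_DIRECTIVES = (
    "LockPersonality",
    "MemoryDenyWriteExecute",
    "RestrictRealtime",
    "RestrictSUIDSGID",
    "RestrictNamespaces",
    "SystemCallArchitectures",
)

# Values systemd's boolean parser treats as false.
FALSE_VALUES = {"false", "no", "off", "0"}

# Sample unit, constructed for this example; mirrors the poster's settings.
SAMPLE_UNIT = """\
[Unit]
Description=example daemon

[Service]
ExecStart=/usr/bin/true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=
SystemCallArchitectures=native
#SystemCallArchitectures=option
UMask=0000
"""

# Sample kernel config fragment, constructed: the poster's four options plus
# an assumed missing CONFIG_SECCOMP_FILTER, which seccomp-based directives need.
SAMPLE_KCONFIG = """\
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_USER_NS=y
CONFIG_SECCOMP=y
# CONFIG_SECCOMP_FILTER is not set
"""


def parse_unit(text):
    """Return {section: {key: value}} with systemd's assignment semantics:
    '#' and ';' comment lines are ignored, a later assignment overrides an
    earlier one, and an empty assignment records '' (a reset)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def kernel_options(text):
    """Return the set of CONFIG_* options enabled (=y or =m) in a kernel config."""
    return {m.group(1) for m in re.finditer(r"^(CONFIG_\w+)=(?:y|m)$", text, re.MULTILINE)}


def audit(unit_text, kconfig_text):
    """Report, per seccomp-backed directive, whether it is effectively set,
    and whether the kernel config provides what those directives need."""
    service = parse_unit(unit_text).get("Service", {})
    enabled = kernel_options(kconfig_text)
    report = {}
    for name in SECCOMP_DIRECTIVES:
        if name not in service:
            report[name] = "not set"
        elif service[name] == "":
            # An empty assignment resets the directive to its default, and the
            # default for all of these directives is "no restriction".
            report[name] = "empty assignment: reset to default (no restriction)"
        elif service[name].lower() in FALSE_VALUES:
            report[name] = "set to false (no restriction)"
        else:
            report[name] = "set to " + service[name]
    missing = [opt for opt in ("CONFIG_SECCOMP", "CONFIG_SECCOMP_FILTER") if opt not in enabled]
    report["kernel"] = (
        "seccomp filtering available" if not missing
        else "missing kernel options: " + ", ".join(missing)
    )
    return report


if __name__ == "__main__":
    for key, finding in audit(SAMPLE_UNIT, SAMPLE_KCONFIG).items():
        print(f"{key}: {finding}")
```

On the sample input the script flags `RestrictNamespaces=` as an empty assignment, which is a reset rather than a restriction, and reports CONFIG_SECCOMP_FILTER as missing. On a live system the same questions are answered by `systemctl show -p LockPersonality -p RestrictNamespaces <unit>` (the effective property values after unit loading) and, on systemd 240 and later, by `systemd-analyze security <unit>`; the debug logging Lennart suggests then shows why a filter was skipped.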


More information about the systemd-devel mailing list