<!DOCTYPE html><html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body> <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: InterVariable, Twemoji_DISABLED, sans-serif; font-size: 15px; font-style: normal; font-variant-caps: normal; font-weight: 420; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration: none; display: inline !important; float: none;">Hi, I'm currently trying to execute systemd-dissect from within a quite sandboxed service. I've set PrivateDevices = "no" and DeviceAllow to block-loop and loop-control. However, systemd-dissect still runs into an error when trying to talk to the loop device: ioctl(6, BLKPG, ***op=BLKPG_DEL_PARTITION, flags=0, datalen=152, data=***start=0, length=0, pno=1, devname="/dev/loop0p1", volname=""***) = -1 EACCES (Permission denied) Do you guys have any pointers on which other sandboxing settings I need to tweak? I've fiddled around with capabilities and syscall filters (which both shouldn't be a problem), but no luck. For reference, the (presumably) relevant parts of the service config: SecureBits=0 User=root DynamicUser=no SetLoginEnvironment=no RemoveIPC=yes PrivateTmp=yes PrivateDevices=no ProtectClock=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectKernelLogs=yes ProtectControlGroups=yes PrivateNetwork=no PrivateUsers=yes PrivateMounts=yes PrivateIPC=no ProtectHome=yes ProtectSystem=strict SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=yes MemoryDenyWriteExecute=no RestrictRealtime=yes RestrictSUIDSGID=yes RestrictNamespaces=yes ProtectProc=invisible ProcSubset=all ProtectHostname=yes Moritz Sanft </body> </html>