Btw, I think we are lacking a good systemd sandboxing howto/tutorial. The one linked from fdo (http://0pointer.de/blog/projects/security.html) is pretty dated and the systemd.exec man page is not coherent enough with regards to security/sandboxing.
Related to that, I think it would be good if we would annotate in the man page which sandboxing features work for user services and which don't. It's not always immediately obvious which feature requires root privileges.

Michael

2016-12-09 1:46 GMT+01:00 Michael Biebl <mbi...@gmail.com>:
> Reading Lennart's recent blog post, I just wanted to make people aware
> that the RestrictAddressFamilies= feature is currently broken on
> several architectures, including i386. So be careful for now until
> https://github.com/systemd/systemd/issues/4575
> has been fixed
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
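As an added illustration of the kind of annotated unit the message above asks for (this is not part of the thread and not systemd's own documentation), here is a system service with the common systemd.exec sandboxing directives, each commented with the privilege it needs. The service name and binary are hypothetical, and the privilege notes are this editor's reading of systemd.exec, not anything the thread states: the mount-namespace directives (PrivateTmp=, ProtectSystem=, ProtectHome=, PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=) need CAP_SYS_ADMIN in the manager that starts the unit, which the system manager has and an unprivileged user manager does not, while the seccomp-based ones (RestrictAddressFamilies=, SystemCallFilter=) and NoNewPrivileges= only need seccomp support in the kernel.

```ini
# Added example unit (hypothetical service, not from the original thread).
# Assumed to be installed as /etc/systemd/system/example-daemon.service and
# started by the system manager, i.e. with root privileges available.
[Unit]
Description=Example sandboxed daemon (hypothetical)

[Service]
ExecStart=/usr/bin/example-daemon

# Works for system and user services alike: only needs prctl(PR_SET_NO_NEW_PRIVS).
NoNewPrivileges=yes

# Mount-namespace based. Assumption: these need CAP_SYS_ADMIN in the starting
# manager, so they apply to system services; an unprivileged user manager
# cannot set them up on its own.
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

# seccomp based: needs kernel seccomp support, not root.
# RestrictAddressFamilies= is the directive the quoted message reports broken
# on several architectures (see the linked issue); verify it on your arch.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@mount

# Drop every capability from the bounding set; only meaningful for a service
# the system manager starts, since a user service has none to begin with.
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
```

A practical way to check a single directive against your own user manager, rather than trusting the comments above, is to try it in a transient unit and read the result: `systemd-run --user -p PrivateTmp=yes /bin/true` followed by `journalctl --user -n 20` will show whether the namespace was set up or the start failed with a permission error. On systemd versions that ship it, `systemd-analyze security example-daemon.service` lists which of the sandboxing directives are in effect for a loaded unit.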