Willy,

On 27.02.2018 at 18:33, Willy Tarreau wrote:
> I think it could make sense to add such lines as a comment to the existing
> files so that they serve as illustration of what can be done for users who
> want to go further. Or maybe this is already well-known from systemd users,
> I don't know.
> 

Based on what I've seen the only services that use these in-depth
sandboxing features are SystemD's own various daemons. One notable
exception is the Debian packaging for Redis:
https://github.com/lamby/pkg-redis/blob/1e044e79f26f85a4510c19883336a4fd2952dd9d/debian/bin/generate-systemd-service-files#L85-L103

I'm also totally fine with shipping these settings commented out to
bring them to maintainer's attention. If you consider them useful as an
example I would prepare patches that add example lines for modern
SystemD versions as well as "safe" ones that should be compatible with
almost any SystemD out there.

Best regards
Tim Düsterhus
