On Fri, 09.12.16 02:01, Reindl Harald (h.rei...@thelounge.net) wrote:

> 
> 
> On 09.12.2016 at 01:56, Michael Biebl wrote:
> > Btw, I think we are lacking a good systemd sandboxing howto/tutorial.
> > The one linked from fdo
> > (http://0pointer.de/blog/projects/security.html) is pretty dated and
> > the systemd.exec man page is not coherent enough with regards to
> > security/sandboxing.
> > 
> > Related to that, I think it would be good if we would annotate in the
> > man page, which sandboxing features work for user services and which
> > don't. It's not always immediately obvious which feature requires root
> > privileges
> 
> "requires root privileges" - a question here
> 
> in my understanding those features are applied *before* dropping the privileges to
> "User" and "Group"

All sandboxing features should work for services run by systemd running
as PID 1, regardless of whether they are combined with User= or not.

Services of the systemd --user instances have a more limited
set. There, pretty much only the options based on seccomp are available,
as that's the only interface that doesn't require
privileges. Specifically that's RestrictNamespaces=,
RestrictAddressFamilies=, SystemCallArchitectures=, SystemCallFilter=.

And yes, this could use some better documentation, and there's a bug
open about it.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
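The four seccomp-based directives named in the reply above, put together in a `systemd --user` unit, as an added example (not from the thread or the systemd project). The unit name, path and ExecStart payload are placeholders; NoNewPrivileges= and SystemCallErrorNumber= are real systemd.exec directives added here to show how the filters behave for an unprivileged process.

```ini
# ~/.config/systemd/user/sandboxed-agent.service  (hypothetical unit and path)
[Unit]
Description=User service hardened with only the seccomp-based sandboxing options

[Service]
# Placeholder payload; substitute the real daemon binary.
ExecStart=/usr/bin/sleep infinity

# Everything below is implemented with seccomp filters, so it works inside
# a `systemd --user` instance without root. The kernel only lets an
# unprivileged process install a seccomp filter once no_new_privs is set.
NoNewPrivileges=yes

# Deny creating or entering any namespace type (clone/unshare/setns flags).
RestrictNamespaces=yes

# socket() is only allowed for these families; AF_NETLINK, AF_PACKET
# and the rest fail with EAFNOSUPPORT.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Reject non-native ABIs (e.g. the 32-bit compat ABI on x86-64).
SystemCallArchitectures=native

# Allowlist the syscalls a typical service needs, then strip the
# privileged and resource-control groups from that allowlist.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Return EPERM on a filtered syscall instead of killing the process
# with SIGSYS, so a blocked call shows up in the service's own logs.
SystemCallErrorNumber=EPERM

[Install]
WantedBy=default.target
```

After `systemctl --user daemon-reload`, `systemctl --user show sandboxed-agent.service -p SystemCallFilter -p RestrictAddressFamilies -p RestrictNamespaces` confirms the manager parsed the settings, and `journalctl --user -u sandboxed-agent.service` is where EPERM failures from the filter will surface.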
