Hello, I want to harden my systemd-nspawn container. Let's say we have a service like this: # cat /etc/systemd/system/test.service [Unit] Description=Test DynamicUser= with StateDirectory= [Service] ExecStart=id ExecStart=echo 1 ExecStart=test -w /var/lib/foobar ExecStart=echo 2 ExecStart=test -w /var/lib/private/foobar ExecStart=echo 3 ExecStart=touch /var/lib/foobar/yay ExecStart=echo 4 ExecStart=test -f /var/lib/foobar/yay ExecStart=echo 5 ExecStart=test -f /var/lib/private/foobar/yay Type=oneshot DynamicUser=yes StateDirectory=foobar When I start a systemd-nspawn container without "-U" parameter and put this service file inside of it and start it everything will works fine. But with "-U" paramketer it fails. My Question: How can I use the "-U" parameter for my systemd-nspawn container _and_ the above hardening features like "DynamicUser" and "StateDirectory"? If this is not possible. What would be the least intrusive way to get this service working with maximum security features enabled? Best regards Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20180723/6ca1fd1b/attachment.sig>
systemd-nspawn: State Directories with -U?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: systemd-nspawn: State Directories with -U?
- From: Chris.Rebischke@xxxxxxxxxxxxx (Christian Rebischke)
- Date: Mon, 23 Jul 2018 23:46:27 +0200
- Prev by Date: Howto find sshfp records?
- Next by Date: systemctl show outputs incorrect MemoryCurrent value
- Previous by thread: Howto find sshfp records?
- Next by thread: systemctl show outputs incorrect MemoryCurrent value
- Index(es):
 |