On Mo, 28.09.20 17:00, Christopher Wong (Christopher.Wong@xxxxxxxx) wrote:

> Hi,
>
> There are a bunch of sandboxing options that I am trying to enable
> but I got no effects when I am setting them. Below are the options
> that I am trying to set, but I can't seem to turn them on.
>
> LockPersonality=true
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> RestrictSUIDSGID=true
> RestrictNamespaces=
> SystemCallArchitectures=native
> #SystemCallArchitectures=option
> UMask=0000
> #UMask=0033
>
> I have enabled the following kernel configurations:
>
> CONFIG_NAMESPACES=y
> CONFIG_NET_NS=y
> CONFIG_USER_NS=y
> CONFIG_SECCOMP=y
>
> Is there anything that I am missing?

Maybe start with saying which distro you are using, which kernel, which
systemd version. Give an example of the unit file you are using. Are you
using this in --user or --system mode? (Note that a bunch of sandboxing
settings are only available for --system.)

Have you checked the logs? In particular after enabling debug logging
(systemd-analyze log-level debug).

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
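Two of the lines in the question are worth a second look regardless of distro or systemd version: an empty assignment such as `RestrictNamespaces=` resets that setting to its default (no namespace restriction at all), and `UMask=0000` makes every file the service creates world-writable, which is the opposite of sandboxing. The script below is an added example, not code from the thread or from the systemd project: it lints a constructed unit file for those two mistakes, for sandbox keys placed outside `[Service]` (where exec settings are ignored), and for keys that only appear commented out, and it includes a guarded `systemctl show` helper for confirming on a real host which properties the manager actually applied. The sample unit, the `lint_sandbox_unit` and `show_sandbox_state` function names, and the hardened counterpart are all constructed for this example; the property names passed to `systemctl show` are assumed to match the unit keys, so verify them with a plain `systemctl show <unit>` if one is missing on your system.

```shell
#!/bin/sh
# Added example (not from the thread): lint a unit file's sandboxing keys
# and, on a systemd host, show what the manager actually applied.

SANDBOX_KEYS="LockPersonality MemoryDenyWriteExecute RestrictRealtime RestrictSUIDSGID RestrictNamespaces SystemCallArchitectures UMask"

# Constructed sample unit reproducing the keys from the question, with one
# deliberate mistake added: LockPersonality placed under [Unit].
UNIT_FILE="$(mktemp)"
cat > "$UNIT_FILE" <<'EOF'
[Unit]
Description=constructed example service
LockPersonality=true

[Service]
ExecStart=/bin/sleep 60
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=
SystemCallArchitectures=native
#SystemCallArchitectures=option
UMask=0000
#UMask=0033
EOF

# Constructed hardened counterpart: same keys, each in [Service] and set to a
# restrictive value.
FIXED_FILE="$(mktemp)"
cat > "$FIXED_FILE" <<'EOF'
[Unit]
Description=constructed example service (hardened)

[Service]
ExecStart=/bin/sleep 60
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
SystemCallArchitectures=native
UMask=0077
EOF
trap 'rm -f "$UNIT_FILE" "$FIXED_FILE"' EXIT

# Print one finding per line; the return status is the number of findings.
lint_sandbox_unit() {
    file="$1"
    n=0

    # Exec settings only take effect in [Service]; track the current section
    # and flag any sandbox key that appears elsewhere.
    misplaced="$(awk -F= -v keys="$SANDBOX_KEYS" '
        BEGIN { split(keys, k, " "); for (i in k) want[k[i]] = 1 }
        /^\[/ { sec = $0; next }
        ($1 in want) && sec != "[Service]" {
            print $1 " is in section " sec " but only takes effect in [Service]"
        }' "$file")"
    if [ -n "$misplaced" ]; then
        echo "$misplaced"
        n=$((n + $(printf '%s\n' "$misplaced" | wc -l)))
    fi

    # An empty assignment resets the setting, so "RestrictNamespaces=" means
    # no namespace restriction, not "restrict everything".
    if grep -Eq '^RestrictNamespaces=[[:space:]]*$' "$file"; then
        echo "RestrictNamespaces= is empty, which disables the restriction; use RestrictNamespaces=true or a list of namespace types"
        n=$((n + 1))
    fi

    # UMask=0000 makes every file the service creates world-writable.
    if grep -Eq '^UMask=0+$' "$file"; then
        echo "UMask=0000 creates world-writable files; UMask=0077 (or 0022 if others must read) is the usual choice"
        n=$((n + 1))
    fi

    # A key that only appears as "#Key=..." is a comment and is not set.
    for key in $SANDBOX_KEYS; do
        if grep -Eq "^#[[:space:]]*$key=" "$file" && ! grep -Eq "^$key=" "$file"; then
            echo "$key only appears commented out, so it is not set"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# On a systemd host, ask the manager which values it actually applied for a
# loaded unit. Property names are assumed to match the unit keys.
show_sandbox_state() {
    unit="$1"
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not available; skipping"; return 0; }
    systemctl show "$unit" \
        -p LockPersonality -p MemoryDenyWriteExecute -p RestrictRealtime \
        -p RestrictSUIDSGID -p RestrictNamespaces -p SystemCallArchitectures -p UMask
}

echo "== findings for constructed unit =="
lint_sandbox_unit "$UNIT_FILE" || echo "$? finding(s)"
echo "== findings for hardened unit =="
lint_sandbox_unit "$FIXED_FILE" || echo "$? finding(s)"
```

Run the lint against the unit file you are about to install; once the unit is loaded on a systemd host, `show_sandbox_state my.service` shows the values the manager holds for it, which is a faster check than waiting for a visible effect. As Lennart notes, the result also depends on whether the unit runs under `--system` or `--user`, so compare against the right manager (`systemctl --user show` for user units).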