Hi Lennart,

Thanks for your reply! After some struggles I managed to figure out that I was missing the SECCOMP in systemd 244 that I was running. Once I have enabled SECCOMP and managed to build systemd with it then all the below options except for UMask were available for me. I will leave UMask for now, no need to use it at this moment.

Best regards,
Christopher Wong

________________________________________
From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
Sent: Saturday, December 19, 2020 11:28
To: Christopher Wong
Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Sandboxing options

On Mo, 28.09.20 17:00, Christopher Wong (Christopher.Wong@xxxxxxxx) wrote:

> Hi,
>
>
> There are a bunch of sandboxing options that I am trying to enable
> but I got no effects when I am setting them. Below are the options
> that I am trying to set, but I can't seem to turn them on.
>
> LockPersonality=true
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> RestrictSUIDSGID=true
> RestrictNamespaces=
> SystemCallArchitectures=native
> #SystemCallArchitectures=option
> UMask=0000
> #UMask=0033
>
> I have enabled the following kernel configurations:
>
> CONFIG_NAMESPACES=y
> CONFIG_NET_NS=y
> CONFIG_USER_NS=y
> CONFIG_SECCOMP=y
>
> Is there anything that I am missing?

Maybe start with saying which distro you are using, which kernel, which systemd version. Give an example of the unit file you are using.

Are you using this in --user or --system mode? (Note that a bunch of sandboxing settings are only available for --system).

Have you checked the logs? In particular after enabling debug logging (systemd-analyze log-level debug).

Lennart

--
Lennart Poettering, Berlin
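The failure mode resolved in this thread (sandboxing directives that have no effect because systemd was built without SECCOMP) can be checked for before deployment. The script below is an added example, not part of the original thread or of systemd: it takes a compile-time feature string and a unit file's text and lists the directives from the thread that would have no effect. The function names, the sample feature string and the sample unit are constructed for illustration; on a live host the feature string is the second line of `systemctl --version`.

```shell
#!/bin/sh
# Directives from the thread that only became available once systemd
# was rebuilt with SECCOMP (UMask is not one of them).
SECCOMP_DIRECTIVES="LockPersonality MemoryDenyWriteExecute RestrictRealtime RestrictSUIDSGID RestrictNamespaces SystemCallArchitectures"

# has_seccomp FEATURES: succeeds if the feature string contains +SECCOMP.
has_seccomp() {
    case " $1 " in
        *" +SECCOMP "*) return 0 ;;
        *) return 1 ;;
    esac
}

# inert_directives FEATURES UNIT_TEXT: prints, one per line, the
# SECCOMP-dependent directives that the unit sets while the build lacks
# SECCOMP. Commented-out lines (leading '#') are ignored.
inert_directives() {
    if has_seccomp "$1"; then
        return 0
    fi
    for id_name in $SECCOMP_DIRECTIVES; do
        if printf '%s\n' "$2" | grep -Eq "^[[:space:]]*${id_name}[[:space:]]*="; then
            printf '%s\n' "$id_name"
        fi
    done
}

# Constructed sample inputs: a feature string without SECCOMP and the
# option set quoted in the thread, placed in a [Service] section.
SAMPLE_FEATURES="+PAM -AUDIT -SELINUX -SECCOMP +KMOD"
SAMPLE_UNIT='[Service]
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=
SystemCallArchitectures=native
#SystemCallArchitectures=option
UMask=0000'

# Live use (not run here):
#   inert_directives "$(systemctl --version | sed -n 2p)" "$(cat my.service)"
inert_directives "$SAMPLE_FEATURES" "$SAMPLE_UNIT"
```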