systemd: disable non-working remaining sandboxing options (#2205)

* systemd: use PrivateUsers= in user unit

ProtectSystem= and other sandboxing options require a user namespace in
order to work as user units (the user manager does not run as root and
thus without a user namespace it is unable to perform mounts).
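The commit message rests on one prerequisite: the user manager must be able to create a user namespace before `PrivateUsers=true` can give `ProtectSystem=` and the other mount-based options something to work with. The script below is an added example for checking that prerequisite on a host; it is not part of this commit or of the project. The `SYSCTL_ROOT` variable and the function names are assumptions made for illustration, so the policy check can be pointed at a constructed `/proc/sys` tree.

```shell
#!/bin/sh
# Added example, not part of the commit or the project: check whether a host
# meets the prerequisite the commit message describes, i.e. that an
# unprivileged user (the user manager) may create a user namespace, which
# PrivateUsers=true needs before ProtectSystem= and friends can mount anything
# in a user unit. SYSCTL_ROOT is an assumption for illustration: it lets the
# policy check be pointed at a constructed /proc/sys tree for testing.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print the trimmed value of a sysctl file under SYSCTL_ROOT, or "absent".
sysctl_value() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then
        tr -d '[:space:]' < "$SYSCTL_ROOT/$1"
    else
        echo absent
    fi
}

# Return 0 when kernel policy permits unprivileged user namespaces, 1 otherwise.
# kernel.unprivileged_userns_clone is the Debian/Ubuntu toggle (absent on other
# kernels, which is fine); user.max_user_namespaces=0 disables them everywhere.
userns_policy_ok() {
    clone=$(sysctl_value kernel/unprivileged_userns_clone)
    max=$(sysctl_value user/max_user_namespaces)
    [ "$clone" = 0 ] && return 1
    [ "$max" = 0 ] && return 1
    return 0
}

# Try what the user manager will try: create a user namespace without
# privileges. Returns 0 on success, 1 on failure, 2 when unshare(1) is missing.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare -U true 2>/dev/null
}

# Report whether a user unit with PrivateUsers=true (and therefore the
# mount-based options such as ProtectSystem=full) can be expected to start.
check_private_users_prereqs() {
    if userns_policy_ok; then
        echo "sysctl policy: unprivileged user namespaces allowed"
    else
        echo "sysctl policy: unprivileged user namespaces disabled; PrivateUsers=true cannot work in a user unit"
        return 1
    fi
    if userns_probe; then
        echo "probe: created a user namespace, PrivateUsers=true should work"
    elif [ $? -eq 2 ]; then
        echo "probe: unshare(1) not installed, skipped"
    else
        echo "probe: unshare -U failed; an LSM or seccomp policy may block user namespaces"
        return 1
    fi
}

# Usage: sh check_userns.sh --check
if [ "${1:-}" = "--check" ]; then
    check_private_users_prereqs || exit 1
fi
```

The sysctl check only reads policy; the `unshare -U` probe is what actually tells you whether the user manager will succeed, since an LSM profile or a container seccomp filter can refuse the namespace even when both sysctls allow it. Run it as the same unprivileged account whose user manager will start the unit.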
Luca Boccassi 2022-11-09 21:15:11 +01:00 committed by GitHub
parent 4a6c78a7a6
commit 39a0048445
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 4 additions and 2 deletions


@ -5,9 +5,11 @@ After=network-online.target
Wants=network-online.target
[Service]
# Commented out hardenings are disabled because they don't work out of the box.
# Commented out hardenings are disabled because they may not work out of the box on your distribution
# If you know what you are doing please try to enable them.
ProtectSystem=full
PrivateUsers=true
#PrivateDevices=true
ProtectHostname=true
#ProtectClock=true
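Review bot: the new `PrivateUsers=true` is enabled unconditionally, but the rewritten header comment only warns that the commented-out options may not work out of the box; the new line has exactly the dependency the commit message spells out (an unprivileged user namespace, without which the user manager cannot mount and `ProtectSystem=full` above it does nothing), so the comment should name that requirement and the knob to check, e.g. `# PrivateUsers= needs unprivileged user namespaces (user.max_user_namespaces > 0, and kernel.unprivileged_userns_clone=1 on Debian-derived kernels)`. Two things worth confirming before merging: how the unit behaves on a host where the namespace is refused (test it rather than assume it falls back to the old un-namespaced start), and that the daemon does not need to read files owned by another account, since inside the namespace every UID and GID other than the service's own appears as nobody.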
@ -22,4 +24,4 @@ RestartSec=3
RestartPreventExitStatus=3
[Install]
WantedBy=default.target
WantedBy=default.target
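Review bot: `WantedBy=default.target` is shown as removed and re-added with identical text, so the only change in this hunk is invisible in the rendered diff (most likely an end-of-file newline difference); the commit message does not mention it, and a whitespace-only change like this should either be dropped from the commit or called out in the message so a reviewer is not left hunting for a change in the `[Install]` section.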