File: systemd-sandboxing.txt

package info (click to toggle)
snapper 0.10.6-1.2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 4,072 kB
  • sloc: cpp: 24,846; ansic: 1,466; sh: 1,410; makefile: 514; python: 127; ruby: 90
file content (31 lines) | stat: -rw-r--r-- 829 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 

Notes about systemd sandboxing
------------------------------

CapabilityBoundingSet=CAP_SYS_ADMIN is needed to get the btrfs default
subvolume id.

ProtectClock=true breaks LVM - strange.

CAP_SYS_MODULE is needed for LVM (creating snapshots, loads
dm_snapshot).

ProtectKernelModules=true breaks LVM.

CapabilityBoundingSet=CAP_SYS_NICE is also needed by LVM.

ProtectHome=true, ProtectControlGroups=true, ProtectKernelLogs=true
and ProtectKernelTunables=true breaks diff for LVM.

SystemCallFilter=@mount breaks almost everything with older systemd,
e.g. on SLE15 SP1.

CapabilityBoundingSet=CAP_FOWNER is needed if for home directories.

CapabilityBoundingSet=CAP_DAC_OVERRIDE is needed for directory
comparison (in some cases) - but not if using btrfs send/receive.

Finally do not forget the hooks.

Have a lot of fun...