Re: [systemd-devel] Sandboxing options
Hi Lennart,

Thanks for your reply! After some struggles I managed to figure out that I was missing the SECCOMP in systemd 244 that I was running. Once I have enabled SECCOMP and managed to build systemd with it then all the below options except for UMask were available for me. I will leave UMask for now, no need to use it at this moment.

Best regards,
Christopher Wong

From: Lennart Poettering
Sent: Saturday, December 19, 2020 11:28
To: Christopher Wong
Cc: systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] Sandboxing options

On Mo, 28.09.20 17:00, Christopher Wong (christopher.w...@axis.com) wrote:

> Hi,
>
> There are a bunch of sandboxing options that I am trying to enable
> but I got no effects when I am setting them. Below are the options
> that I am trying to set, but I can't seem to turn them on.
>
> LockPersonality=true
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> RestrictSUIDSGID=true
> RestrictNamespaces=
> SystemCallArchitectures=native
> #SystemCallArchitectures=option
> UMask=
> #UMask=0033
>
> I have enabled the following kernel configurations:
>
> CONFIG_NAMESPACES=y
> CONFIG_NET_NS=y
> CONFIG_USER_NS=y
> CONFIG_SECCOMP=y
>
> Is there anything that I am missing?

Maybe start with saying which distro you are using, which kernel, which systemd version. Give an example of the unit file you are using. Are you using this in --user or --system mode? (Note that a bunch of sandboxing settings are only available for --system).

Have you checked the logs? In particular after enabling debug logging (systemd-analyze log-level debug).

Lennart

--
Lennart Poettering, Berlin

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
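The cause found in the message above, a systemd build without seccomp, shows up as `-SECCOMP` in the feature flags printed by `systemctl --version`. The script below is an added example, not part of the original thread: the sample version output, the sample unit, `example.service` and the function names are constructed for illustration, and the directive list is the one from this thread.

```shell
#!/bin/sh
# Directives from the thread that only took effect once systemd had seccomp.
SECCOMP_DIRECTIVES="LockPersonality MemoryDenyWriteExecute RestrictRealtime RestrictSUIDSGID RestrictNamespaces SystemCallArchitectures"

# Constructed sample of `systemctl --version` output (not from the thread).
SAMPLE_VERSION='systemd 244 (244)
+PAM -AUDIT -SELINUX -SECCOMP +BLKID -ELFUTILS +KMOD'

# Constructed sample unit file (hypothetical service).
SAMPLE_UNIT='[Service]
ExecStart=/usr/bin/example-daemon
LockPersonality=true
#SystemCallArchitectures=option
SystemCallArchitectures=native
RestrictNamespaces=
UMask=0033'

# Print yes/no/unknown for the SECCOMP build flag in version text $1.
seccomp_built_in() {
    case " $(printf '%s\n' "$1" | tr '\n' ' ') " in
        *" +SECCOMP "*) echo yes ;;
        *" -SECCOMP "*) echo no ;;
        *) echo unknown ;;
    esac
}

# List the seccomp-dependent directives that unit text $1 actually sets
# (commented-out lines and empty assignments are skipped).
seccomp_directives_set() {
    out=""
    for d in $SECCOMP_DIRECTIVES; do
        if printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$d=[^[:space:]]"; then
            out="${out:+$out }$d"
        fi
    done
    echo "$out"
}

# Report directives that a build without seccomp leaves without effect.
report() {
    built=$(seccomp_built_in "$1")
    set_dirs=$(seccomp_directives_set "$2")
    if [ "$built" = no ] && [ -n "$set_dirs" ]; then
        echo "SECCOMP=$built; not applied: $set_dirs"
    else
        echo "SECCOMP=$built; nothing to flag"
    fi
}

report "$SAMPLE_VERSION" "$SAMPLE_UNIT"
# On a real host: report "$(systemctl --version)" "$(systemctl cat example.service)"
```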
Re: [systemd-devel] Sandboxing options
On Mo, 28.09.20 17:00, Christopher Wong (christopher.w...@axis.com) wrote:

> Hi,
>
> There are a bunch of sandboxing options that I am trying to enable
> but I got no effects when I am setting them. Below are the options
> that I am trying to set, but I can't seem to turn them on.
>
> LockPersonality=true
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> RestrictSUIDSGID=true
> RestrictNamespaces=
> SystemCallArchitectures=native
> #SystemCallArchitectures=option
> UMask=
> #UMask=0033
>
> I have enabled the following kernel configurations:
>
> CONFIG_NAMESPACES=y
> CONFIG_NET_NS=y
> CONFIG_USER_NS=y
> CONFIG_SECCOMP=y
>
> Is there anything that I am missing?

Maybe start with saying which distro you are using, which kernel, which systemd version. Give an example of the unit file you are using. Are you using this in --user or --system mode? (Note that a bunch of sandboxing settings are only available for --system).

Have you checked the logs? In particular after enabling debug logging (systemd-analyze log-level debug).

Lennart

--
Lennart Poettering, Berlin
[systemd-devel] Sandboxing options
Hi,

There are a bunch of sandboxing options that I am trying to enable but I got no effects when I am setting them. Below are the options that I am trying to set, but I can't seem to turn them on.

LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=
SystemCallArchitectures=native
#SystemCallArchitectures=option
UMask=
#UMask=0033

I have enabled the following kernel configurations:

CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_USER_NS=y
CONFIG_SECCOMP=y

Is there anything that I am missing?

Best Regards,
Christopher Wong