Hello, I want to harden my systemd-nspawn container. Let's say we have a service like this:
# cat /etc/systemd/system/test.service [Unit] Description=Test DynamicUser= with StateDirectory= [Service] ExecStart=id ExecStart=echo 1 ExecStart=test -w /var/lib/foobar ExecStart=echo 2 ExecStart=test -w /var/lib/private/foobar ExecStart=echo 3 ExecStart=touch /var/lib/foobar/yay ExecStart=echo 4 ExecStart=test -f /var/lib/foobar/yay ExecStart=echo 5 ExecStart=test -f /var/lib/private/foobar/yay Type=oneshot DynamicUser=yes StateDirectory=foobar When I start a systemd-nspawn container without "-U" parameter and put this service file inside of it and start it everything will works fine. But with "-U" paramketer it fails. My Question: How can I use the "-U" parameter for my systemd-nspawn container _and_ the above hardening features like "DynamicUser" and "StateDirectory"? If this is not possible. What would be the least intrusive way to get this service working with maximum security features enabled? Best regards Chris
signature.asc
Description: PGP signature
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel