systemd: use PrivateUsers= in user unit
ProtectSystem= and other sandboxing options require a user namespace in order to work as user units (the user manager does not run as root and thus without a user namespace it is unable to perform mounts).
parent
0efbd4df8b
commit
714bb991aa
|
@ -19,6 +19,8 @@ LimitRTTIME=infinity
|
||||||
# for io_uring
|
# for io_uring
|
||||||
LimitMEMLOCK=64M
|
LimitMEMLOCK=64M
|
||||||
|
|
||||||
|
# Required in order for ProtectSystem= (and other sandboxing) to work
|
||||||
|
PrivateUsers=yes
|
||||||
# disallow writing to /usr, /bin, /sbin, ...
|
# disallow writing to /usr, /bin, /sbin, ...
|
||||||
ProtectSystem=yes
|
ProtectSystem=yes
|
||||||
|
|
||||||
|
|
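Review bot: The comment added above PrivateUsers=yes says the setting is required for ProtectSystem= "and other sandboxing" to work, but not why, so a later reader could mistake it for optional hardening and remove it, leaving ProtectSystem=yes unable to work in the user unit. The reason currently lives only in the commit message: the user manager does not run as root and cannot perform mounts without a user namespace. Suggest putting that into the unit file comment itself, for example "# user units: the user manager is not root, so it needs a user namespace to perform the mounts behind ProtectSystem= and similar options".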