TIL about #systemd's TemporaryFileSystem, ProtectSystem, ProtectHome, InaccessiblePaths, ReadOnlyPaths and a bunch more related options, which allow you to easily set up a #chroot style environment for a service, simply by defining what directories it should have access to right there in the unit file.
Depending on what you need, you can use an allowlist-based approach using TemporaryFileSystem & ReadWritePaths, or a blocklist-based one with InaccessiblePaths.
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html
#Linux
scy /
npub15p…khvce
2024-06-21 15:17:41
Author Public Key
npub15pc5vt5kqgr60g389gl4n5zzuktz8wezz76klym9ew3puy3p8clqckhvcePublished at
2024-06-21 15:17:41Event JSON
{
"id": "abe8225fc830574b568c51a385ef3a0c0c799a7c9b7dc7e3660a0a168c16ed22",
"pubkey": "a071462e960207a7a2272a3f59d042e59623bb2217b56f9365cba21e12213e3e",
"created_at": 1718983061,
"kind": 1,
"tags": [
[
"proxy",
"https://chaos.social/@scy/112655273946643004",
"web"
],
[
"t",
"chroot"
],
[
"t",
"linux"
],
[
"t",
"systemd"
],
[
"proxy",
"https://chaos.social/users/scy/statuses/112655273946643004",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://chaos.social/users/scy/statuses/112655273946643004",
"pink.momostr"
]
],
"content": "TIL about #systemd's TemporaryFileSystem, ProtectSystem, ProtectHome, InaccessiblePaths, ReadOnlyPaths and a bunch more related options, which allow you to easily set up a #chroot style environment for a service, simply by defining what directories it should have access to right there in the unit file.\n\nDepending on what you need, you can use an allowlist-based approach using TemporaryFileSystem \u0026 ReadWritePaths, or a blocklist-based one with InaccessiblePaths.\n\nhttps://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html\n\n#Linux",
"sig": "0ae989510ca70339caf83974c4af285ea15f008d572e13b86929e8aa12eb3b26e9456ada2ba8c47ca8239b38ccacf40851a27f89ba578ad4189ca1eacfb8f9c3"
}