Is your feature request related to a problem? Please describe.
Hardening services is complicated due to the amount of options there are. Here is an example: https://github.com/NixOS/nixpkgs/blob/nixos-21.05/nixos/modules/services/continuous-integration/github-runner.nix#L259-L296
Describe the solution you'd like
I'd like to have an option or type of unit which would drop privileges as much as possible. No filesystem, no network, no devices, no nothing.
In other words - I'd like to see a whitelist policy instead of a blacklist (much like OCI containers)
Describe alternatives you've considered
Creating some sort of builder with certain defaults.
The systemd version you checked that didn't have the feature you are asking for
v249
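For reference, a drop-in that approximates the requested deny-by-default posture with directives that already exist in systemd v249. This is an added example, not part of the original issue or of systemd; the unit name `example.service`, the drop-in path and the state directory name are hypothetical.

```ini
# /etc/systemd/system/example.service.d/hardening.conf  (hypothetical path and unit)
[Service]
# Identity: transient unprivileged user, empty capability sets, no privilege regain
DynamicUser=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=yes
UMask=0077

# Filesystem: OS tree read-only, home directories hidden, private /tmp,
# /proc reduced to the service's own processes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectProc=invisible
ProcSubset=pid

# Network: separate namespace containing only a loopback device
PrivateNetwork=yes
IPAddressDeny=any

# Devices: only pseudo-devices such as /dev/null remain
PrivateDevices=yes
DevicePolicy=closed

# Kernel interfaces
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes

# Process restrictions
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Allowlist: re-open only what the service needs (constructed example).
# This gives the unit a writable /var/lib/example and nothing else.
StateDirectory=example
```

`systemd-analyze security example.service` lists which sandboxing directives a unit still leaves unset, which helps when checking a drop-in like this against a real service.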