systemd.services.<name>.confinement.mode
The value full-apivfs (the default) sets up private /dev, /proc, /sys, /tmp and /var/tmp file systems in a separate user name space. If this is set to chroot-only, only the file system name space is set up along with the call to chroot(2).

In all cases, unless serviceConfig.PrivateTmp=true is set, both /tmp and /var/tmp paths are added to InaccessiblePaths=. This is to overcome options like DynamicUser=true implying PrivateTmp=true without letting it be turned off. Beware, however, that giving processes the CAP_SYS_ADMIN and @mount privileges can let them undo the effects of InaccessiblePaths=.

This doesn't cover network namespaces and is solely for file-system-level isolation.
Type: one of "full-apivfs", "chroot-only"
Default: "full-apivfs"
Declared: <nixpkgs/nixos/modules/security/systemd-confinement.nix>
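A constructed NixOS module (added here, not part of the manual or of systemd-confinement.nix) showing the option in use together with the privilege restrictions the description points at; the service name example-confined, the confinement.enable switch and pkgs.hello as the payload are assumptions not taken from this page.

```nix
# Constructed example: a service confined with the default full-apivfs mode,
# with PrivateTmp= set explicitly and the privileges that could undo
# InaccessiblePaths= (CAP_SYS_ADMIN, the @mount syscall group) denied.
{ config, pkgs, lib, ... }:

{
  systemd.services.example-confined = {
    description = "Constructed example of a confined service";
    wantedBy = [ "multi-user.target" ];

    # Assumed companion option that turns confinement on for this unit.
    confinement.enable = true;
    # The option documented above; "chroot-only" would give only the
    # chroot(2) file system namespace without private /dev, /proc, /sys.
    confinement.mode = "full-apivfs";

    serviceConfig = {
      ExecStart = "${pkgs.hello}/bin/hello";   # placeholder payload
      DynamicUser = true;
      # Set explicitly: otherwise /tmp and /var/tmp end up in
      # InaccessiblePaths= and the service cannot use a temp directory.
      PrivateTmp = true;
      # Empty bounding set drops every capability, CAP_SYS_ADMIN included,
      # so the process cannot remount its way around InaccessiblePaths=.
      CapabilityBoundingSet = "";
      # Allow the usual service syscalls but deny the @mount group.
      SystemCallFilter = [ "@system-service" "~@mount" ];
    };
  };
}
```

With these settings in place, `systemd-analyze security example-confined` on the resulting system is a quick way to confirm that the capability and syscall restrictions were actually applied to the generated unit.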