cipherself 3 days ago
I have used systemd services before to do this to run an application. I had a user created specifically for the application, and I defined the capabilities the application needed via CapabilityBoundingSet and AmbientCapabilities [0], and I used a lot of stuff from [1] to restrict the application, e.g. the sandboxing facilities, restricting the allowed syscalls [2], ...etc. systemd also comes with a useful command, systemd-analyze security [3].

[0] https://www.freedesktop.org/software/systemd/man/latest/syst...
[1] https://www.freedesktop.org/software/systemd/man/latest/syst...
[2] https://www.freedesktop.org/software/systemd/man/latest/syst...
[3] https://www.freedesktop.org/software/systemd/man/latest/syst...
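The approach the comment describes (a dedicated user, a trimmed capability set, syscall filtering and the systemd sandboxing directives), written out as a complete unit file. This is an added example, not the commenter's own unit: the service name `example-app`, the user/group name, the binary path and the assumption that the only privilege it needs is binding a low port (CAP_NET_BIND_SERVICE) are all made up for illustration.

```ini
# /etc/systemd/system/example-app.service
# Added example unit. Service name, user, binary path and the CAP_NET_BIND_SERVICE
# requirement are assumptions; adjust them to what your application actually needs.
[Unit]
Description=Example application with a reduced privilege and syscall surface

[Service]
# Dedicated, unprivileged account created for this application (assumed name).
User=example-app
Group=example-app
ExecStart=/usr/local/bin/example-app --listen 0.0.0.0:443

# Capabilities: the bounding set is the ceiling the process can ever hold,
# the ambient set is what it actually starts with. Everything not listed is dropped.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Stop execve() from regaining privileges through setuid/fscaps binaries.
NoNewPrivileges=yes

# Syscall filtering: start from the @system-service allow list, then remove the
# @privileged group. Blocked calls fail with EPERM instead of killing the process,
# which makes an over-tight filter show up in the application's own error logs.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# Filesystem: read-only view of the system, private /tmp and /dev, no /home.
# StateDirectory= creates /var/lib/example-app and is the one writable location.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
StateDirectory=example-app
UMask=0077

# Kernel and process isolation.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
RemoveIPC=yes
# Only the socket families the service needs; AF_UNIX covers journald/syslog.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Blocks W+X mappings. Leave this out for JIT runtimes (JVM, .NET, V8), which need them.
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security example-app.service` prints a per-directive exposure table and an overall score, which is the quickest way to see which restrictions are still missing. Each of these settings can break an application that legitimately needs the blocked resource, so tighten them while watching the service's logs: with SystemCallErrorNumber=EPERM a filtered syscall surfaces as a permission error in the application rather than a SIGSYS crash, and `journalctl -u example-app` will show it.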