[GoLUG] Bottles
Ron
admin at bclug.ca
Sun Feb 23 01:42:22 EST 2025
Kyle Terrien wrote on 2025-02-22 15:20:
> Anyway, sooner or later, more people will realize that Plan 9 had the
> right model---per process mountspaces. If you want to isolate a
> process (or a group of processes), simply unmount the resources you
> don’t want it to access.
Those seem like interesting options.
Maybe something like some of these options can achieve similar (or
probably more):
PrivateDevices=
    To run the service with a private, minimal version of /dev/
PrivateTmp=
    If true, sets up a new file system
    namespace for the executed processes and mounts private /tmp/
    and /var/tmp/ directories inside it that are not shared by
    processes outside of the namespace.
PrivateUsers=
    If true, sets up a new user namespace for the executed processes
    and configures a minimal user and group mapping, that maps the
    "root" user and group as well as the unit's own user and group
    to themselves and everything else to the "nobody" user and
    group.
ProtectSystem=
    If true, mounts the /usr/ and the boot loader directories (/boot
    and /efi) read-only for processes invoked by this unit.
ProtectHome=
    If true, the directories /home/, /root, and /run/user are
    made inaccessible and empty for processes invoked by this unit.
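As an added example (not part of the GoLUG thread or of systemd's own documentation), here is a unit fragment that turns the five directives quoted above on, together with a probe that runs a throwaway command under the same settings with systemd-run(1) and inspects the mount table from inside the sandbox. The service name "mydaemon" and its path are hypothetical. ProtectSystem=strict, DynamicUser= and StateDirectory= are real systemd.exec(5) options that the message does not quote; strict is used because it makes the whole tree read-only rather than only /usr and the boot directories, and StateDirectory= then provides the one writable location the service needs.

```shell
#!/bin/sh
# Added example, not from the GoLUG thread: a sandboxed systemd unit built
# from the directives quoted in the message, plus checks of what they do.
# "mydaemon" and /usr/local/bin/mydaemon are hypothetical names.
set -eu

# Emit the unit text.  Every directive is from systemd.exec(5).
hardened_unit() {
  cat <<'EOF'
[Unit]
Description=mydaemon (hypothetical service used for this example)

[Service]
ExecStart=/usr/local/bin/mydaemon
DynamicUser=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectSystem=strict
ProtectHome=yes
# strict mounts the entire file system read-only (except /dev, /proc, /sys);
# StateDirectory= gives the service a writable /var/lib/mydaemon.
StateDirectory=mydaemon
EOF
}

# Read a unit on stdin and count the sandboxing directives it enables.
# Useful as a regression check that nobody quietly removed one.
count_sandbox_directives() {
  grep -cE '^(PrivateDevices|PrivateTmp|PrivateUsers|ProtectSystem|ProtectHome)='
}

# Run a shell under the same directives (minus PrivateUsers=, which also
# strips capabilities and is easier to reason about separately) and report
# what the sandboxed process actually sees.  Needs root and a running systemd.
probe_sandbox() {
  systemd-run --quiet --wait --pipe --collect \
    -p PrivateDevices=yes -p PrivateTmp=yes \
    -p ProtectSystem=strict -p ProtectHome=yes \
    sh -c '
      echo "entries in /dev:  $(ls /dev | wc -l)"     # only API pseudo devices
      echo "entries in /home: $(ls -A /home | wc -l)"  # 0: empty, inaccessible
      touch /usr/bin/probe 2>/dev/null && echo "/usr writable (BAD)" \
        || echo "/usr read-only: ok"
      touch /tmp/probe && echo "/tmp writable, but it is a private mount"
      # Mount point and its options, as seen from inside the namespace.
      awk "\$5 == \"/\" || \$5 ~ /^\\/(tmp|home)\$/ { print \$5, \$6 }" \
        /proc/self/mountinfo
    '
}

hardened_unit
if [ "$(id -u)" -eq 0 ] && [ -d /run/systemd/system ] \
   && command -v systemd-run >/dev/null 2>&1; then
  probe_sandbox || echo "probe could not run on this host"
fi
```

Install the fragment as /etc/systemd/system/mydaemon.service and run `systemd-analyze security mydaemon.service` to get systemd's own exposure score for it; the probe above is the quicker way to see the per-service mount namespace the quoted Plan 9 comparison is about, since `/tmp` and `/home` show up as separate mounts that exist only for that process tree. PrivateUsers=yes is the directive most likely to break a real service: inside the new user namespace the service holds no capabilities on the host, so anything that needs to bind a privileged port or raise its own limits will fail and has to be granted through other means.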