Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Can you recommend any distros that use it extensively, or is it too early?


Ideally upstreams, rather than distributions, should sandbox their own projects.

However, Debian is shipping a number of hardened systemd unit files.

To see some examples on how the sandboxing is being set up you can grep for SystemCallFilter, CapabilityBoundingSet, ProtectSystem, ProtectHome in /lib/systemd/system/*.service




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: