Hello Chris,

Downstream didn't really do anything so far on this topic.
I also can only reproduce this issue on Kernel 5.15 and higher. 

I don't know whether setting / as ReadOnly directly or using
ProtectSystem=strict along with PrivateDevices=true,
ProtectKernelTunables=true and ProtectControlGroups=true is the more
secure configuration. 

as for reproducing, I can reproduce it pretty consistently on LXC
containers on new kernels, but not on 5.10 or 5.12.

This is probably going to lead to a dead end

Best Regards,

Johannes

Reply via email to