Marco d'Itri <m...@linux.it> writes:
> This is a good example of what an almost fully sandboxed service looks like:
> https://salsa.debian.org/md/rpki-client/-/blob/master/debian/rpki-client.service

My best score is a little better :-)

On Debian 11 (systemd v247):
→ Overall exposure level for collection4.service: 0.2 SAFE 😀
→ Overall exposure level for rpki-client.service: 1.7 OK 🙂

On Sid (systemd v253):
→ Overall exposure level for collection4.service: 0.4 SAFE 😀
→ Overall exposure level for rpki-client.service: 1.8 OK 🙂

https://github.com/trentbuck/collection4/blob/main/debian/service


PS: I worked out that to invoke it in offline mode (for lintian) you do this:

      systemd-analyze security --offline=yes ./path/to/foo.service

    I didn't understand (from the manpage) that I could pass a file instead of a unit name,
    so I wasted a lot of time trying to make a minimal --root=tmpdir work.
    Also it won't accept "./debian/service", nor a symlink to same.
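
The offline check from the PS above, wrapped so that a file named `debian/service` can still be analysed. This is an added example, not part of the original message; the function names, the copy-to-a-temp-directory workaround and the use of `--threshold` as a pass/fail gate are assumptions of this example.

```shell
#!/bin/sh
# Added example: run "systemd-analyze security" offline against a packaging
# file such as debian/service. The message reports that such a path, and a
# symlink to it, are rejected, so (assumption) the file is first copied to a
# regular file carrying a proper unit name.

# stage_unit SRC NAME -> prints the path of a temporary copy "NAME.service"
stage_unit() {
    src=$1
    name=$2
    [ -f "$src" ] || { echo "no such unit file: $src" >&2; return 2; }
    dir=$(mktemp -d) || return 2
    # Regular copy, not a symlink (symlinks are reported not to work).
    cp -- "$src" "$dir/$name.service" || return 2
    printf '%s\n' "$dir/$name.service"
}

# check_unit_offline SRC NAME [THRESHOLD]
# Needs a systemd-analyze that supports --offline. THRESHOLD is passed to
# --threshold=, which makes the command fail when the overall exposure level
# exceeds it (the option's default is 100).
check_unit_offline() {
    staged=$(stage_unit "$1" "$2") || return 2
    systemd-analyze security --offline=yes --threshold="${3:-100}" "$staged"
    rc=$?
    rm -rf -- "$(dirname "$staged")"
    return "$rc"
}

# Stand-alone use: ./check-unit.sh debian/service collection4 20
if [ "$#" -ge 2 ]; then
    check_unit_offline "$@"
fi
```
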
