On Sat, Apr 10, Michael Ströder wrote:
IMO systemd.exec(5) SystemCallFilter= is not crude at all. For me it's a low-hanging fruit. But differences in systemd versions in Leap and Tumbleweed are an obstacle.
If you use systemd sandboxing, your system is only protected against the app if you start it via systemd service file. If you start your app directly, your system is no longer protected. AppArmor and SELinux both protect your system, independent of how you start the app. That's why systemd sandboxing is no real generic solution.