Attach, detach or inspect portable service images
Profiles
When portable service images are attached a "profile" drop-in is
linked in, which may be used to enforce additional security (and
other) restrictions locally. Four profile drop-ins are defined by
default, and shipped in /usr/lib/systemd/portable/profile/.
Additional, local profiles may be defined by placing them in
/etc/systemd/portable/profile/. The default profiles are:
Table 2. Profiles
┌──────────┬──────────────────────────┐
│Name      │ Description              │
├──────────┼──────────────────────────┤
│default   │ This is the default      │
│          │ profile if no other      │
│          │ profile name is set via  │
│          │ the --profile= (see      │
│          │ above). It's fairly      │
│          │ restrictive, but should  │
│          │ be useful for common,    │
│          │ unprivileged system      │
│          │ workloads. This includes │
│          │ write access to the      │
│          │ logging framework, as    │
│          │ well as IPC access to    │
│          │ the D-Bus system.        │
├──────────┼──────────────────────────┤
│nonetwork │ Very similar to default, │
│          │ but networking is turned │
│          │ off for any services of  │
│          │ the portable service     │
│          │ image.                   │
├──────────┼──────────────────────────┤
│strict    │ A profile with very      │
│          │ strict settings. This    │
│          │ profile excludes IPC     │
│          │ (D-Bus) and network      │
│          │ access.                  │
├──────────┼──────────────────────────┤
│trusted   │ A profile with very      │
│          │ relaxed settings. In     │
│          │ this profile the         │
│          │ services run with full   │
│          │ privileges.              │
└──────────┴──────────────────────────┘
For details on these profiles and their effects see their precise
definitions, e.g.
/usr/lib/systemd/portable/profile/default/service.conf and
similar.
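
A local profile laid out like the shipped ones, as an added example that is not part of the original manual page or of systemd's own profiles. The profile name "webonly" and the choice of directives are assumptions made for illustration: services keep IP networking but lose most other privileges.

```ini
# /etc/systemd/portable/profile/webonly/service.conf
# Hypothetical local profile "webonly" (added example; the name and the
# directive selection are assumptions, not one of the four shipped profiles).
[Service]
# Filesystem: read-only OS tree, no home directories, private /tmp,
# minimal /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel interfaces: no tunables, module loading or cgroup writes.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Privileges: empty capability bounding set, no privilege gain via
# setuid/setgid binaries, no writable+executable memory.
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictRealtime=yes

# Network: local and IP sockets only; every other address family
# (netlink, packet sockets, ...) is refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# System calls: the common service set, native ABI only; anything
# else fails with EPERM instead of killing the process.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
```

The profile is selected by name with --profile=webonly when the image is attached. Running systemd-analyze security on one of the attached units shows which of these settings are in effect.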