by mholt 1086 days ago
If you want a sandboxed unit file, why not just sandbox it yourself?

Sandboxing it yourself is fraught because any new feature could cause things like a syscall filter to crash the app. It has to be part of the application build/test/release process to prevent that, like it is in SWS.

Besides, we should be creating and using software that is secure by default: https://www.cisa.gov/sites/default/files/2023-06/principles_...
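As an added illustration of the point above, not code from this thread, from SWS or from systemd: a POSIX shell release-gate that compares the syscalls an application actually made while its test suite ran (captured with `strace -f -c`) against the `SystemCallFilter=` line in its unit file. A syscall the filter denies terminates the service with SIGSYS by default, which is exactly the "new feature crashes the app" failure described. The strace summary and the unit line below are constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the HN thread, from SWS or from systemd:
# a release-gate that checks a unit's SystemCallFilter= against the syscalls
# the application actually made while its test suite ran. A syscall that the
# filter denies terminates the service with SIGSYS by default, so the check
# belongs in CI, before the unit ships.

# Constructed sample data: what `strace -f -c -o trace.txt ./app --run-tests`
# would write as its summary table. Only the last column (syscall) is used.
STRACE_SUMMARY='% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 40.00    0.000400          10        40           read
 30.00    0.000300          10        30           write
 10.00    0.000100          10        10           openat
 10.00    0.000100          10        10         2 close
  5.00    0.000050          10         5           mmap
  5.00    0.000050          10         5           accept4
------ ----------- ----------- --------- --------- ----------------
100.00    0.001000                   100         2 total'

# Constructed sample data: the allow-list currently in the shipped unit
# (in a real pipeline: `systemctl cat app.service | grep ^SystemCallFilter=`).
# It predates the feature that started calling accept4.
UNIT_FILTER='SystemCallFilter=read write openat close mmap brk exit_group rt_sigreturn'

# Syscall names from an `strace -c` summary, one per line, sorted and unique.
syscalls_from_summary() {
    printf '%s\n' "$1" |
        awk 'NR > 2 && $1 !~ /^-/ && $NF != "total" { print $NF }' |
        sort -u
}

# Syscall names from a SystemCallFilter= line. @group names are dropped, so
# keep the unit's filter explicit if this check is to be exact; expand groups
# with `systemd-analyze syscall-filter @name` otherwise.
syscalls_from_unit() {
    printf '%s\n' "$1" |
        sed 's/^SystemCallFilter=//' |
        tr ' ' '\n' |
        grep -v '^@' | grep -v '^$' |
        sort -u
}

# Syscalls used in the trace that the unit does not allow.
missing_syscalls() {
    used=$(syscalls_from_summary "$1")
    allowed=$(syscalls_from_unit "$2")
    printf '%s\n' "$used" | while read -r name; do
        printf '%s\n' "$allowed" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# A SystemCallFilter= line covering exactly what the trace observed.
proposed_filter() {
    printf 'SystemCallFilter=%s\n' "$(syscalls_from_summary "$1" | tr '\n' ' ' | sed 's/ $//')"
}

# Gate: return 1 when the unit would kill the app, and say what to add.
check_unit_filter() {
    missing=$(missing_syscalls "$1" "$2")
    if [ -n "$missing" ]; then
        echo "unit denies syscalls the test run used:" >&2
        printf '%s\n' "$missing" | sed 's/^/  /' >&2
        echo "suggested: $(proposed_filter "$1")" >&2
        return 1
    fi
    echo "SystemCallFilter= covers every syscall the test run made"
}

check_unit_filter "$STRACE_SUMMARY" "$UNIT_FILTER" || echo "fix the unit before release" >&2
```

Run against the sample data it reports `accept4` as denied-but-used and prints a replacement line. The caveat is the one the comment implies: strace only sees code paths the tests exercise, so a filter generated this way still has to be re-derived on every release, and on systemd 247 or newer `SystemCallLog=` can log the same list in staging without denying it, to catch what the tests missed.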

Ah yes, I agree Linux should not let processes have a set of permissions that large by default.