by 01HNNWZ0MV43FF 653 days ago
Oops

-- A developer whose app needs to run as root (for a well-documented reason, and with a tight systemd sandbox hiding most of the filesystem from it)


If it is running as root, can't it just manipulate its mount namespace at will? Mount devtmpfs, then mount user partitions.
I believe one can use "capabilities" and seccomp to lock down a superuser process.
Systemd can put it in its own namespaces, like a container.
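As an added illustration (not code from the thread or from the developer's app), here is the shape of a systemd unit that keeps the process running as root yet takes away exactly the path the reply above asks about: mount(2) needs CAP_SYS_ADMIN, so dropping it from the bounding set, filtering the `@mount` syscall group and forbidding new namespaces makes "mount devtmpfs, then mount user partitions" fail with EPERM. The unit name, binary path and state directory are placeholders; which capabilities a real app must keep depends on its documented reason for running as root.

```ini
# Added example, not from the thread. Install as
# /etc/systemd/system/myapp.service (placeholder name), then inspect the
# resulting exposure with:  systemd-analyze security myapp.service
[Unit]
Description=Root-privileged app inside a tight systemd sandbox

[Service]
ExecStart=/usr/local/bin/myapp
User=root

# Root alone does not grant mount(2)/unshare(2): those need CAP_SYS_ADMIN.
# Drop it (and other escape-relevant caps) from the bounding set, block the
# mount/module/raw-I/O syscall groups with seccomp, and refuse new namespaces.
# Keep only the capabilities the app's documented reason actually requires.
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_RAWIO CAP_MKNOD CAP_SYS_PTRACE CAP_SYS_BOOT
NoNewPrivileges=yes
RestrictNamespaces=yes
SystemCallFilter=~@mount @module @raw-io @reboot @swap @obsolete
SystemCallArchitectures=native

# Hide most of the filesystem: read-only root, no /home, private /tmp, and a
# private /dev holding only pseudo-devices, so no disk block device is even
# visible to be mounted. StateDirectory stays writable under ProtectSystem=strict.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
StateDirectory=myapp
InaccessiblePaths=-/boot -/srv

# Kernel interfaces a root process could otherwise use to widen its reach.
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectProc=invisible
ProcSubset=pid
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

[Install]
WantedBy=multi-user.target
```

Note that `SystemCallFilter=~@mount` also blocks `chroot` and `pivot_root`, and `MemoryDenyWriteExecute=yes` breaks JIT-based runtimes, so test the app under the unit before relying on the score `systemd-analyze security` reports.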