Apply systemd sandboxing by default to some services

@Patrick opened https://github.com/Whonix/sdwdate/pull/29 - this is working on arm64. Will handle onion-grater next.



Could you please try sudo systemctl restart sdwdate after it succeeded once? Because first time its sets time using date, subsequent ones using sclockadj. Therefore it might work the first time but break later due to missing secomp whiltelisted syscalls.

I am not also wondering if removing/changing SystemCallArchitectures setting would have been easier.

Also generally wondering if SystemCallFilter is maintainable or will keep breaking when porting to the next version of Debian (bullseye) or other platforms.

Oh, good catch, sorry for not checking that.

Opened another PR which now also works after restarting the service.

1 Like

No worries.

This is hard to expect. :slight_smile:

Merged, and uploaded to Whonix developers repository.

1 Like

@Patrick finally got time to check onion-grater :slight_smile:

I did restart this a few time also. Anything else I should check?

1 Like

Awesome, no, this one is straight forward to test.

1 Like

@Patrick I realised that I missed one for sdwdate. The service started but the time never synched, now it does:

1 Like


1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]