Changed ProtectHome to "read-only";. Mounted folders in /home were not viewed.

Added "CAP_FOWNER" capabilities, need to correct work freeipmi plugun.

@joelhans Is this something upstream would be interested in? If those sandboxing options would be bundled with netdata itself every systemd-based distributions would adopt it.

@Mic92 This definitely could be of interest! I'll send this on to our packaging team so they can investigate what the work you've done here. Hopefully you'll hear from them soon, or from me if they have an update I can pass along. Thanks for the ping.

@Mic92 I can't speak for our whole packaging team, but I suspect the answer is likely to be yes, we would be interested in this. I'll make a point to bring it up with the rest of the team during our daily sync and hopefully have a more conclusive answer for you some time next week.

@Mic92 Based on discussion with the rest of the packaging and SRE team, we are potentially interested having this sandboxing upstream, but don't currently have the time to add it ourselves. If you (or one of the other NixOS contributors) want to open a PR to add it (ideally with info about minimum required version of systemd and other such things), we'll be happy to review it and will probably merge it unless we determine that it would be too much effort to maintain on our end.

@Izorkin Would you be interested in upstreaming this? They have merchandise: netdata/netdata#7133

Created PR.

I would like to get at least one review round on netdata/netdata#9234 before merging this.

@Izorkin can you also apply https://github.com/netdata/netdata/pull/9569/files ?

In the next release we should just switch to the upstream systemd file to receive sandbox fixes in future.

Updated.