The value <code>full-apivfs</code> (the default) sets up private /dev, /proc, /sys, /tmp and /var/tmp file systems in a separate user name space.If this is set to <code>chroot-only</code>, only the file system name space is set up along with the call to <a href="https://www.mankier.com/2/chroot" rel="nofollow"><a href="https://www.mankier.com/2/chroot" rel="nofollow">chroot(2)</a></a>.In all cases, unless <code>serviceConfig.PrivateTmp=true</code> is set, both /tmp and /var/tmp paths are added to <code>InaccessiblePaths=</code>. This is to overcome options like <code>DynamicUser=true</code> implying <code>PrivateTmp=true</code> without letting it being turned off. Beware however that giving processes the <code>CAP_SYS_ADMIN</code> and <code>@mount</code> privileges can let them undo the effects of <code>InaccessiblePaths=</code>.<div class="mnos-note">This doesn't cover network namespaces and is solely for file system level isolation.</div>

systemd.services.<name>.confinement.mode

The value full-apivfs (the default) sets up private /dev, /proc, /sys, /tmp