| author | Lennart Poettering <lennart@poettering.net> | 2018-05-24 16:49:13 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-05-24 16:49:13 +0200 |
| commit | cdc0f9be925c79f52452938f39013062325da27a (patch) | |
| tree | dfd01079f60ca2b6cc85baa298911a7bb375dae9 /man/systemd.exec.xml | |
| parent | cea79e664394d4ca89016919cef36a55dc51a369 (diff) | |
| parent | b086654c6a75119b660235ffb08bb4963835fc7c (diff) | |
| download | systemd-cdc0f9be925c79f52452938f39013062325da27a.tar.gz | |
Merge pull request #8817 from yuwata/cleanup-nsflags
core: allow to specify RestrictNamespaces= multiple times
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index fc12c25729..b21c5aa104 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -313,7 +313,7 @@ inverted. Note that this option also affects the respective capabilities in the effective, permitted and inheritable capability sets. If this option is not used, the capability bounding set is not modified on process execution, hence no limits on the capabilities of the process are enforced. This option may appear more than - once, in which case the bounding sets are merged by <constant>AND</constant>, or by <constant>OR</constant> if + once, in which case the bounding sets are merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with <literal>~</literal> (see below). If the empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior settings have no effect. If set to <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available 
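Review bot: the corrected wording "merged by OR, or by AND if the lines are prefixed with ~" has a hardening consequence this paragraph should spell out: because unprefixed CapabilityBoundingSet= lines are unioned, a later unprefixed line (for instance from a drop-in) can only widen the bounding set, and only a ~-prefixed line narrows it. A two-line example like the one the third hunk adds for RestrictNamespaces= would make that concrete here too.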
@@ -1152,7 +1152,9 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> prohibited (whitelisting). By prepending the list with a single tilde character (<literal>~</literal>) the effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied, - which is equivalent to false. Internally, this setting limits access to the + which is equivalent to false. This option may appear more than once, in which case the namespace types are + merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with + <literal>~</literal> (see examples below). Internally, this setting limits access to the <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking 
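Review bot: the added sentence "merged by OR, or by AND if the lines are prefixed with ~" does not say what is being merged; since the preceding sentence defines the unprefixed form as whitelisting, state that it is the set of permitted namespace types that is unioned for unprefixed lines and intersected for ~ lines, so a ~ line can only remove types from what earlier lines allowed. Also "(see examples below)" points at a single example paragraph; "(see the example below)" reads better.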
@@ -1162,7 +1164,16 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390 and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), - <varname>NoNewPrivileges=yes</varname> is implied. </para></listitem> + <varname>NoNewPrivileges=yes</varname> is implied.</para> + + <para>Example: if a unit has the following, + <programlisting>RestrictNamespaces=cgroup ipc +RestrictNamespaces=cgroup net</programlisting> + then <constant>cgroup</constant>, <constant>ipc</constant>, and <constant>net</constant> are set. + If the second line is prefixed with <literal>~</literal>, e.g., + <programlisting>RestrictNamespaces=cgroup ipc +RestrictNamespaces=~cgroup net</programlisting> + then, only <constant>ipc</constant> is set.</para></listitem> </varlistentry> <varlistentry> |
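Review bot: "are set" in the added example is ambiguous for a whitelisting option; "are the namespace types the unit is permitted to use" (and "only ipc is permitted" for the second case) makes the sandboxing effect explicit. The example also leaves open whether the result depends on line order, i.e. what a ~-prefixed line followed by an unprefixed one yields, which is exactly the case a reader combining a hardened unit with a drop-in will hit; one sentence on that would close the gap. Minor: drop the stray comma in "then, only <constant>ipc</constant> is set."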