diff options
author | Luca Boccassi <bluca@debian.org> | 2022-03-12 21:16:32 +0000 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2022-03-18 10:09:56 +0100 |
commit | 1219bd430675b09a89de3c235a76e12c6d68276a (patch) | |
tree | db8be97008da33c63c2601f9c9bb3e65204e6a9f /man/systemd.exec.xml | |
parent | 4355c04fef3e5217944e481456ce9c3839f66fda (diff) | |
download | systemd-1219bd430675b09a89de3c235a76e12c6d68276a.tar.gz |
Add tests and documentation for all remaining sandboxing in user manager
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 42 |
1 files changed, 23 insertions, 19 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f182919673..6f1fa6338a 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -143,7 +143,9 @@ <title>Mounting logging sockets into root environment</title> <programlisting>BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout</programlisting> - </example></listitem> + </example> + + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -480,7 +482,9 @@ <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> <para>Note that usage from user units requires overlayfs support in unprivileged user namespaces, - which was first introduced in kernel v5.11.</para></listitem> + which was first introduced in kernel v5.11.</para> + + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> </variablelist> </refsect1> @@ -625,7 +629,7 @@ <refsect1> <title>Capabilities</title> - <xi:include href="system-only.xml" xpointer="plural"/> + <xi:include href="system-or-user-ns.xml" xpointer="plural"/> <variablelist class='unit-directives'> @@ -1254,7 +1258,7 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all cases. In general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1508,7 +1512,7 @@ NoExecPaths=/ ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64 </programlisting></para> - <xi:include href="system-only.xml" xpointer="plural"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="plural"/></listitem> </varlistentry> <varlistentry> @@ -1533,7 +1537,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> then the invoked processes by the unit cannot see any files or directories under <filename>/var/</filename> except for <filename>/var/lib/systemd</filename> or its contents.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1561,7 +1565,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> available), and the unit should be written in a way that does not solely rely on this setting for security.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1595,7 +1599,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for security.</para> - <xi:include href="system-only.xml" xpointer="singular"/> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/> <para>When access to some but not all devices must be possible, the <varname>DeviceAllow=</varname> setting might be used instead. See @@ -1629,7 +1633,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> <varname>JoinsNamespaceOf=</varname> to listen on sockets inside of network namespaces of other services.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1648,7 +1652,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> <para>When this option is used on a socket unit any sockets bound on behalf of this unit will be bound within the specified network namespace.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1679,7 +1683,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> not available), and the unit should be written in a way that does not solely rely on this setting for security.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1695,7 +1699,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> <varname>IPCNamespacePath=</varname> configured, as otherwise the network namespace of those units is reused.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1749,7 +1753,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> capability (e.g. services for which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1766,7 +1770,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> doesn't have the <constant>CAP_SYS_ADMIN</constant> capability (e.g. services for which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1790,7 +1794,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> inaccessible. If <varname>ProtectKernelTunables=</varname> is set, <varname>MountAPIVFS=yes</varname> is implied.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1811,7 +1815,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> but the unit doesn't have the <constant>CAP_SYS_ADMIN</constant> capability (e.g. services for which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -1830,7 +1834,7 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> capability (e.g. services for which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -2134,7 +2138,7 @@ RestrictNamespaces=~cgroup net</programlisting> option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are used.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> <varlistentry> @@ -2164,7 +2168,7 @@ RestrictNamespaces=~cgroup net</programlisting> <para>Usually, it is best to leave this setting unmodified, and use higher level file system namespacing options instead, in particular <varname>PrivateMounts=</varname>, see above.</para> - <xi:include href="system-only.xml" xpointer="singular"/></listitem> + <xi:include href="system-or-user-ns.xml" xpointer="singular"/></listitem> </varlistentry> </variablelist> |