author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>, 2021-09-08 15:46:17 +0200
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>, 2021-09-27 09:19:02 +0200
commit: a14e028e869739021482c86ef3aeb861b0342dd4
tree: 4cb4d13a48efca79be6d62fcbf1185189b622bda /man/systemd.resource-control.xml
parent: ce0458be09911e75bfd3b4d802c9594c55a9c98d
man: cross-reference DeviceAllow= and PrivateDevices=
They are somewhat similar, but not easy to discover, esp. considering that they are described in different pages. For PrivateDevices=, split out the first paragraph that gives the high-level overview. (The giant second paragraph could also use some heavy editing to break it up into more digestible chunks, alas.)
Diffstat (limited to 'man/systemd.resource-control.xml')
-rw-r--r-- man/systemd.resource-control.xml 5
1 files changed, 5 insertions, 0 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index ea728dff33..b21f8575a0 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -928,6 +928,11 @@ RestrictNetworkInterfaces=~eth1</programlisting>
url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller</ulink>.
In the unified cgroup hierarchy this functionality is implemented using eBPF filtering.</para>
+ <para>When access to <emphasis>all</emphasis> physical devices should be disallowed,
+ <varname>PrivateDevices=</varname> may be used instead. See
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
<para>The device node specifier is either a path to a device node in the file system, starting with
<filename>/dev/</filename>, or a string starting with either <literal>char-</literal> or
<literal>block-</literal> followed by a device group name, as listed in
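Review bot: the added paragraph says PrivateDevices= "may be used instead", which reads as if the two settings were interchangeable, while the commit message describes them only as "somewhat similar". Since the surrounding text is about a device access list enforced through the cgroup controller or eBPF, a short clause saying how PrivateDevices= differs from that, or an explicit "see systemd.exec(5) for how it differs", would keep an administrator from assuming that swapping one for the other gives the same restriction. Placement is a second point: the new paragraph sits between the implementation note ending in "implemented using eBPF filtering" and the "The device node specifier is either a path" paragraph, so the cross-reference interrupts the DeviceAllow= description before the specifier syntax has been explained. Consider moving it after the specifier description. Minor style: the closing para tag is on a line of its own, which leaves trailing whitespace inside the paragraph; it could close directly after the citerefentry.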