| author | Luca Boccassi <bluca@debian.org> | 2023-01-15 18:54:16 +0000 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-01-18 17:59:43 +0000 |
| commit | f2af682cd6308f9b26035b83063e6aa8593e468c (patch) | |
| tree | daae756d5864fc7978122d242752087be2b1ca82 /man/systemd.resource-control.xml | |
| parent | db5310cfc19b5c7bd6aca840d652ee7d9b1ea649 (diff) | |
| download | systemd-f2af682cd6308f9b26035b83063e6aa8593e468c.tar.gz | |
man: note that cgroup-based sandboxing is not bypassed by '+'
DeviceAllow= and others are applied to the whole cgroup via bpf, so
using '+' on an Exec line will not bypass them. Explain this in the
manpage.
Fixes https://github.com/systemd/systemd/issues/26035
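The distinction the commit message draws, shown as an added unit-file example that is not part of the commit or the systemd documentation (the service name and device paths are made up for illustration): per-process sandboxing such as `User=` and `PrivateDevices=` is skipped for an Exec line prefixed with `+`, but `DeviceAllow=`, `IPAddressDeny=`, `SocketBindDeny=` and `RestrictNetworkInterfaces=` are attached to the unit's cgroup via BPF and therefore still apply to that process.

```ini
# example-sandboxed.service (constructed example, not shipped by systemd)
[Unit]
Description=Illustrates which sandboxing a '+' Exec prefix does and does not bypass

[Service]
# Per-process restrictions: NOT applied to commands prefixed with '+'.
User=nobody
PrivateDevices=yes
CapabilityBoundingSet=

# cgroup-scoped restrictions: enforced by BPF on the whole cgroup, so they
# DO apply to the '+' command below as well.
DeviceAllow=char-pts rw
IPAddressDeny=any
SocketBindDeny=any
RestrictNetworkInterfaces=lo

# Runs as root with the full bounding set and a real /dev, but still cannot
# open devices outside DeviceAllow=, make IP connections, or bind sockets.
ExecStartPre=+/usr/local/bin/prepare-state

# Runs under the full per-process sandbox plus the cgroup restrictions.
ExecStart=/usr/local/bin/example-daemon
```

The practical consequence for defenders is that the cgroup-based settings are the ones to rely on when a unit legitimately needs a privileged `+` helper step, because they cannot be opted out of per command line.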
Diffstat (limited to 'man/systemd.resource-control.xml')
-rw-r--r-- | man/systemd.resource-control.xml | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index a74a401ef7..4b19b18231 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -638,6 +638,8 @@ support is not enabled in the underlying kernel or container manager). These settings will have no effect in that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on them for IP security.</para> + + <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/> </listitem> </varlistentry> @@ -814,6 +816,8 @@ SocketBindDeny=any SocketBindAllow=ipv4:udp:10000-65535 SocketBindDeny=any …</programlisting></para> + + <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/> </listitem> </varlistentry> @@ -860,6 +864,8 @@ RestrictNetworkInterfaces=eth1 eth2 RestrictNetworkInterfaces=~eth1</programlisting> Programs in the unit will be only able to use the eth2 network interface. </para> + + <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/> </listitem> </varlistentry> @@ -912,6 +918,7 @@ DeviceAllow=block-loop DeviceAllow=/dev/loop-control …</programlisting></para> + <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/> </listitem> </varlistentry> @@ -956,6 +963,8 @@ DeviceAllow=/dev/loop-control </listitem> </varlistentry> </variablelist> + + <xi:include href="cgroup-sandboxing.xml" xpointer="singular"/> </listitem> </varlistentry> |
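Review bot: every hunk adds `<xi:include href="cgroup-sandboxing.xml" xpointer="singular"/>`, which requires man/cgroup-sandboxing.xml to exist and to define an element with id "singular"; that file is outside the diffstat shown here (limited to man/systemd.resource-control.xml), so the commit should be checked to confirm it adds that file in the same change, otherwise the manpage XML build fails on the unresolved include.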
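Review bot: the DeviceAllow= hunk (`@@ -912,6 +918,7 @@`) adds only the `<xi:include .../>` line, while the other four hunks add an empty line before the include (`+` followed by `+ <xi:include ...`); adding the same blank line after `…</programlisting></para>` there would keep the spacing consistent across all five sections.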