author | Topi Miettinen <toiwoton@gmail.com> | 2021-01-22 17:14:50 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-05-26 17:42:39 +0200 |
commit | d8e3c31bd8e307c8defc759424298175aa0f7001 (patch) | |
tree | 620d60e2dadc2e7d4cc19a74c39c1373f6259d64 /man | |
parent | aa6dc3ec337b04308a5dfe3b962fa88088b2c82e (diff) | |
download | systemd-d8e3c31bd8e307c8defc759424298175aa0f7001.tar.gz |
Mount all fs nosuid when NoNewPrivileges=yes
When `NoNewPrivileges=yes`, the service shouldn't have a need for any
setuid/setgid programs, so in case there will be a new mount namespace anyway,
mount the file systems with MS_NOSUID.
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.exec.xml | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 893b56d93a..96d18dd93b 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -675,9 +675,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> <varname>SystemCallArchitectures=</varname>, <varname>SystemCallFilter=</varname>, or <varname>SystemCallLog=</varname> are specified. Note that even if this setting is overridden - by them, <command>systemctl show</command> shows the original value of this setting. Also see - <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New - Privileges Flag</ulink>.</para></listitem> + by them, <command>systemctl show</command> shows the original value of this setting. In case the + service will be run in a new mount namespace anyway, all file systems are mounted with MS_NOSUID + flag. Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html"> + No New Privileges Flag</ulink>.</para></listitem> </varlistentry> <varlistentry> |
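Review bot: The added sentence "In case the service will be run in a new mount namespace anyway, all file systems are mounted with MS_NOSUID flag" does not say what causes a new mount namespace, so a reader cannot tell from this entry whether their unit is affected. Please name or cross-reference the settings that trigger one. Because the sentence directly follows the note about this setting being implied or overridden by `SystemCallArchitectures=`, `SystemCallFilter=` and `SystemCallLog=`, it should also state whether the nosuid mounting applies in that implied case or only when `NoNewPrivileges=yes` is set explicitly. Two style points in the same lines: write "with the <constant>MS_NOSUID</constant> flag" (article and markup), and keep the link text on the same line as the opening `<ulink ...>` tag, since the re-wrap now puts a line break and indentation inside the element ahead of "No New Privileges Flag".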