author: Djalal Harouni <tixxdz@opendz.org> 2016-09-19 21:46:17 +0200
committer: Djalal Harouni <tixxdz@opendz.org> 2016-09-25 11:25:31 +0200
commit: e778185bb55320e8242b57c19079377fe33e01bc
tree: 8e23eb46c2e826740dcbba313585537dd50ddbfb
parent: 2652c6c10394623b2c3e2ed5d4616c85918d140c
doc: documentation fixes for ReadWritePaths= and ProtectKernelTunables=
Documentation fixes for ReadWritePaths= and ProtectKernelTunables= as reported by Evgeny Vereshchagin.
-rw-r--r-- man/systemd.exec.xml | 26
1 files changed, 13 insertions, 13 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 403aa471c8..79ceee3ec0 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -897,14 +897,14 @@
in which case all paths listed will have limited access from within the namespace. If the empty string is
assigned to this option, the specific list is reset, and all prior assignments have no effect.</para>
- <para>Paths in <varname>ReadOnlyPaths=</varname> and <varname>InaccessiblePaths=</varname> may be prefixed with
- <literal>-</literal>, in which case they will be ignored when they do not exist. Note that using this setting
- will disconnect propagation of mounts from the service to the host (propagation in the opposite direction
- continues to work). This means that this setting may not be used for services which shall be able to install
- mount points in the main mount namespace. Note that the effect of these settings may be undone by privileged
- processes. In order to set up an effective sandboxed environment for a unit it is thus recommended to combine
- these settings with either <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or
- <varname>SystemCallFilter=~@mount</varname>.</para></listitem>
+ <para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname> and
+ <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be ignored
+ when they do not exist. Note that using this setting will disconnect propagation of mounts from the service to
+ the host (propagation in the opposite direction continues to work). This means that this setting may not be used
+ for services which shall be able to install mount points in the main mount namespace. Note that the effect of
+ these settings may be undone by privileged processes. In order to set up an effective sandboxed environment for
+ a unit it is thus recommended to combine these settings with either
+ <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or <varname>SystemCallFilter=~@mount</varname>.</para></listitem>
</varlistentry>
<varlistentry>
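Review bot: the rewritten <para> now names three directives (ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=) but the following sentences still alternate between the singular "this setting" ("Note that using this setting will disconnect propagation", "this setting may not be used") and the plural "these settings" ("the effect of these settings may be undone", "combine these settings with"), which leaves it unclear whether the mount-propagation caveat applies to each directive individually or to the group. Suggest using the plural consistently, e.g. "Note that using any of these settings will disconnect propagation of mounts from the service to the host" and "This means that these settings may not be used for services which shall be able to install mount points in the main mount namespace", so the sandboxing caveat and the recommended CapabilityBoundingSet=~CAP_SYS_ADMIN / SystemCallFilter=~@mount pairing clearly cover ReadWritePaths= as well.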
@@ -1025,11 +1025,11 @@
<term><varname>ProtectKernelTunables=</varname></term>
<listitem><para>Takes a boolean argument. If true, kernel variables accessible through
- <filename>/proc/sys</filename> and <filename>/sys</filename> will be made read-only to all processes of the
- unit. Usually, tunable kernel variables should only be written at boot-time, with the
- <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> mechanism. Almost
- no services need to write to these at runtime; it is hence recommended to turn this on for most services. For
- this setting the same restrictions regarding mount propagation and privileges apply as for
+ <filename>/proc/sys</filename>, <filename>/sys</filename> and <filename>/proc/sysrq-trigger</filename> will be
+ made read-only to all processes of the unit. Usually, tunable kernel variables should only be written at
+ boot-time, with the <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ mechanism. Almost no services need to write to these at runtime; it is hence recommended to turn this on for
+ most services. For this setting the same restrictions regarding mount propagation and privileges apply as for
<varname>ReadOnlyPaths=</varname> and related calls, see above. Defaults to off.</para></listitem>
</varlistentry>
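Review bot: in the new sentence "kernel variables accessible through <filename>/proc/sys</filename>, <filename>/sys</filename> and <filename>/proc/sysrq-trigger</filename> will be made read-only", <filename>/proc/sysrq-trigger</filename> is a single control file rather than a tree of kernel variables, so folding it into the same list makes the sentence read as though tunables live under it. Suggest separating it, e.g. "kernel variables accessible through <filename>/proc/sys</filename> and <filename>/sys</filename>, as well as <filename>/proc/sysrq-trigger</filename>, will be made read-only to all processes of the unit", and the closing "Defaults to off." could usefully sit next to the recommendation to enable it for most services so readers do not miss that the protection is opt-in.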