| author | Lennart Poettering <lennart@poettering.net> | 2017-02-21 17:48:59 +0100 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2017-02-21 21:55:43 +0100 | 
| commit | 525872bfab49ce44390a29f322816ae951a4bc38 (patch) | |
| tree | be751d460ead5ef1aa9e2691182bb8564b34422d | |
| parent | f5b84de2abbb48b33c710ec76c8b2f59e90386ae (diff) | |
man: document that ProtectKernelTunables= and ProtectControlGroups= imply MountAPIVFS=
See: #5384
-rw-r--r-- man/systemd.exec.xml | 25
1 files changed, 14 insertions, 11 deletions
| diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index edeced56b5..5d4986b6bf 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1151,16 +1151,18 @@          <filename>/proc/sys</filename>, <filename>/sys</filename>, <filename>/proc/sysrq-trigger</filename>,          <filename>/proc/latency_stats</filename>, <filename>/proc/acpi</filename>,          <filename>/proc/timer_stats</filename>, <filename>/proc/fs</filename> and <filename>/proc/irq</filename> will -        be made read-only to all processes of the unit. Usually, tunable kernel variables should only be written at -        boot-time, with the <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> -        mechanism. Almost no services need to write to these at runtime; it is hence recommended to turn this on for -        most services. For this setting the same restrictions regarding mount propagation and privileges apply as for -        <varname>ReadOnlyPaths=</varname> and related calls, see above. Defaults to off. -        If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> -        capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> -        is implied. Note that this option does not prevent kernel tuning through IPC interfaces -        and external programs. However <varname>InaccessiblePaths=</varname> can be used to -        make some IPC file system objects inaccessible.</para></listitem> +        be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at +        boot-time, for example with the +        <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> mechanism. Few +        services need to write to these at runtime; it is hence recommended to turn this on for most services. For this +        setting the same restrictions regarding mount propagation and privileges apply as for +        <varname>ReadOnlyPaths=</varname> and related calls, see above. Defaults to off.  
If turned on and if running +        in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g.  services +        for which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied. Note that this +        option does not prevent indirect changes to kernel tunables effected by IPC calls to other processes. However, +        <varname>InaccessiblePaths=</varname> may be used to make relevant IPC file system objects inaccessible. If +        <varname>ProtectKernelTunables=</varname> is set, <varname>MountAPIVFS=yes</varname> is +        implied.</para></listitem>        </varlistentry>        <varlistentry> @@ -1196,7 +1198,8 @@          unit. Except for container managers no services should require write access to the control groups hierarchies;          it is hence recommended to turn this on for most services. For this setting the same restrictions regarding          mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see -        above. Defaults to off.</para></listitem> +        above. Defaults to off. If <varname>ProtectControlGroups=</varname> is set, <varname>MountAPIVFS=yes</varname> is +        implied.</para></listitem>        </varlistentry>        <varlistentry> | 
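Review bot: In the first hunk (ProtectKernelTunables=), the new text contains double spaces in "Defaults to off.  If turned on" and "(e.g.  services", which the surrounding paragraph does not use; DocBook collapses them, but the source should stay consistent with the rest of the file. The hunk also rewords sentences unrelated to the stated purpose of the commit (the sysctl.d wording and the sentence about IPC interfaces becoming "indirect changes to kernel tunables effected by IPC calls to other processes"), while the commit message only mentions documenting the MountAPIVFS= implication; either mention the rewording in the commit message or keep it in a separate change so the behavioural documentation change stays easy to find in history.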
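Review bot: The second hunk (ProtectControlGroups=) adds the sentence "If ProtectControlGroups= is set, MountAPIVFS=yes is implied." with the same wording as the first hunk, which is good for consistency, but neither entry says why the private API VFS is required, and the implication is documented only from the side of the two Protect*= options. Consider adding a short clause on the reason and a matching note in the MountAPIVFS= entry listing the options that imply it, so a reader checking MountAPIVFS= sees that enabling ProtectKernelTunables= or ProtectControlGroups= changes the unit's mount setup.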
