author: Djalal Harouni <tixxdz@opendz.org>, 2016-09-19 21:46:17 +0200
committer: Djalal Harouni <tixxdz@opendz.org>, 2016-09-25 11:25:44 +0200
commit: 9221aec8d09f3b55a08fcbe8012e48129474ab54
tree: d07983152c25db7d9c35dea662f7eb087949873c /man/systemd.exec.xml
parent: e778185bb55320e8242b57c19079377fe33e01bc
doc: explicitly document that /dev/mem and /dev/port are blocked by PrivateDevices=true
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml 7
1 files changed, 4 insertions, 3 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 79ceee3ec0..a3a431c82b 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -931,9 +931,10 @@
<listitem><para>Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and
only adds API pseudo devices such as <filename>/dev/null</filename>, <filename>/dev/zero</filename> or
<filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, but no physical devices such as
- <filename>/dev/sda</filename>. This is useful to securely turn off physical device access by the executed
- process. Defaults to false. Enabling this option will also remove <constant>CAP_MKNOD</constant> from the
- capability bounding set for the unit (see above), and set <varname>DevicePolicy=closed</varname> (see
+ <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, system ports
+ <filename>/dev/port</filename> and others. This is useful to securely turn off physical device access by the
+ executed process. Defaults to false. Enabling this option will also remove <constant>CAP_MKNOD</constant> from
+ the capability bounding set for the unit (see above), and set <varname>DevicePolicy=closed</varname> (see
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). Note that using this setting will disconnect propagation of mounts from the service to the host
(propagation in the opposite direction continues to work). This means that this setting may not be used for
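Review bot: The added text "system memory <filename>/dev/mem</filename>, system ports <filename>/dev/port</filename> and others" is appended to the list that begins "no physical devices such as", so /dev/mem and /dev/port read as further examples of physical devices, and the trailing "and others" leaves the covered set open-ended. The commit subject says these nodes are "blocked", while the paragraph only says they are not added to the new /dev namespace. Consider giving them their own sentence that states the nodes are absent from the private /dev, placed next to the existing statement that CAP_MKNOD is removed from the bounding set and DevicePolicy=closed is set, so a reader hardening a unit can see which mechanisms the guarantee rests on. Dropping "and others", or replacing it with a pointer to where the full list of retained nodes is defined, would also make the sentence checkable.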