diff options
| author | Lennart Poettering <lennart@poettering.net> | 2011-08-02 05:24:58 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2011-08-02 05:24:58 +0200 |
| commit | ff01d048b4c1455241c894cf7982662c9d28fd34 (patch) | |
| tree | 025e54f24e3e4879898e4be84b4e082367902f6a /man/systemd.exec.xml | |
| parent | 4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16 (diff) | |
exec: introduce PrivateNetwork= process option to turn off network access to specific services
Diffstat (limited to 'man/systemd.exec.xml')
| -rw-r--r-- | man/systemd.exec.xml | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 99a91b3dfa..d28417da1c 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -783,9 +783,9 @@ <term><varname>PrivateTmp=</varname></term> <listitem><para>Takes a boolean - argument. If true sets up a new - namespace for the executed processes - and mounts a private + argument. If true sets up a new file + system namespace for the executed + processes and mounts a private <filename>/tmp</filename> directory inside it, that is not shared by processes outside of the @@ -794,7 +794,25 @@ process, but makes sharing between processes via <filename>/tmp</filename> - impossible. Defaults to false.</para></listitem> + impossible. Defaults to + false.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateNetwork=</varname></term> + + <listitem><para>Takes a boolean + argument. If true sets up a new + network namespace for the executed + processes and configures only the + loopback network device + <literal>lo</literal> inside it. No + other network devices will be + available to the executed process. + This is useful to securely turn off + network access by the executed + process. Defaults to + false.</para></listitem> </varlistentry> <varlistentry> |