author | Lennart Poettering <lennart@poettering.net> | 2014-01-20 19:54:51 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-01-20 21:28:37 +0100 |
commit | 7f112f50fea585411ea2d493b3582bea77eb4d6e (patch) | |
tree | 2c670344aa6be9fff8bf4538d2e188bf280ecde3 /man/systemd.exec.xml | |
parent | 3540c7f88fd4b860d3d6d0e931ddb7cd91bc559a (diff) |
exec: introduce PrivateDevices= switch to provide services with a private /dev
Similar to PrivateNetwork= and PrivateTmp=, introduce PrivateDevices=, which
sets up a private /dev with only the API pseudo-devices like /dev/null,
/dev/zero and /dev/random, but no physical devices in it.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 610c821dc0..7eaf52bc5b 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -895,6 +895,24 @@ </varlistentry> <varlistentry> + <term><varname>PrivateDevices=</varname></term> + + <listitem><para>Takes a boolean + argument. If true, sets up a new /dev + namespace for the executed processes + and only adds API pseudo devices such + as <filename>/dev/null</filename>, + <filename>/dev/zero</filename> or + <filename>/dev/random</filename> to + it, but no physical devices such as + <filename>/dev/sda</filename>. This is + useful to securely turn off physical + device access by the executed + process. Defaults to + false.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>MountFlags=</varname></term> <listitem><para>Takes a mount |
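Review bot: the new `PrivateDevices=` entry says it "sets up a new /dev namespace", but Linux has no /dev namespace type; the isolation described (a /dev populated only with API pseudo-devices, no physical devices) is a private mount of /dev inside a new mount namespace. Consider wording it as "sets up a new mount namespace with a private /dev for the executed processes" so readers understand which kernel mechanism is involved and why the setting is documented next to `MountFlags=`, which controls propagation in that namespace. The commit message also relates the option to `PrivateNetwork=` and `PrivateTmp=`; a cross-reference to those two entries in the `<listitem>` would help operators who are choosing between the sandboxing switches, and the list of pseudo-devices ("such as /dev/null, /dev/zero or /dev/random") could say explicitly that it is illustrative rather than the complete set that gets created.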