diff options
| author | Lennart Poettering <lennart@poettering.net> | 2012-05-24 04:00:56 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2012-05-24 04:00:56 +0200 |
| commit | ec8927ca5940e809f0b72f530582c76f1db4f065 (patch) | |
| tree | b230d2458088a82b879afc39a2752d5fc674974e /man/systemd.exec.xml | |
| parent | e056b01d8acea7fc06d52ef91d227d744faf5259 (diff) | |
main: add configuration option to alter capability bounding set for PID 1
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
Diffstat (limited to 'man/systemd.exec.xml')
| -rw-r--r-- | man/systemd.exec.xml | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 219733be37..0dc2ed48b5 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -678,17 +678,17 @@ is prefixed with ~ all but the listed capabilities will be included, the effect of the assignment - inverted. Note that this option does - not actually set or unset any - capabilities in the effective, - permitted or inherited capability - sets. That's what - <varname>Capabilities=</varname> is - for. If this option is not used the + inverted. Note that this option also + effects the respective capabilities in + the effective, permitted and + inheritable capability sets, on top of + what <varname>Capabilities=</varname> + does. If this option is not used the capability bounding set is not modified on process execution, hence no limits on the capabilities of the - process are enforced.</para></listitem> + process are + enforced.</para></listitem> </varlistentry> <varlistentry> |