author | Alessandro Puccetti <alessandro@kinvolk.io> | 2016-07-06 09:48:58 +0200 |
---|---|---|
committer | Alessandro Puccetti <alessandro@kinvolk.io> | 2016-07-19 17:22:02 +0200 |
commit | c4b41707462a74eb7008e8d12a0b4d0a0c09bff4 (patch) | |
tree | ff6991bfe6b79f53d501c061792cc428a8a38910 /man | |
parent | 14eb41b2a45f0ab56b06054c7bc40c3613b23e82 (diff) |
namespace: unify limit behavior on non-directory paths
Despite the name, `Read{Write,Only}Directories=` already allows for
regular file paths to be masked. This commit adds the same behavior
to `InaccessibleDirectories=` and makes it explicit in the doc.
This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}`
{file,device}nodes and mounts on the appropriate one the paths specified
in `InaccessibleDirectories=`.
Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.exec.xml | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index ed02666daf..e982333434 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -855,24 +855,26 @@ <listitem><para>Sets up a new file system namespace for executed processes. These options may be used to limit access a process might have to the main file system hierarchy. Each - setting takes a space-separated list of directory paths relative to + setting takes a space-separated list of paths relative to the host's root directory (i.e. the system running the service manager). - Directories listed in + Note that if entries contain symlinks, they are resolved from the host's root directory as well. + Entries (files or directories) listed in <varname>ReadWriteDirectories=</varname> are accessible from within the namespace with the same access rights as from - outside. Directories listed in + outside. Entries listed in <varname>ReadOnlyDirectories=</varname> are accessible for reading only, writing will be refused even if the usual file - access controls would permit this. Directories listed in + access controls would permit this. Entries listed in <varname>InaccessibleDirectories=</varname> will be made inaccessible for processes inside the namespace, and may not countain any other mountpoints, including those specified by <varname>ReadWriteDirectories=</varname> or <varname>ReadOnlyDirectories=</varname>. Note that restricting access with these options does not extend - to submounts of a directory that are created later on. These + to submounts of a directory that are created later on. + Non-directory paths can be specified as well. These options may be specified more than once, in which case all - directories listed will have limited access from within the + paths listed will have limited access from within the namespace. If the empty string is assigned to this option, the specific list is reset, and all prior assignments have no effect.</para> |
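Review bot: The added sentence "Non-directory paths can be specified as well." lands between the submount caveat and "These options may be specified more than once", where it breaks the flow and repeats what "Entries (files or directories) listed in" already states earlier in the same paragraph. Consider dropping it, or folding it into the opening sentence, for example "takes a space-separated list of paths (files or directories) relative to". Two nearby points are worth handling in the same patch: the InaccessibleDirectories= text still says entries "may not countain any other mountpoints" (typo in the context line, and the restriction only makes sense for directory entries, which the text could say), and the submount caveat still speaks only of "submounts of a directory". The new symlink note would also help readers more if it stated the consequence for the service, namely that the path restricted is the resolved target as seen from the host's root, not the link itself.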