author | Lennart Poettering <lennart@poettering.net> | 2011-08-02 05:24:58 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2011-08-02 05:24:58 +0200 |
commit | ff01d048b4c1455241c894cf7982662c9d28fd34 (patch) | |
tree | 025e54f24e3e4879898e4be84b4e082367902f6a /man | |
parent | 4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16 (diff) |
exec: introduce PrivateNetwork= process option to turn off network access to specific services
Diffstat (limited to 'man')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | man/systemd-nspawn.xml | 2 |
| -rw-r--r-- | man/systemd.exec.xml | 26 |

2 files changed, 23 insertions, 5 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 490c6c2cd5..6a0d21f0a5 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -155,7 +155,7 @@ </varlistentry> <varlistentry> - <term><option>--no-net</option></term> + <term><option>--private-network</option></term> <listitem><para>Turn off networking in the container. This makes all network diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 99a91b3dfa..d28417da1c 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -783,9 +783,9 @@ <term><varname>PrivateTmp=</varname></term> <listitem><para>Takes a boolean - argument. If true sets up a new - namespace for the executed processes - and mounts a private + argument. If true sets up a new file + system namespace for the executed + processes and mounts a private <filename>/tmp</filename> directory inside it, that is not shared by processes outside of the @@ -794,7 +794,25 @@ process, but makes sharing between processes via <filename>/tmp</filename> - impossible. Defaults to false.</para></listitem> + impossible. Defaults to + false.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateNetwork=</varname></term> + + <listitem><para>Takes a boolean + argument. If true sets up a new + network namespace for the executed + processes and configures only the + loopback network device + <literal>lo</literal> inside it. No + other network devices will be + available to the executed process. + This is useful to securely turn off + network access by the executed + process. Defaults to + false.</para></listitem> </varlistentry> <varlistentry> |
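Review bot: renaming `--no-net` to `--private-network` in the systemd-nspawn.xml hunk silently breaks any existing script or unit that still passes `--no-net`, and the man page gives no hint that the name changed; either keep `--no-net` as a documented compatibility alias or add a short note in the description saying the option was formerly called `--no-net`.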
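Review bot: the reworded PrivateTmp= paragraph in the first systemd.exec.xml hunk reads "If true sets up a new file system namespace for the executed processes"; a comma after "If true" (here and in the new PrivateNetwork= text, which copies the same phrasing) would make it parse on first reading, since "true sets up" otherwise looks like a subject and verb.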
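Review bot: the new PrivateNetwork= entry in the second systemd.exec.xml hunk claims the option is "useful to securely turn off network access by the executed process", but a fresh network namespace with only `lo` does not cut every channel: AF_UNIX sockets in the file system remain reachable, and any socket the service manager already opened and passes down (socket activation) keeps working across the namespace boundary. Suggest qualifying the sentence, e.g. "turn off access to network devices; sockets inherited from the manager and AF_UNIX sockets on the file system are unaffected", and stating whether `lo` is brought up inside the namespace or merely present, since "configures only the loopback network device" leaves that open.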