diff options
author | Lennart Poettering <lennart@poettering.net> | 2012-05-24 04:00:56 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2012-05-24 04:00:56 +0200 |
commit | ec8927ca5940e809f0b72f530582c76f1db4f065 (patch) | |
tree | b230d2458088a82b879afc39a2752d5fc674974e /man | |
parent | e056b01d8acea7fc06d52ef91d227d744faf5259 (diff) |
main: add configuration option to alter capability bounding set for PID 1
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.conf.xml | 45 | ||||
-rw-r--r-- | man/systemd.exec.xml | 16 |
2 files changed, 50 insertions, 11 deletions
diff --git a/man/systemd.conf.xml b/man/systemd.conf.xml index 7dfaa18c18..2659f9ab7b 100644 --- a/man/systemd.conf.xml +++ b/man/systemd.conf.xml @@ -184,6 +184,38 @@ </varlistentry> <varlistentry> + <term><varname>CapabilityBoundingSet=</varname></term> + + <listitem><para>Controls which + capabilities to include in the + capability bounding set for PID 1 and + its children. See + <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details. Takes a whitespace + separated list of capability names as + read by + <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + Capabilities listed will be included + in the bounding set, all others are + removed. If the list of capabilities + is prefixed with ~ all but the listed + capabilities will be included, the + effect of the assignment + inverted. Note that this option also + effects the respective capabilities in + the effective, permitted and + inheritable capability sets. The + capability bounding set may also be + individually configured for units + using the + <varname>CapabilityBoundingSet=</varname> + directive for units, but note that + capabilities dropped for PID 1 cannot + be regained in individual units, they + are lost for good.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>DefaultLimitCPU=</varname></term> <term><varname>DefaultLimitFSIZE=</varname></term> <term><varname>DefaultLimitDATA=</varname></term> @@ -200,14 +232,21 @@ <term><varname>DefaultLimitNICE=</varname></term> <term><varname>DefaultLimitRTPRIO=</varname></term> <term><varname>DefaultLimitRTTIME=</varname></term> + <listitem><para>These settings control - various default resource limits for units. See + various default resource limits for + units. See <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details. Use the string <varname>infinity</varname> to configure no limit on a specific - resource. They can be overriden in units files - using corresponding LimitXXXX parameter.</para></listitem> + resource. These settings may be + overriden in individual units + using the corresponding LimitXXX= + directives. Note that these resource + limits are only defaults for units, + they are not applied to PID 1 + itself.</para></listitem> </varlistentry> </variablelist> </refsect1> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 219733be37..0dc2ed48b5 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -678,17 +678,17 @@ is prefixed with ~ all but the listed capabilities will be included, the effect of the assignment - inverted. Note that this option does - not actually set or unset any - capabilities in the effective, - permitted or inherited capability - sets. That's what - <varname>Capabilities=</varname> is - for. If this option is not used the + inverted. Note that this option also + effects the respective capabilities in + the effective, permitted and + inheritable capability sets, on top of + what <varname>Capabilities=</varname> + does. If this option is not used the capability bounding set is not modified on process execution, hence no limits on the capabilities of the - process are enforced.</para></listitem> + process are + enforced.</para></listitem> </varlistentry> <varlistentry> |