namespace: Make private /dev noexec and readonly (#3263)

Private /dev will not be managed by udev or others, so we can make it noexec and readonly after we have made all device nodes. As /dev/shm needs to be writable, we can't use bind_remount_recursive().
author: topimiettinen <topimiettinen@users.noreply.github.com> 2016-05-16 02:34:05 +0000
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2016-05-15 22:34:05 -0400
commit: 737ba3c82c71c15de498f63527d264dc996ffa11 (patch)
tree: 6db341e8a8664cd71a665a8d483ac44cf67b44b0 /man
parent: 80f524a4c973654c5d82bf15598466b2f96a487d (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 2a93760428..3cf6de8256 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -933,7 +933,10 @@
         (propagation in the opposite direction continues to work).
         This means that this setting may not be used for services
         which shall be able to install mount points in the main mount
-        namespace.</para></listitem>
+        namespace. The /dev namespace will be mounted read-only and 'noexec'.
+        The latter may break old programs which try to set up executable
+        memory by using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        of <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
author	topimiettinen <topimiettinen@users.noreply.github.com>	2016-05-16 02:34:05 +0000
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2016-05-15 22:34:05 -0400
commit	737ba3c82c71c15de498f63527d264dc996ffa11 (patch)
tree	6db341e8a8664cd71a665a8d483ac44cf67b44b0 /man
parent	80f524a4c973654c5d82bf15598466b2f96a487d (diff)