summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
authorDjalal Harouni <tixxdz@opendz.org>2016-10-12 14:11:16 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-10-12 14:11:16 +0200
commitc575770b75b6cd15684fbacd249147bf5fd6ead7 (patch)
tree1dbde008e50d9ab2780168dd26ead86a762959dc /man
parentac246d9868bd476297e2702e0a7ef52294f9cfa8 (diff)
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules=
Lets go further and make /lib/modules/ inaccessible for services that do not have business with modules, this is a minor improvment but it may help on setups with custom modules and they are limited... in regard of kernel auto-load feature. This change introduce NameSpaceInfo struct which we may embed later inside ExecContext but for now lets just reduce the argument number to setup_namespace() and merge ProtectKernelModules feature.
Diffstat (limited to 'man')
-rw-r--r--man/systemd.exec.xml5
1 files changed, 4 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 4a68695348..249fcb0363 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1415,7 +1415,10 @@
kernels. It is recomended to turn this on for most services that do not need special
file systems or extra kernel modules to work. Default to off. Enabling this option
removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
- the unit, and installs a system call filter to block module system calls.
+ the unit, and installs a system call filter to block module system calls,
+ also <filename>/usr/lib/modules</filename> is made inaccessible. For this
+ setting the same restrictions regarding mount propagation and privileges
+ apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
Note that limited automatic module loading due to user configuration or kernel
mapping tables might still happen as side effect of requested user operations,
both privileged and unprivileged. To disable module auto-load feature please see