author: Lennart Poettering <lennart@poettering.net> 2016-08-22 18:43:59 +0200
committer: Djalal Harouni <tixxdz@opendz.org> 2016-09-25 10:18:48 +0200
commit: 59eeb84ba65483c5543d1bc840c2ac75642ef638 (patch)
tree: 2195a40c7daf3575a8a7500bc8a82412056688ab /man
parent: 72246c2a654ead7f7ee6e7799161e2e46dc0b84b (diff)
core: add two new service settings ProtectKernelTunables= and ProtectControlGroups=
If enabled, these will block write access to /sys, /proc/sys and /proc/sys/fs/cgroup.
Diffstat (limited to 'man')
-rw-r--r-- man/systemd.exec.xml 20
1 files changed, 20 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index bcedebd5bb..07128b489e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1060,6 +1060,26 @@
</varlistentry>
<varlistentry>
+ <term><varname>ProtectKernelTunables=</varname></term>
+
+ <listitem><para>Takes a boolean argument. If true, kernel variables accessible through
+ <filename>/proc/sys</filename> and <filename>/sys</filename> will be made read-only to all processes of the
+ unit. Usually, tunable kernel variables should only be written at boot-time, with the
+ <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> mechanism. Almost
+ no services need to write to these at runtime; it is hence recommended to turn this on for most
+ services. Defaults to off.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>ProtectControlGroups=</varname></term>
+
+ <listitem><para>Takes a boolean argument. If true, the Linux Control Groups ("cgroups") hierarchies accessible
+ through <filename>/sys/fs/cgroup</filename> will be made read-only to all processes of the unit. Except for
+ container managers no services should require write access to the control groups hierarchies; it is hence
+ recommended to turn this on for most services. Defaults to off.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>MountFlags=</varname></term>
<listitem><para>Takes a mount propagation flag:
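Review bot: the two new entries leave the overlap between the settings undocumented: the ProtectKernelTunables= paragraph says all of <filename>/sys</filename> is made read-only, which already contains <filename>/sys/fs/cgroup</filename>, yet the ProtectControlGroups= paragraph presents the cgroup hierarchy as a separate decision (container managers excepted). State in the ProtectControlGroups= text whether it is independent of ProtectKernelTunables=, i.e. whether a container manager that must write to the cgroup tree needs both settings off. Separately, the commit message says write access is blocked to "/proc/sys/fs/cgroup", while the documentation correctly names <filename>/sys/fs/cgroup</filename>; the message should be corrected to match the documented path.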