summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-03-19 22:26:08 +0100
committerLennart Poettering <lennart@poettering.net>2014-03-19 22:26:08 +0100
commit907afa0682c8d6f00937b11b04be6b8a26a3cd41 (patch)
treeafe57d48b166105ca09037241bd1f5b4569d4ee1 /man
parent7d711efb9c6fd6d025cb688aa8317ce6a78db711 (diff)
man: improve documentation of fs namespace related settings
Diffstat (limited to 'man')
-rw-r--r--man/systemd.exec.xml105
1 files changed, 72 insertions, 33 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 90d36f9b57..784b48fff4 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -837,7 +837,15 @@
may be prefixed with
<literal>-</literal>, in which case
they will be ignored when they do not
- exist.</para></listitem>
+ exist. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.</para></listitem>
</varlistentry>
<varlistentry>
@@ -857,18 +865,61 @@
processes via
<filename>/tmp</filename> or
<filename>/var/tmp</filename>
- impossible. All temporary data created
- by service will be removed after
- the service is stopped. Defaults to
- false. Note that it is possible to run
- two or more units within the same
- private <filename>/tmp</filename> and
+ impossible. If this is enabled all
+ temporary files created by a service
+ in these directories will be removed
+ after the service is stopped. Defaults
+ to false. It is possible to run two or
+ more units within the same private
+ <filename>/tmp</filename> and
<filename>/var/tmp</filename>
namespace by using the
<varname>JoinsNamespaceOf=</varname>
directive, see
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to install
+ mount points in the main mount
+ namespace.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>PrivateDevices=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true, sets up a new /dev
+ namespace for the executed processes
+ and only adds API pseudo devices such
+ as <filename>/dev/null</filename>,
+ <filename>/dev/zero</filename> or
+ <filename>/dev/random</filename> (as
+ well as the pseudo TTY subsystem) to
+ it, but no physical devices such as
+ <filename>/dev/sda</filename>. This is
+ useful to securely turn off physical
+ device access by the executed
+ process. Defaults to false. Enabling
+ this option will also remove
+ <constant>CAP_MKNOD</constant> from
+ the capability bounding set for the
+ unit (see above), and set
+ <varname>DevicePolicy=closed</varname>
+ (see
+ <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for details). Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.</para></listitem>
</varlistentry>
<varlistentry>
@@ -884,35 +935,23 @@
available to the executed process.
This is useful to securely turn off
network access by the executed
- process. Defaults to false. Note that
- it is possible to run two or more
- units within the same private network
+ process. Defaults to false. It is
+ possible to run two or more units
+ within the same private network
namespace by using the
<varname>JoinsNamespaceOf=</varname>
directive, see
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- for details.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>PrivateDevices=</varname></term>
-
- <listitem><para>Takes a boolean
- argument. If true, sets up a new /dev
- namespace for the executed processes
- and only adds API pseudo devices such
- as <filename>/dev/null</filename>,
- <filename>/dev/zero</filename> or
- <filename>/dev/random</filename> to
- it, but no physical devices such as
- <filename>/dev/sda</filename>. This is
- useful to securely turn off physical
- device access by the executed
- process. Defaults to false. Note that
- enabling this option implies that
- <constant>CAP_MKNOD</constant> is
- removed from the capability bounding
- set for the unit.</para></listitem>
+ for details. Note that this option
+ will disconnect all socket families
+ from the host, this includes
+ AF_NETLINK and AF_UNIX. The latter has
+ the effect that AF_UNIX sockets in the
+ abstract socket namespace will become
+ unavailable to the processes (however,
+ those located in the file system will
+ continue to be
+ accessible).</para></listitem>
</varlistentry>
<varlistentry>