diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:28:52 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:28:52 +0100 |
commit | f513e420c8b1a1d4c13092cd378f048b69793497 (patch) | |
tree | 8bc6f9e42cec765ca4bc7f1b769177e9a3fb1016 /man | |
parent | 9c423fbf2a11bf9c936017c0f1e06ea2e4e82a40 (diff) |
exec: imply NoNewPriviliges= only when seccomp filters are used in user mode
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.exec.xml | 59 |
1 files changed, 33 insertions, 26 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 413d81d330..9224f1ef3d 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1010,8 +1010,8 @@ <varlistentry> <term><varname>SystemCallFilter=</varname></term> - <listitem><para>Takes a space-separated - list of system call + <listitem><para>Takes a + space-separated list of system call names. If this setting is used, all system calls executed by the unit processes except for the listed ones @@ -1023,12 +1023,13 @@ the effect is inverted: only the listed system calls will result in immediate process termination - (blacklisting). If this option is used, + (blacklisting). If running in user + mode and this option is used, <varname>NoNewPrivileges=yes</varname> - is implied. This feature makes use of - the Secure Computing Mode 2 interfaces - of the kernel ('seccomp filtering') - and is useful for enforcing a minimal + is implied. This feature makes use of the + Secure Computing Mode 2 interfaces of + the kernel ('seccomp filtering') and + is useful for enforcing a minimal sandboxing environment. Note that the <function>execve</function>, <function>rt_sigreturn</function>, @@ -1096,28 +1097,31 @@ <constant>x86</constant>, <constant>x86-64</constant>, <constant>x32</constant>, - <constant>arm</constant> as well as the - special identifier - <constant>native</constant>. Only system - calls of the specified architectures - will be permitted to processes of this - unit. This is an effective way to - disable compatibility with non-native - architectures for processes, for - example to prohibit execution of - 32-bit x86 binaries on 64-bit x86-64 - systems. The special + <constant>arm</constant> as well as + the special identifier + <constant>native</constant>. Only + system calls of the specified + architectures will be permitted to + processes of this unit. This is an + effective way to disable compatibility + with non-native architectures for + processes, for example to prohibit + execution of 32-bit x86 binaries on + 64-bit x86-64 systems. The special <constant>native</constant> identifier implicitly maps to the native architecture of the system (or more strictly: to the architecture the - system manager is compiled for). Note - that setting this option to a - non-empty list implies that - <constant>native</constant> is included - too. By default, this option is set to - the empty list, i.e. no architecture - system call filtering is + system manager is compiled for). If + running in user mode and this option + is used, + <varname>NoNewPrivileges=yes</varname> + is implied. Note that setting this + option to a non-empty list implies + that <constant>native</constant> is + included too. By default, this option + is set to the empty list, i.e. no + architecture system call filtering is applied.</para></listitem> </varlistentry> @@ -1149,7 +1153,10 @@ sockets only) are unaffected. Note that this option has no effect on 32bit x86 and is ignored (but works - correctly on x86-64). By default no + correctly on x86-64). If running in user + mode and this option is used, + <varname>NoNewPrivileges=yes</varname> + is implied. By default no restriction applies, all address families are accessible to processes. If assigned the empty |