diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-08 19:54:21 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-11-08 19:54:21 -0500 |
commit | d85a0f802851e79efdb09acaa1ce517f7127ad28 (patch) | |
tree | 609c7aa9f807b3a74e0f23e3d4eed3f1e2454ea2 /man | |
parent | a809cee58249cc2f42222f1ab5d4746d634c2668 (diff) | |
parent | add005357d535681c7075ced8eec2b6e61b43728 (diff) |
Merge pull request #4536 from poettering/seccomp-namespaces
core: add new RestrictNamespaces= unit file setting
Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.exec.xml | 50 |
1 files changed, 34 insertions, 16 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 0973f4047a..3b39a9c912 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1234,22 +1234,16 @@ <varlistentry> <term><varname>NoNewPrivileges=</varname></term> - <listitem><para>Takes a boolean argument. If true, ensures that the service - process and all its children can never gain new privileges through - <function>execve</function> (e.g. via setuid or setgid bits, or filesystem - capabilities). This is the simplest and most effective way to ensure that - a process and its children can never elevate privileges again. Defaults to false, - but in the user manager instance certain settings force - <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. - This is the case when <varname>SystemCallFilter=</varname>, - <varname>SystemCallArchitectures=</varname>, - <varname>RestrictAddressFamilies=</varname>, - <varname>PrivateDevices=</varname>, - <varname>ProtectKernelTunables=</varname>, - <varname>ProtectKernelModules=</varname>, - <varname>MemoryDenyWriteExecute=</varname>, or - <varname>RestrictRealtime=</varname> are specified. - </para></listitem> + <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can + never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem + capabilities). This is the simplest and most effective way to ensure that a process and its children can never + elevate privileges again. Defaults to false, but in the user manager instance certain settings force + <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. This is the case when + <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>, + <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>, + <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, + <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or + <varname>RestrictRealtime=</varname> are specified.</para></listitem> </varlistentry> <varlistentry> @@ -1468,6 +1462,30 @@ </varlistentry> <varlistentry> + <term><varname>RestrictNamespaces=</varname></term> + + <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details + about Linux namespaces, see + <citerefentry><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either takes a + boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no + restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is + prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of + any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>, + <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any + namespace type listed is made accessible to the unit's processes, access to namespace types not listed is + prohibited (whitelisting). By prepending the list with a single tilda character (<literal>~</literal>) the + effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are + permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied, + which is equivalent to false. Internally, this setting limits access to the + <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and + <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking + the specified flags parameters into account. Note that — if this option is used — in addition to restricting + creation and switching of the specified types of namespaces (or all of them, if true) access to the + <function>setns()</function> system call with a zero flags parameter is prohibited.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>ProtectKernelModules=</varname></term> <listitem><para>Takes a boolean argument. If true, explicit module loading will |