exec: introduce PrivateNetwork= process option to turn off network access to specific services

author: Lennart Poettering <lennart@poettering.net> 2011-08-02 05:24:58 +0200
committer: Lennart Poettering <lennart@poettering.net> 2011-08-02 05:24:58 +0200
commit: ff01d048b4c1455241c894cf7982662c9d28fd34 (patch)
tree: 025e54f24e3e4879898e4be84b4e082367902f6a /man
parent: 4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16 (diff)
2 files changed, 23 insertions, 5 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 490c6c2cd5..6a0d21f0a5 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -155,7 +155,7 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><option>--no-net</option></term>
+                                <term><option>--private-network</option></term>
 
                                 <listitem><para>Turn off networking in
                                 the container. This makes all network
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 99a91b3dfa..d28417da1c 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -783,9 +783,9 @@
                                 <term><varname>PrivateTmp=</varname></term>
 
                                 <listitem><para>Takes a boolean
-                                argument. If true sets up a new
-                                namespace for the executed processes
-                                and mounts a private
+                                argument. If true sets up a new file
+                                system namespace for the executed
+                                processes and mounts a private
                                 <filename>/tmp</filename> directory
                                 inside it, that is not shared by
                                 processes outside of the
@@ -794,7 +794,25 @@
                                 process, but makes sharing between
                                 processes via
                                 <filename>/tmp</filename>
-                                impossible. Defaults to false.</para></listitem>
+                                impossible. Defaults to
+                                false.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>PrivateNetwork=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true sets up a new
+                                network namespace for the executed
+                                processes and configures only the
+                                loopback network device
+                                <literal>lo</literal> inside it. No
+                                other network devices will be
+                                available to the executed process.
+                                This is useful to securely turn off
+                                network access by the executed
+                                process. Defaults to
+                                false.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
author	Lennart Poettering <lennart@poettering.net>	2011-08-02 05:24:58 +0200
committer	Lennart Poettering <lennart@poettering.net>	2011-08-02 05:24:58 +0200
commit	ff01d048b4c1455241c894cf7982662c9d28fd34 (patch)
tree	025e54f24e3e4879898e4be84b4e082367902f6a /man
parent	4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16 (diff)