summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
authorDjalal Harouni <tixxdz@opendz.org>2016-10-12 13:31:21 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-10-12 13:31:21 +0200
commit502d704e5ed2d288069471f4e3611115cde107d6 (patch)
tree4f477c49d4ce8b979479735bcc4f4043b2df111b /man
parent18e51a022c632344c4a48ba6ccb3475fad2a2c3b (diff)
core:sandbox: Add ProtectKernelModules= option
This is useful to turn off explicit module load and unload operations on modular kernels. This option removes CAP_SYS_MODULE from the capability bounding set for the unit, and installs a system call filter to block module system calls. This option will not prevent the kernel from loading modules using the module auto-load feature which is a system wide operation.
Diffstat (limited to 'man')
-rw-r--r--man/systemd.exec.xml17
1 files changed, 17 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 986985ad35..3bea4976b3 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1405,6 +1405,23 @@
</varlistentry>
<varlistentry>
+ <term><varname>ProtectKernelModules=</varname></term>
+
+ <listitem><para>Takes a boolean argument. If true, explicit module loading will
+ be denied. This allows to turn off module load and unload operations on modular
+ kernels. It is recomended to turn this on for most services that do not need special
+ file systems or extra kernel modules to work. Default to off. Enabling this option
+ removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
+ the unit, and installs a system call filter to block module system calls.
+ Note that limited automatic module loading due to user configuration or kernel
+ mapping tables might still happen as side effect of requested user operations,
+ both privileged and unprivileged. To disable module auto-load feature please see
+ <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <constant>kernel.modules_disabled</constant> mechanism and
+ <filename>/proc/sys/kernel/modules_disabled</filename> documentation.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>Personality=</varname></term>
<listitem><para>Controls which kernel architecture <citerefentry