author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2016-11-17 19:40:57 -0500
committer: GitHub <noreply@github.com> 2016-11-17 19:40:57 -0500
commit: 9a4550e2589bddb12cea93693b83211d805444e1 (patch)
tree: e3ffb3520b9ff878dc870bb1dbf2e2cf49270256 /man
parent: a1e45b8ba3b8695d02cc12b42c46af6066f59766 (diff)
parent: 0c426957d8dfe061a6d39c84d5d1071acd807747 (diff)
Merge pull request #4671 from poettering/namespace-bind
rework service namespace handling a bit
Diffstat (limited to 'man')
-rw-r--r--  man/systemd.exec.xml  20
1 files changed, 13 insertions, 7 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f85dbb4cda..2ea4a53d18 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -952,13 +952,19 @@
assigned to this option, the specific list is reset, and all prior assignments have no effect.</para>
<para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname> and
- <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be ignored
- when they do not exist. Note that using this setting will disconnect propagation of mounts from the service to
- the host (propagation in the opposite direction continues to work). This means that this setting may not be used
- for services which shall be able to install mount points in the main mount namespace. Note that the effect of
- these settings may be undone by privileged processes. In order to set up an effective sandboxed environment for
- a unit it is thus recommended to combine these settings with either
- <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or <varname>SystemCallFilter=~@mount</varname>.</para></listitem>
+ <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be
+ ignored when they do not exist. If prefixed with <literal>+</literal> the paths are taken relative to the root
+ directory of the unit, as configured with <varname>RootDirectory=</varname>, instead of relative to the root
+ directory of the host (see above). When combining <literal>-</literal> and <literal>+</literal> on the same
+ path make sure to specify <literal>-</literal> first, and <literal>+</literal> second.</para>
+
+ <para>Note that using this setting will disconnect propagation of mounts from the service to the host
+ (propagation in the opposite direction continues to work). This means that this setting may not be used for
+ services which shall be able to install mount points in the main mount namespace. Note that the effect of these
+ settings may be undone by privileged processes. In order to set up an effective sandboxed environment for a
+ unit it is thus recommended to combine these settings with either
+ <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or
+ <varname>SystemCallFilter=~@mount</varname>.</para></listitem>
</varlistentry>
<varlistentry>
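Review bot: the new sentence about combining <literal>-</literal> and <literal>+</literal> on the same path states the required order ("-" first, "+" second) but not the consequence of getting it wrong; the text should say whether a reversed prefix such as `+-/path` is rejected at unit load time or silently parsed as a path whose name starts with `-`, and a one-line example like `ReadOnlyPaths=-+/etc/foo` would make the accepted syntax unambiguous. The phrase "relative to the root directory of the host (see above)" is also a loose cross-reference; name the option or paragraph it points at so a reader of the rendered page can find it.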