-rw-r--r--man/systemd.exec.xml3
-rw-r--r--src/core/namespace.c4
2 files changed, 3 insertions, 4 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index d426ac0899..c5bb55c556 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -941,8 +941,7 @@
argument or
<literal>full</literal>. If true,
mounts the <filename>/usr</filename>
- and <filename>/boot</filename>
- directories read-only for processes
+ directory read-only for processes
invoked by this unit. If set to
<literal>full</literal> the
<filename>/etc</filename> is mounted
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 080c086fd4..b6deab7081 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -357,7 +357,7 @@ int setup_namespace(
strv_length(inaccessible_dirs) +
private_dev +
(protect_home != PROTECT_HOME_NO ? 2 : 0) +
- (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
+ (protect_system != PROTECT_SYSTEM_NO ? 1 : 0) +
(protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
if (n > 0) {
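Review bot: The mount count on the new line `(protect_system != PROTECT_SYSTEM_NO ? 1 : 0) +` is derived by hand from the STRV_MAKE lists in the second hunk (line 399), so the two sites must be kept in lock-step and nothing in the code says so; the commit gets it right (one entry for /usr, one more for /etc under "full"), but the next edit to either list can silently under-allocate. A comment at the count would make the coupling explicit, e.g. `/* one entry per path passed to append_mounts() for protect_system below — keep in sync */`. Note also that dropping "-/boot" (the leading '-' presumably marks the mount as optional; confirm against append_mounts) means units with ProtectSystem= now retain write access to /boot, which is a hardening reduction that the man-page hunk documents only by omission; a short sentence in the description stating why /boot is no longer covered would help downstream reviewers. setup_namespace() starts and ends outside both hunks.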
@@ -399,7 +399,7 @@ int setup_namespace(
}
if (protect_system != PROTECT_SYSTEM_NO) {
- r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc", "-/boot") : STRV_MAKE("/usr", "-/boot"), READONLY);
+ r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc") : STRV_MAKE("/usr"), READONLY);
if (r < 0)
return r;
}