-rw-r--r-- | man/systemd.exec.xml | 105 |
1 files changed, 72 insertions, 33 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 90d36f9b57..784b48fff4 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -837,7 +837,15 @@ may be prefixed with <literal>-</literal>, in which case they will be ignored when they do not - exist.</para></listitem> + exist. Note that using this + setting will disconnect propagation of + mounts from the service to the host + (propagation in the opposite direction + continues to work). This means that + this setting may not be used for + services which shall be able to + install mount points in the main mount + namespace.</para></listitem> </varlistentry> <varlistentry> 
@@ -857,18 +865,61 @@ processes via <filename>/tmp</filename> or <filename>/var/tmp</filename> - impossible. All temporary data created - by service will be removed after - the service is stopped. Defaults to - false. Note that it is possible to run - two or more units within the same - private <filename>/tmp</filename> and + impossible. If this is enabled all + temporary files created by a service + in these directories will be removed + after the service is stopped. Defaults + to false. It is possible to run two or + more units within the same private + <filename>/tmp</filename> and <filename>/var/tmp</filename> namespace by using the <varname>JoinsNamespaceOf=</varname> directive, see <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details.</para></listitem> + for details. Note that using this + setting will disconnect propagation of + mounts from the service to the host + (propagation in the opposite direction + continues to work). This means that + this setting may not be used for + services which shall be able to install + mount points in the main mount + namespace.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateDevices=</varname></term> + + <listitem><para>Takes a boolean + argument. If true, sets up a new /dev + namespace for the executed processes + and only adds API pseudo devices such + as <filename>/dev/null</filename>, + <filename>/dev/zero</filename> or + <filename>/dev/random</filename> (as + well as the pseudo TTY subsystem) to + it, but no physical devices such as + <filename>/dev/sda</filename>. This is + useful to securely turn off physical + device access by the executed + process. Defaults to false. 
Enabling + this option will also remove + <constant>CAP_MKNOD</constant> from + the capability bounding set for the + unit (see above), and set + <varname>DevicePolicy=closed</varname> + (see + <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for details). Note that using this + setting will disconnect propagation of + mounts from the service to the host + (propagation in the opposite direction + continues to work). This means that + this setting may not be used for + services which shall be able to + install mount points in the main mount + namespace.</para></listitem> </varlistentry> <varlistentry> 
@@ -884,35 +935,23 @@ available to the executed process. This is useful to securely turn off network access by the executed - process. Defaults to false. Note that - it is possible to run two or more - units within the same private network + process. Defaults to false. It is + possible to run two or more units + within the same private network namespace by using the <varname>JoinsNamespaceOf=</varname> directive, see <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>PrivateDevices=</varname></term> - - <listitem><para>Takes a boolean - argument. If true, sets up a new /dev - namespace for the executed processes - and only adds API pseudo devices such - as <filename>/dev/null</filename>, - <filename>/dev/zero</filename> or - <filename>/dev/random</filename> to - it, but no physical devices such as - <filename>/dev/sda</filename>. This is - useful to securely turn off physical - device access by the executed - process. Defaults to false. Note that - enabling this option implies that - <constant>CAP_MKNOD</constant> is - removed from the capability bounding - set for the unit.</para></listitem> + for details. Note that this option + will disconnect all socket families + from the host, this includes + AF_NETLINK and AF_UNIX. The latter has + the effect that AF_UNIX sockets in the + abstract socket namespace will become + unavailable to the processes (however, + those located in the file system will + continue to be + accessible).</para></listitem> </varlistentry> <varlistentry> |
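Review bot: the mount-propagation note added at the end of the @@ -837 hunk ("Note that using this setting will disconnect propagation of mounts from the service to the host ...") states the consequence without its cause, which leaves readers guessing why a directory list would affect mount propagation; say that the setting requires a private mount namespace for the service, e.g. "Note that this setting requires a private mount namespace for the service, which disconnects propagation of mounts from the service to the host (propagation in the opposite direction continues to work)." The same paragraph is then pasted verbatim into the PrivateTmp= and PrivateDevices= entries in the following hunk; stating it once and referring to it from the other two entries would keep the three copies from drifting apart in later edits.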
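Review bot: in the new PrivateDevices= entry in the @@ -857 hunk, the sentence "Enabling this option will also remove CAP_MKNOD from the capability bounding set for the unit (see above), and set DevicePolicy=closed" does not say what happens when the unit also sets CapabilityBoundingSet= or DevicePolicy= explicitly (whether the explicit value or the implied one takes precedence), which is exactly what an administrator hardening a unit needs to know; and "(see above)" should name the setting, the way the DevicePolicy= reference names its setting and man page. Suggest: "Enabling this option also removes CAP_MKNOD from the capability bounding set for the unit (see CapabilityBoundingSet= above) and sets DevicePolicy=closed (see systemd.resource-control(5) for details)", followed by one sentence on how an explicit setting of either directive interacts with the implied value.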
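Review bot: the new PrivateNetwork= note in the @@ -884 hunk ("Note that this option will disconnect all socket families from the host, this includes AF_NETLINK and AF_UNIX") is a comma splice and overstates the effect, since the same sentence goes on to say that AF_UNIX sockets in the file system remain reachable. Suggest: "Note that this option disconnects the service from the host's sockets of all families, including AF_NETLINK and AF_UNIX; for AF_UNIX this means that sockets in the abstract socket namespace become unavailable to the processes, while sockets located in the file system continue to be accessible." Stated that way the security-relevant distinction (abstract namespace versus file-system path) is the sentence's main clause rather than a parenthetical.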