summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
Diffstat (limited to 'man')
-rw-r--r--man/systemd.exec.xml48
1 files changed, 48 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c04db12e3b..6e55d8dfcf 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1091,6 +1091,54 @@
shell pipelines.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>NoNewPrivileges=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true ensures that the
+ service process and all its children
+ can never gain new privileges. This
+ option is more powerful than the respective
+ secure bits flags (see above), as it
+ also prohibits UID changes of any
+ kind. This is the simplest, most
+ effective way to ensure that a process
+ and its children can never elevate
+ privileges again.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SystemCallFilter=</varname></term>
+
+ <listitem><para>Takes a space
+ separated list of system call
+ names. If this setting is used all
+ system calls executed by the unit
+ process except for the listed ones
+ will result in immediate process
+ termination with the SIGSYS signal
+ (whitelisting). If the first character
+ of the list is <literal>~</literal>
+ the effect is inverted: only the
+ listed system calls will result in
+ immediate process termination
+ (blacklisting). If this option is used
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. This feature makes use of
+ the Secure Computing Mode 2 interfaces
+ of the kernel ('seccomp filtering')
+ and is useful for enforcing a minimal
+ sandboxing environment. Note that the
+ <function>execve</function>,
+ <function>rt_sigreturn</function>,
+ <function>sigreturn</function>,
+ <function>exit_group</function>,
+ <function>exit</function> system calls
+ are implicitly whitelisted and don't
+ need to be listed
+ explicitly.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>