From d6797c920e9eb70f46a893c00fdd9ecb86d15f84 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 6 Jun 2014 11:42:25 +0200 Subject: namespace: beef up read-only bind mount logic Instead of blindly creating another bind mount for read-only mounts, check if there's already one we can use, and if so, use it. Also, recursively mark all submounts read-only too. Also, ignore autofs mounts when remounting read-only unless they are already triggered. --- man/systemd.exec.xml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) (limited to 'man/systemd.exec.xml') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index c5bb55c556..c419424d9d 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -777,8 +777,8 @@ ReadOnlyDirectories= InaccessibleDirectories= - Sets up a new - file system namespace for executed + Sets up a new file + system namespace for executed processes. These options may be used to limit access a process might have to the main file system @@ -799,16 +799,14 @@ processes inside the namespace. Note that restricting access with these options does not extend to submounts - of a directory. You must list - submounts separately in these settings - to ensure the same limited - access. These options may be specified + of a directory that are created later + on. These options may be specified more than once in which case all directories listed will have limited access from within the namespace. If the empty string is assigned to this - option, the specific list is reset, and - all prior assignments have no + option, the specific list is reset, + and all prior assignments have no effect. Paths in ReadOnlyDirectories= -- cgit v1.2.3-54-g00ecf