From ff01d048b4c1455241c894cf7982662c9d28fd34 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 2 Aug 2011 05:24:58 +0200
Subject: exec: introduce PrivateNetwork= process option to turn off network access to specific services
---
 man/systemd.exec.xml | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
(limited to 'man/systemd.exec.xml')
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 99a91b3dfa..d28417da1c 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -783,9 +783,9 @@ PrivateTmp= Takes a boolean
- argument. If true sets up a new
- namespace for the executed processes
- and mounts a private
+ argument. If true sets up a new file
+ system namespace for the executed
+ processes and mounts a private
 /tmp directory inside it, that is not shared by processes outside of the
@@ -794,7 +794,25 @@ process, but makes sharing between processes via /tmp
- impossible. Defaults to false.
+ impossible. Defaults to
+ false.
+
+
+ PrivateNetwork=
+
+ Takes a boolean
+ argument. If true sets up a new
+ network namespace for the executed
+ processes and configures only the
+ loopback network device
+ lo inside it. No
+ other network devices will be
+ available to the executed process.
+ This is useful to securely turn off
+ network access by the executed
+ process. Defaults to
+ false.
-- cgit v1.2.3-54-g00ecf