From 8351ceaea9480d9c2979aa2ff0f4982cfdfef58d Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 17 Jul 2012 04:17:53 +0200 Subject: execute: support syscall filtering using seccomp filters --- man/systemd.exec.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index c04db12e3b..6e55d8dfcf 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1091,6 +1091,54 @@ shell pipelines. + + NoNewPrivileges= + + Takes a boolean + argument. If true ensures that the + service process and all its children + can never gain new privileges. This + option is more powerful than the respective + secure bits flags (see above), as it + also prohibits UID changes of any + kind. This is the simplest, most + effective way to ensure that a process + and its children can never elevate + privileges again. + + + + SystemCallFilter= + + Takes a space + separated list of system call + names. If this setting is used all + system calls executed by the unit + process except for the listed ones + will result in immediate process + termination with the SIGSYS signal + (whitelisting). If the first character + of the list is ~ + the effect is inverted: only the + listed system calls will result in + immediate process termination + (blacklisting). If this option is used + NoNewPrivileges=yes + is implied. This feature makes use of + the Secure Computing Mode 2 interfaces + of the kernel ('seccomp filtering') + and is useful for enforcing a minimal + sandboxing environment. Note that the + execve, + rt_sigreturn, + sigreturn, + exit_group, + exit system calls + are implicitly whitelisted and don't + need to be listed + explicitly. + + -- cgit v1.2.3-54-g00ecf