author: Lennart Poettering <lennart@poettering.net> 2018-05-24 16:49:13 +0200
committer: GitHub <noreply@github.com> 2018-05-24 16:49:13 +0200
commit: cdc0f9be925c79f52452938f39013062325da27a
tree: dfd01079f60ca2b6cc85baa298911a7bb375dae9 /man/systemd.exec.xml
parent: networkd: Support the ability to set MTU in [Route] sections
parent: man: fix merging rule for CapabilityBoundingSet=
Merge pull request #8817 from yuwata/cleanup-nsflags
core: allow to specify RestrictNamespaces= multiple times
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml | 17
1 files changed, 14 insertions, 3 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index fc12c2572..b21c5aa10 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -313,7 +313,7 @@
inverted. Note that this option also affects the respective capabilities in the effective, permitted and
inheritable capability sets. If this option is not used, the capability bounding set is not modified on process
execution, hence no limits on the capabilities of the process are enforced. This option may appear more than
- once, in which case the bounding sets are merged by <constant>AND</constant>, or by <constant>OR</constant> if
+ once, in which case the bounding sets are merged by <constant>OR</constant>, or by <constant>AND</constant> if
the lines are prefixed with <literal>~</literal> (see below). If the empty string is assigned to this option,
the bounding set is reset to the empty capability set, and all prior settings have no effect. If set to
<literal>~</literal> (without any further argument), the bounding set is reset to the full set of available
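Review bot: the corrected sentence names the merge operator but not what the operator is applied to, and "merged by AND if the lines are prefixed with ~" reads as an intersection of the listed capability sets, while the ~ form removes the listed capabilities from whatever the earlier lines built (an AND with the complement of the list). Suggest rewording along the lines of "listed capabilities are added to the bounding set, or removed from it if the line is prefixed with ~" and stating that the lines are processed in order, so a later un-prefixed line can add capabilities back. Someone auditing a unit's bounding set has to read every CapabilityBoundingSet= line, not just the last, and the text should make that explicit.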
@@ -1152,7 +1152,9 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
prohibited (whitelisting). By prepending the list with a single tilde character (<literal>~</literal>) the
effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
- which is equivalent to false. Internally, this setting limits access to the
+ which is equivalent to false. This option may appear more than once, in which case the namespace types are
+ merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with
+ <literal>~</literal> (see examples below). Internally, this setting limits access to the
<citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
<citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
<citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
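Review bot: the new sentence says ~-prefixed lines are "merged by AND", but the example this hunk points to (below in the same file) has `RestrictNamespaces=cgroup ipc` followed by `RestrictNamespaces=~cgroup net` yielding only ipc; a literal AND of the two lists would give cgroup. The actual behaviour shown is subtraction of the listed types from the set built so far. Suggest wording it as "the listed namespace types are added to the permitted set, or removed from it if the line is prefixed with ~", mirroring whatever wording is used for CapabilityBoundingSet= in the hunk above, so the two options describe the same merge rule in the same terms.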
@@ -1162,7 +1164,16 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390
and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but
without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>),
- <varname>NoNewPrivileges=yes</varname> is implied. </para></listitem>
+ <varname>NoNewPrivileges=yes</varname> is implied.</para>
+
+ <para>Example: if a unit has the following,
+ <programlisting>RestrictNamespaces=cgroup ipc
+RestrictNamespaces=cgroup net</programlisting>
+ then <constant>cgroup</constant>, <constant>ipc</constant>, and <constant>net</constant> are set.
+ If the second line is prefixed with <literal>~</literal>, e.g.,
+ <programlisting>RestrictNamespaces=cgroup ipc
+RestrictNamespaces=~cgroup net</programlisting>
+ then, only <constant>ipc</constant> is set.</para></listitem>
</varlistentry>
<varlistentry>
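Review bot: "then cgroup, ipc, and net are set" and "then, only ipc is set" leave the security outcome implicit; per the whitelisting text earlier in this entry, "set" here means these are the only namespace types the unit may create, and every other type is refused. Suggest saying so directly, e.g. "then creation of cgroup, ipc and net namespaces is permitted and all other namespace types are blocked" and "then only ipc namespaces may be created", so a reader does not mistake the second example for a unit that merely loses access to cgroup and net. The example also only shows an un-prefixed line followed by a ~ line; a one-line remark on the reverse order (a ~ line first, then an un-prefixed one that adds types back) would close the obvious question, and the stray comma in "then, only" can go.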