author: Yu Watanabe <watanabe.yu+github@gmail.com> 2018-08-06 14:02:28 +0900
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2018-08-06 14:02:31 +0900
commit: fe65e88ba6ad876baf759461fd99162f706dd35e
tree: d628ea8cf900cee5b5143822a19dc07a7f62d1ba /man/systemd.exec.xml
parent: core: introduce cgroup_add_device_allow()
namespace: implicitly adds DeviceAllow= when RootImage= is set
RootImage= may require the following settings
```
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rwm
DeviceAllow=block-blkext rwm
```
This adds the following settings implicitly when RootImage= is specified.

Fixes #9737.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml 11
1 files changed, 10 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c898d226a..0b650fc67 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -124,7 +124,16 @@
partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single
Linux-compatible partition, or a set of file systems within a GPT partition table that follows the <ulink
url="https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable Partitions
- Specification</ulink>.</para></listitem>
+ Specification</ulink>.</para>
+
+ <para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or <literal>strict</literal>,
+ or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is set, then this setting adds
+ <filename>/dev/loop-control</filename> with <constant>rw</constant> mode, <literal>block-loop</literal> and
+ <literal>block-blkext</literal> with <constant>rwm</constant> mode to <varname>DeviceAllow=</varname>. See
+ <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>. Also, see
+ <varname>PrivateDevices=</varname> below, as it may change the setting of <varname>DevicePolicy=</varname>.
+ </para></listitem>
</varlistentry>
<varlistentry>
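Review bot: The new <para> under RootImage= does not say that the three entries are added implicitly, nor that they come on top of whatever DeviceAllow= the unit already lists, so someone auditing a unit with DevicePolicy=strict or closed gets no cue that RootImage= widens the device allow list with /dev/loop-control (rw) and the block-loop and block-blkext groups (rwm, which includes mknod). Suggest wording it as "this setting implicitly adds" and adding one sentence that the entries are in addition to the unit's own DeviceAllow= lines. The auto case is only half described: the text covers "set to auto and DeviceAllow= is set" but is silent on auto without DeviceAllow=; if nothing is added in that case, say so. Minor wording: "for the details about DevicePolicy= or DeviceAllow=" reads better as "for details about DevicePolicy= and DeviceAllow=".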