author | Lennart Poettering <lennart@poettering.net> | 2020-11-02 14:51:10 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-11-05 20:22:19 +0100 |
commit | ce8f6d478e3f6c6a313fb19615aa5029bb18f86d (patch) | |
tree | bd4d5d5c89d8f1a21ee734bd9d95c0192336ea84 /docs | |
parent | d72ff2df1ce6b1e7c0e599605d8840755a8657f4 (diff) | |
download | systemd-ce8f6d478e3f6c6a313fb19615aa5029bb18f86d.tar.gz |
seccomp: allow turning off of seccomp filtering via env var
Fixes: #17504
(While we are at it, also move $SYSTEMD_SECCOMP_LOG= env var description
into the right document section)
Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
Diffstat (limited to 'docs')
-rw-r--r-- | docs/ENVIRONMENT.md | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md index 38752c9169..74a71bba93 100644 --- a/docs/ENVIRONMENT.md +++ b/docs/ENVIRONMENT.md @@ -83,6 +83,13 @@ All tools: * `$SYSTEMD_RDRAND=0` — if set, the RDRAND instruction will never be used, even if the CPU supports it. +* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if + support for it is compiled in and available in the kernel. + +* `$SYSTEMD_LOG_SECCOMP=1` — if set, system calls blocked by seccomp filtering, + for example in systemd-nspawn, will be logged to the audit log, if the current + kernel version supports this. + systemctl: * `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID1's private D-Bus @@ -93,10 +100,6 @@ systemctl: * `$SYSTEMCTL_SKIP_SYSV=1` — if set, do not call out to SysV compatibility hooks. -* `$SYSTEMD_LOG_SECCOMP=1` — if set, system calls blocked by seccomp filtering, - for example in systemd-nspawn, will be logged to the audit log, if the current - kernel version supports this. - systemd-nspawn: * `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=1` — if set, force nspawn into unified |
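Review bot: In the first hunk (@@ -83,6 +83,13 @@, under "All tools:"), the new `$SYSTEMD_SECCOMP=0` entry says only that "seccomp filters will not be enforced" and does not say that setting it switches off a sandboxing mechanism for every tool that honors the variable. Suggest saying so explicitly and naming an example consumer, the way the `$SYSTEMD_LOG_SECCOMP=1` entry right below it mentions systemd-nspawn. Two wording points on the same entry: "support for it" has the plural "filters" as its antecedent ("support for seccomp" would read cleanly), and the separator after the variable name is an en dash where the neighbouring entries use an em dash.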
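Review bot: The commit message names the moved variable `$SYSTEMD_SECCOMP_LOG=`, but the entry that the second hunk (@@ -93,10 +100,6 @@) removes from the systemctl section, and that the first hunk re-adds under "All tools:", is `$SYSTEMD_LOG_SECCOMP=1`. Suggest correcting the name in the commit message so that searching the history for the documented variable finds this commit. The moved text itself is unchanged between the removed and added lines, so the relocation looks clean.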