author: Yu Watanabe <watanabe.yu+github@gmail.com> 2018-04-27 00:22:10 +0900
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2018-05-05 11:07:37 +0900
commit: 53255e53ce86efdb054c850669c666d8d30e3dbe (patch)
tree: a52993f9618e844b96de8f49e7d53e22dc090098 /man/systemd.exec.xml
parent: 1dcf96c29f28bb9cee4b5a1265bce594afa8a44e (diff)
man: mention that RestrictNamespaces= can be specified multiple times
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml 15
1 files changed, 13 insertions, 2 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 2d0e6772ce..eeac195a39 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1152,7 +1152,9 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
prohibited (whitelisting). By prepending the list with a single tilde character (<literal>~</literal>) the
effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
- which is equivalent to false. Internally, this setting limits access to the
+ which is equivalent to false. This option may appear more than once, in which case the namespace types are
+ merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with
+ <literal>~</literal> (see examples below). Internally, this setting limits access to the
<citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
<citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
<citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
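Review bot: "merged by <constant>AND</constant> if the lines are prefixed with <literal>~</literal>" on the three added lines describes the semantics imprecisely: a tilde-prefixed line removes its listed namespace types from the set accumulated so far, which is an AND with the complement (a set difference), not an intersection. The example added later in this same patch confirms this, since "cgroup ipc" followed by "~cgroup net" is said to leave only ipc, whereas a true intersection would leave cgroup. Suggest plain wording instead of the operator names, e.g. "This option may appear more than once, in which case the listed namespace types are added to the set, or removed from it if the line is prefixed with ~ (see examples below)." As a style point, <constant> is used elsewhere in this file for identifiers such as CAP_SYS_ADMIN, so wrapping the words OR and AND in it reads oddly.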
@@ -1162,7 +1164,16 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390
and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but
without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>),
- <varname>NoNewPrivileges=yes</varname> is implied. </para></listitem>
+ <varname>NoNewPrivileges=yes</varname> is implied.</para>
+
+ <para>Example: if a unit has the following,
+ <programlisting>RestrictNamespaces=cgroup ipc
+RestrictNamespaces=cgroup net</programlisting>
+ then <constant>cgroup</constant>, <constant>ipc</constant>, and <constant>net</constant> are set.
+ If the second line is prefixed with <literal>~</literal>, e.g.,
+ <programlisting>RestrictNamespaces=cgroup ipc
+RestrictNamespaces=~cgroup net</programlisting>
+ then, only <constant>ipc</constant> is set.</para></listitem>
</varlistentry>
<varlistentry>
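Review bot: in the new example paragraph, "are set" and "only ipc is set" leave it unclear whether cgroup, ipc and net end up accessible or prohibited; the text two paragraphs up defines an unprefixed list as whitelisting, so say "are permitted (all other namespace types are prohibited)" and "only ipc is permitted" to tie the example back to that definition. The comma in "then, only <constant>ipc</constant> is set" should be dropped. The example also covers only the case where the first line is unprefixed; a second case whose first line already carries ~ would show readers how the merge behaves when the initial assignment is itself inverted, which is the situation the OR/AND sentence above is hardest to apply to.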