X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=6e55d8dfcf87c62b279bcf4a07dd6f83bbfd0fe5;hp=c04db12e3bee1479fec8ac5be741de551934df4e;hb=8351ceaea9480d9c2979aa2ff0f4982cfdfef58d;hpb=cd96b3b86abb4a88cac2722bdfb6e5d4413f6831
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c04db12e3..6e55d8dfc 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1091,6 +1091,54 @@
shell pipelines.
+
+ NoNewPrivileges=
+
+ Takes a boolean
+ argument. If true ensures that the
+ service process and all its children
+ can never gain new privileges. This
+ option is more powerful than the respective
+ secure bits flags (see above), as it
+ also prohibits UID changes of any
+ kind. This is the simplest, most
+ effective way to ensure that a process
+ and its children can never elevate
+ privileges again.
+
+
+
+ SystemCallFilter=
+
+ Takes a space
+ separated list of system call
+ names. If this setting is used all
+ system calls executed by the unit
+ process except for the listed ones
+ will result in immediate process
+ termination with the SIGSYS signal
+ (whitelisting). If the first character
+ of the list is ~
+ the effect is inverted: only the
+ listed system calls will result in
+ immediate process termination
+ (blacklisting). If this option is used
+ NoNewPrivileges=yes
+ is implied. This feature makes use of
+ the Secure Computing Mode 2 interfaces
+ of the kernel ('seccomp filtering')
+ and is useful for enforcing a minimal
+ sandboxing environment. Note that the
+ execve,
+ rt_sigreturn,
+ sigreturn,
+ exit_group,
+ exit system calls
+ are implicitly whitelisted and don't
+ need to be listed
+ explicitly.
+
+