From 907afa0682c8d6f00937b11b04be6b8a26a3cd41 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 19 Mar 2014 22:26:08 +0100 Subject: [PATCH] man: improve documentation of fs namespace related settings --- man/systemd.exec.xml | 105 +++++++++++++++++++++++++++++-------------- 1 file changed, 72 insertions(+), 33 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 90d36f9b5..784b48fff 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -837,7 +837,15 @@ may be prefixed with -, in which case they will be ignored when they do not - exist. + exist. Note that using this + setting will disconnect propagation of + mounts from the service to the host + (propagation in the opposite direction + continues to work). This means that + this setting may not be used for + services which shall be able to + install mount points in the main mount + namespace. 
@@ -857,18 +865,61 @@ processes via /tmp or /var/tmp - impossible. All temporary data created - by service will be removed after - the service is stopped. Defaults to - false. Note that it is possible to run - two or more units within the same - private /tmp and + impossible. If this is enabled all + temporary files created by a service + in these directories will be removed + after the service is stopped. Defaults + to false. It is possible to run two or + more units within the same private + /tmp and /var/tmp namespace by using the JoinsNamespaceOf= directive, see systemd.unit5 - for details. + for details. Note that using this + setting will disconnect propagation of + mounts from the service to the host + (propagation in the opposite direction + continues to work). This means that + this setting may not be used for + services which shall be able to install + mount points in the main mount + namespace. + + + + PrivateDevices= + + Takes a boolean + argument. If true, sets up a new /dev + namespace for the executed processes + and only adds API pseudo devices such + as /dev/null, + /dev/zero or + /dev/random (as + well as the pseudo TTY subsystem) to + it, but no physical devices such as + /dev/sda. This is + useful to securely turn off physical + device access by the executed + process. Defaults to false. Enabling + this option will also remove + CAP_MKNOD from + the capability bounding set for the + unit (see above), and set + DevicePolicy=closed + (see + systemd.resource-control5 + for details). Note that using this + setting will disconnect propagation of + mounts from the service to the host + (propagation in the opposite direction + continues to work). This means that + this setting may not be used for + services which shall be able to + install mount points in the main mount + namespace. 
@@ -884,35 +935,23 @@ available to the executed process. This is useful to securely turn off network access by the executed - process. Defaults to false. Note that - it is possible to run two or more - units within the same private network + process. Defaults to false. It is + possible to run two or more units + within the same private network namespace by using the JoinsNamespaceOf= directive, see systemd.unit5 - for details. - - - - PrivateDevices= - - Takes a boolean - argument. If true, sets up a new /dev - namespace for the executed processes - and only adds API pseudo devices such - as /dev/null, - /dev/zero or - /dev/random to - it, but no physical devices such as - /dev/sda. This is - useful to securely turn off physical - device access by the executed - process. Defaults to false. Note that - enabling this option implies that - CAP_MKNOD is - removed from the capability bounding - set for the unit. + for details. Note that this option + will disconnect all socket families + from the host, this includes + AF_NETLINK and AF_UNIX. The latter has + the effect that AF_UNIX sockets in the + abstract socket namespace will become + unavailable to the processes (however, + those located in the file system will + continue to be + accessible). -- 2.30.2
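Review bot: The newly added mount-propagation paragraph in the first hunk ("Note that using this setting will disconnect propagation of mounts from the service to the host ...") is repeated word for word in the `PrivateTmp=` and `PrivateDevices=` entries of the second hunk, and the hunk context for the first occurrence does not make clear which directive "this setting" refers to, since the paragraph follows the shared sentence about the `-` prefix. Consider naming the directive explicitly in each copy, or stating the caveat once (for example in a section-level note that lists the settings that create a private mount namespace) and pointing the individual entries at it, so the three copies cannot drift apart in later edits. A short causal phrase such as "because it runs the service in a private mount namespace" would also help readers understand why propagation to the host stops, rather than just asserting that it does.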
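Review bot: In the `PrivateDevices=` entry added in the second hunk, the cross-reference "(see above)" for the capability bounding set and the new `DevicePolicy=closed` statement are good additions, but the sentence "This is useful to securely turn off physical device access by the executed process" now sits before the description of what the option actually does to the bounding set and device policy, so a reader may take "securely" to refer only to the `/dev` namespace. Suggest moving "Defaults to false." to the end of the paragraph and reordering so the three effects (private `/dev` with API pseudo devices and the pseudo TTY subsystem only, `CAP_MKNOD` removed, `DevicePolicy=closed`) are listed together before the "useful to securely turn off" conclusion.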
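Review bot: The new `PrivateNetwork=` text in the third hunk contains a comma splice: "Note that this option will disconnect all socket families from the host, this includes AF_NETLINK and AF_UNIX." Suggest "Note that this option disconnects all socket families from the host, including AF_NETLINK and AF_UNIX." The following sentence is the important one for administrators (abstract-namespace AF_UNIX sockets become unavailable while file-system sockets remain reachable) and could be tightened to "The latter means that AF_UNIX sockets in the abstract socket namespace become unavailable to the processes, whereas those located in the file system remain accessible." so the contrast between the two AF_UNIX cases is stated in one sentence.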