man: mention that ProtectSystem= also takes care of /efi
parent f46ba93944
commit 26b8190841
@ -891,10 +891,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
||||||
<term><varname>ProtectSystem=</varname></term>
|
<term><varname>ProtectSystem=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Takes a boolean argument or the special values <literal>full</literal> or
|
<listitem><para>Takes a boolean argument or the special values <literal>full</literal> or
|
||||||
<literal>strict</literal>. If true, mounts the <filename>/usr</filename> and <filename>/boot</filename>
|
<literal>strict</literal>. If true, mounts the <filename>/usr</filename> and the boot loader
|
||||||
directories read-only for processes invoked by this unit. If set to <literal>full</literal>, the
|
directories (<filename>/boot</filename> and <filename>/efi</filename>) read-only for processes
|
||||||
<filename>/etc</filename> directory is mounted read-only, too. If set to <literal>strict</literal> the entire
|
invoked by this unit. If set to <literal>full</literal>, the <filename>/etc</filename> directory is
|
||||||
file system hierarchy is mounted read-only, except for the API file system subtrees <filename>/dev</filename>,
|
mounted read-only, too. If set to <literal>strict</literal> the entire file system hierarchy is
|
||||||
|
mounted read-only, except for the API file system subtrees <filename>/dev</filename>,
|
||||||
<filename>/proc</filename> and <filename>/sys</filename> (protect these directories using
|
<filename>/proc</filename> and <filename>/sys</filename> (protect these directories using
|
||||||
<varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
|
<varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
|
||||||
<varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied
|
<varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied
|
||||||
|
|
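Review bot: the new wording on the `/boot`/`/efi` line says the boot loader directories are mounted read-only, but nothing in the hunk tells the reader what happens on a system where `/efi` does not exist or where the ESP is mounted at `/boot` only; if the setting simply skips a directory that is absent, a short clause such as "where present" after "(<filename>/boot</filename> and <filename>/efi</filename>)" would stop readers from expecting a unit to fail when one of them is missing. Minor style point on the reflowed "If set to <literal>strict</literal> the entire file system hierarchy is" line: a comma after the closing `</literal>` would match "If set to <literal>full</literal>, the" two lines above.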