man: mention that RestrictNamespaces= can be specified multiple times

This commit is contained in:
Yu Watanabe 2018-04-27 00:22:10 +09:00
parent 1dcf96c29f
commit 53255e53ce
1 changed files with 13 additions and 2 deletions

@ -1152,7 +1152,9 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
prohibited (whitelisting). By prepending the list with a single tilde character (<literal>~</literal>) the
effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
which is equivalent to false. Internally, this setting limits access to the
which is equivalent to false. This option may appear more than once, in which case the namespace types are
merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with
<literal>~</literal> (see examples below). Internally, this setting limits access to the
<citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
<citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
<citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
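Review bot: The added merge rule ("merged by OR, or by AND if the lines are prefixed with ~") is ambiguous about which lines must carry the tilde: read literally it suggests every line needs the prefix, whereas the example added further down prefixes only the second line and still intersects. Suggest stating it per line, e.g. "Each line without ~ adds its namespace types to the permitted set; each line prefixed with ~ removes its namespace types from that set (the sets are combined by OR and AND respectively)." It would also help to say explicitly that a later RestrictNamespaces= line does not replace the earlier value but is combined with it, since that is the point of the sentence and is what an administrator adding a drop-in needs to know; the existing sentence about the empty string already covers the reset case.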
@ -1162,7 +1164,16 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390
and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but
without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>),
<varname>NoNewPrivileges=yes</varname> is implied. </para></listitem>
<varname>NoNewPrivileges=yes</varname> is implied.</para>
<para>Example: if a unit has the following,
<programlisting>RestrictNamespaces=cgroup ipc
RestrictNamespaces=cgroup net</programlisting>
then <constant>cgroup</constant>, <constant>ipc</constant>, and <constant>net</constant> are set.
If the second line is prefixed with <literal>~</literal>, e.g.,
<programlisting>RestrictNamespaces=cgroup ipc
RestrictNamespaces=~cgroup net</programlisting>
then, only <constant>ipc</constant> is set.</para></listitem>
</varlistentry>
<varlistentry>
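Review bot: "are set" in the worked example is too vague for an option that decides which namespace syscalls are blocked; say what the resulting value means, i.e. that cgroup, ipc and net are the namespace types that remain accessible and all other types are prohibited (the union of the two lines), and in the second case that only ipc remains accessible because the ~cgroup net line removes cgroup from the first line's set. Also drop the stray comma in "then, only <constant>ipc</constant> is set".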