Zbigniew Jędrzejewski-Szmek
parent
9b232d3241
commit
74388c2d11
|
|
@ -1234,13 +1234,22 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>NoNewPrivileges=</varname></term>
|
<term><varname>NoNewPrivileges=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Takes a boolean argument. If true, ensures
|
<listitem><para>Takes a boolean argument. If true, ensures that the service
|
||||||
that the service process and all its children can never gain
|
process and all its children can never gain new privileges. This option is more
|
||||||
new privileges. This option is more powerful than the
|
powerful than the respective secure bits flags (see above), as it also prohibits
|
||||||
respective secure bits flags (see above), as it also prohibits
|
UID changes of any kind. This is the simplest and most effective way to ensure that
|
||||||
UID changes of any kind. This is the simplest, most effective
|
a process and its children can never elevate privileges again. Defaults to false,
|
||||||
way to ensure that a process and its children can never
|
but in the user manager instance certain settings force
|
||||||
elevate privileges again.</para></listitem>
|
<varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting.
|
||||||
|
Those is the case when <varname>SystemCallFilter=</varname>,
|
||||||
|
<varname>SystemCallArchitectures=</varname>,
|
||||||
|
<varname>RestrictAddressFamilies=</varname>,
|
||||||
|
<varname>PrivateDevices=</varname>,
|
||||||
|
<varname>ProtectKernelTunables=</varname>,
|
||||||
|
<varname>ProtectKernelModules=</varname>,
|
||||||
|
<varname>MemoryDenyWriteExecute=</varname>, or
|
||||||
|
<varname>RestrictRealtime=</varname> are specified.
|
||||||
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue