From 85265556807397546a4742609b5168d19aa0df96 Mon Sep 17 00:00:00 2001 From: Djalal Harouni Date: Mon, 14 Nov 2016 08:32:06 +0100 Subject: [PATCH] doc: move ProtectKernelModules= documentation near ProtectKernelTunalbes= --- man/systemd.exec.xml | 48 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 669b726920..f85dbb4cda 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1101,6 +1101,30 @@ make some IPC file system objects inaccessible. + + ProtectKernelModules= + + Takes a boolean argument. If true, explicit module loading will + be denied. This allows to turn off module load and unload operations on modular + kernels. It is recommended to turn this on for most services that do not need special + file systems or extra kernel modules to work. Default to off. Enabling this option + removes CAP_SYS_MODULE from the capability bounding set for + the unit, and installs a system call filter to block module system calls, + also /usr/lib/modules is made inaccessible. For this + setting the same restrictions regarding mount propagation and privileges + apply as for ReadOnlyPaths= and related calls, see above. + Note that limited automatic module loading due to user configuration or kernel + mapping tables might still happen as side effect of requested user operations, + both privileged and unprivileged. To disable module auto-load feature please see + sysctl.d5 + kernel.modules_disabled mechanism and + /proc/sys/kernel/modules_disabled documentation. + If turned on and if running in user mode, or in system mode, but without the CAP_SYS_ADMIN + capability (e.g. setting User=), NoNewPrivileges=yes + is implied. + + + ProtectControlGroups= 
@@ -1495,30 +1519,6 @@ - - ProtectKernelModules= - - Takes a boolean argument. If true, explicit module loading will - be denied. This allows to turn off module load and unload operations on modular - kernels. It is recommended to turn this on for most services that do not need special - file systems or extra kernel modules to work. Default to off. Enabling this option - removes CAP_SYS_MODULE from the capability bounding set for - the unit, and installs a system call filter to block module system calls, - also /usr/lib/modules is made inaccessible. For this - setting the same restrictions regarding mount propagation and privileges - apply as for ReadOnlyPaths= and related calls, see above. - Note that limited automatic module loading due to user configuration or kernel - mapping tables might still happen as side effect of requested user operations, - both privileged and unprivileged. To disable module auto-load feature please see - sysctl.d5 - kernel.modules_disabled mechanism and - /proc/sys/kernel/modules_disabled documentation. - If turned on and if running in user mode, or in system mode, but without the CAP_SYS_ADMIN - capability (e.g. setting User=), NoNewPrivileges=yes - is implied. - - - Personality=
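Review bot: In the first hunk (@@ -1101,6 +1101,30 @@), the moved paragraph still says the mount propagation and privilege restrictions apply "as for ReadOnlyPaths= and related calls, see above". The entry now sits roughly 400 lines earlier than its old position before Personality=, so please confirm that ReadOnlyPaths= is still documented ahead of the new location, or drop "see above" and name the option only. Since the text is being moved anyway, the wording could be tightened in the same patch: "This allows to turn off" reads better as "This allows turning off", "Default to off" as "Defaults to off", and the clause "also /usr/lib/modules is made inaccessible" is a comma splice that would be clearer as its own sentence. The subject line also misspells ProtectKernelTunables= as "ProtectKernelTunalbes=".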