man: improve documentation of fs namespace related settings
This commit is contained in:
Lennart Poettering
parent
7d711efb9c
commit
907afa0682
|
|
@ -837,7 +837,15 @@
|
|||
may be prefixed with
|
||||
<literal>-</literal>, in which case
|
||||
they will be ignored when they do not
|
||||
exist.</para></listitem>
|
||||
exist. Note that using this
|
||||
setting will disconnect propagation of
|
||||
mounts from the service to the host
|
||||
(propagation in the opposite direction
|
||||
continues to work). This means that
|
||||
this setting may not be used for
|
||||
services which shall be able to
|
||||
install mount points in the main mount
|
||||
namespace.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
|
@ -857,18 +865,61 @@
|
|||
processes via
|
||||
<filename>/tmp</filename> or
|
||||
<filename>/var/tmp</filename>
|
||||
impossible. All temporary data created
|
||||
by service will be removed after
|
||||
the service is stopped. Defaults to
|
||||
false. Note that it is possible to run
|
||||
two or more units within the same
|
||||
private <filename>/tmp</filename> and
|
||||
impossible. If this is enabled all
|
||||
temporary files created by a service
|
||||
in these directories will be removed
|
||||
after the service is stopped. Defaults
|
||||
to false. It is possible to run two or
|
||||
more units within the same private
|
||||
<filename>/tmp</filename> and
|
||||
<filename>/var/tmp</filename>
|
||||
namespace by using the
|
||||
<varname>JoinsNamespaceOf=</varname>
|
||||
directive, see
|
||||
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for details.</para></listitem>
|
||||
for details. Note that using this
|
||||
setting will disconnect propagation of
|
||||
mounts from the service to the host
|
||||
(propagation in the opposite direction
|
||||
continues to work). This means that
|
||||
this setting may not be used for
|
||||
services which shall be able to install
|
||||
mount points in the main mount
|
||||
namespace.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>PrivateDevices=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean
|
||||
argument. If true, sets up a new /dev
|
||||
namespace for the executed processes
|
||||
and only adds API pseudo devices such
|
||||
as <filename>/dev/null</filename>,
|
||||
<filename>/dev/zero</filename> or
|
||||
<filename>/dev/random</filename> (as
|
||||
well as the pseudo TTY subsystem) to
|
||||
it, but no physical devices such as
|
||||
<filename>/dev/sda</filename>. This is
|
||||
useful to securely turn off physical
|
||||
device access by the executed
|
||||
process. Defaults to false. Enabling
|
||||
this option will also remove
|
||||
<constant>CAP_MKNOD</constant> from
|
||||
the capability bounding set for the
|
||||
unit (see above), and set
|
||||
<varname>DevicePolicy=closed</varname>
|
||||
(see
|
||||
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for details). Note that using this
|
||||
setting will disconnect propagation of
|
||||
mounts from the service to the host
|
||||
(propagation in the opposite direction
|
||||
continues to work). This means that
|
||||
this setting may not be used for
|
||||
services which shall be able to
|
||||
install mount points in the main mount
|
||||
namespace.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
|
@ -884,35 +935,23 @@
|
|||
available to the executed process.
|
||||
This is useful to securely turn off
|
||||
network access by the executed
|
||||
process. Defaults to false. Note that
|
||||
it is possible to run two or more
|
||||
units within the same private network
|
||||
process. Defaults to false. It is
|
||||
possible to run two or more units
|
||||
within the same private network
|
||||
namespace by using the
|
||||
<varname>JoinsNamespaceOf=</varname>
|
||||
directive, see
|
||||
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for details.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>PrivateDevices=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean
|
||||
argument. If true, sets up a new /dev
|
||||
namespace for the executed processes
|
||||
and only adds API pseudo devices such
|
||||
as <filename>/dev/null</filename>,
|
||||
<filename>/dev/zero</filename> or
|
||||
<filename>/dev/random</filename> to
|
||||
it, but no physical devices such as
|
||||
<filename>/dev/sda</filename>. This is
|
||||
useful to securely turn off physical
|
||||
device access by the executed
|
||||
process. Defaults to false. Note that
|
||||
enabling this option implies that
|
||||
<constant>CAP_MKNOD</constant> is
|
||||
removed from the capability bounding
|
||||
set for the unit.</para></listitem>
|
||||
for details. Note that this option
|
||||
will disconnect all socket families
|
||||
from the host, this includes
|
||||
AF_NETLINK and AF_UNIX. The latter has
|
||||
the effect that AF_UNIX sockets in the
|
||||
abstract socket namespace will become
|
||||
unavailable to the processes (however,
|
||||
those located in the file system will
|
||||
continue to be
|
||||
accessible).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
|
|
|||
Loading…
Reference in a new issue