From a54342b371a5593f84a0d2c1d9f65081a91ee418 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 6 Aug 2020 15:26:53 +0200 Subject: [PATCH] man: document ProtectProc= and ProcSubset= --- man/systemd.exec.xml | 49 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 6ac877f9bc..a0069587f4 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -267,6 +267,55 @@ + + ProtectProc= + + Takes one of noaccess, invisible, + ptraceable or default (which it defaults to). When set, this + controls the hidepid= mount option of the procfs instance for + the unit that controls which directories with process metainformation + (/proc/PID) are visible and accessible: when set to + noaccess the ability to access most of other users' process metadata in + /proc/ is taken away for processes of the service. When set to + invisible processes owned by other users are hidden from + /proc/. If ptraceable all processes that cannot be + ptrace()'ed by a process are hidden to it. If default no + restrictions on /proc/ access or visibility are made. For further details see + The /proc + Filesystem. It is generally recommended to run most system services with this option set to + invisible. This option is implemented via file system namespacing, and thus cannot + be used with services that shall be able to install mount points in the host file system + hierarchy. It also cannot be used for services that need to access metainformation about other users' + processes. This option implies MountAPIVFS=. + + If the kernel doesn't support per-mount point mount options this + setting remains without effect, and the unit's processes will be able to access and see other process + as if the option was not used. + + + + + + ProcSubset= + + Takes one of all (the default) and pid. If + the latter all files and directories not directly associated with process management and introspection + are made invisible in the /proc/ file system configured for the unit's + processes. This controls the subset= mount option of the procfs + instance for the unit. For further details see The /proc + Filesystem. Note that Linux exposes various kernel APIs via /proc/, + which are made unavailable with this setting. Since these APIs are used frequently this option is + useful only in a few, specific cases, and is not suitable for most non-trivial programs. 
+ + Much like ProtectProc= above, this is implemented via file system mount + namespacing, and hence the same restrictions apply: it is only available to system services, it + disables mount propagation to the host mount table, and it implies + MountAPIVFS=. Also, like ProtectProc= this setting is gracefully + disabled if the used kernel does not support the subset= mount option of + procfs. + + BindPaths= BindReadOnlyPaths=
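Review bot: the ProcSubset= paragraph says "the same restrictions apply: it is only available to system services", but the ProtectProc= entry it refers back to never states that restriction; either add the same sentence to ProtectProc= or drop "it is only available to system services" here so the two entries agree. A few wording fixes in the same hunk: "ptrace()'ed by a process are hidden to it" should read "hidden from it"; "will be able to access and see other process as if the option was not used" is missing a plural ("other processes"); "If the latter all files and directories" needs a comma after "latter"; and "Takes one of all (the default) and pid" should be "or pid" to match the phrasing used for ProtectProc=. Since both options are silently ignored when the kernel lacks per-mount procfs options, it would help readers to state the minimum kernel version (or at least point to where it is documented) rather than only "If the kernel doesn't support per-mount point mount options", and to say which hidepid= value each of noaccess, invisible and ptraceable maps to, since the text already names the mount option. Finally, the ProcSubset= entry says the option "is not suitable for most non-trivial programs"; a one-line example of what breaks (e.g. a kernel API under /proc/ that becomes unavailable) would make the warning concrete.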