man: add warnings that Private*= settings are not always applied

2017-07-11 13:36:15 -04:00 · 2017-07-11 13:36:15 -04:00 · b023856884
parent 2c75fb7330
commit b023856884
1 changed files with 26 additions and 9 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -1038,14 +1038,19 @@
        <varname>After=</varname> dependencies on all mount units necessary to access <filename>/tmp</filename> and
        <filename>/var/tmp</filename>. Moreover an implicitly <varname>After=</varname> ordering on
        <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-        is added.</para></listitem>
+        is added.</para>
+
+        <para>Note that the implementation of this setting might be impossible (for example if mount namespaces
+        are not available), and the unit should be written in a way that does not solely rely on this setting for
+        security.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PrivateDevices=</varname></term>

-        <listitem><para>Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and
-        only adds API pseudo devices such as <filename>/dev/null</filename>, <filename>/dev/zero</filename> or
+        <listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev</filename> mount for the
+        executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
+        <filename>/dev/zero</filename> or
        <filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, but no physical devices such as
        <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, system ports
        <filename>/dev/port</filename> and others. This is useful to securely turn off physical device access by the
@ -1056,8 +1061,8 @@
        <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        for details). Note that using this setting will disconnect propagation of mounts from the service to the host
        (propagation in the opposite direction continues to work).  This means that this setting may not be used for
-        services which shall be able to install mount points in the main mount namespace. The /dev namespace will be
-        mounted read-only and 'noexec'.  The latter may break old programs which try to set up executable memory by
+        services which shall be able to install mount points in the main mount namespace. The new <filename>/dev</filename>
+        will be mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
        using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
        <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. This setting is implied if
        <varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding mount propagation and
@ -1065,7 +1070,11 @@
        If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
        capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
        is implied.
-        </para></listitem>
+        </para>
+
+        <para>Note that the implementation of this setting might be impossible (for example if mount namespaces
+        are not available), and the unit should be written in a way that does not solely rely on this setting for
+        security.</para></listitem>
      </varlistentry>

      <varlistentry>
@ -1076,7 +1085,7 @@
        configures only the loopback network device
        <literal>lo</literal> inside it. No other network devices will
        be available to the executed process. This is useful to
-        securely turn off network access by the executed process.
+        turn off network access by the executed process.
        Defaults to false. It is possible to run two or more units
        within the same private network namespace by using the
        <varname>JoinsNamespaceOf=</varname> directive, see
@ -1086,7 +1095,11 @@
        The latter has the effect that AF_UNIX sockets in the abstract
        socket namespace will become unavailable to the processes
        (however, those located in the file system will continue to be
-        accessible).</para></listitem>
+        accessible).</para>
+
+        <para>Note that the implementation of this setting might be impossible (for example if network namespaces
+        are not available), and the unit should be written in a way that does not solely rely on this setting for
+        security.</para></listitem>
      </varlistentry>

      <varlistentry>
@ -1108,7 +1121,11 @@
        <para>This setting is particularly useful in conjunction with
        <varname>RootDirectory=</varname>/<varname>RootImage=</varname>, as the need to synchronize the user and group
        databases in the root directory and on the host is reduced, as the only users and groups who need to be matched
-        are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para></listitem>
+        are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para>
+
+        <para>Note that the implementation of this setting might be impossible (for example if user namespaces
+        are not available), and the unit should be written in a way that does not solely rely on this setting for
+        security.</para></listitem>
      </varlistentry>

      <varlistentry>