X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=3b39a9c912be182a01ab5f9f5dcec1ed1f3964cb;hb=add005357d535681c7075ced8eec2b6e61b43728;hp=0973f4047a798862a9658a0f1d952a44647b5326;hpb=9156493171cf2d78e1ac1a3746c385b0e281acf1;p=thirdparty%2Fsystemd.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 0973f4047a7..3b39a9c912b 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1234,22 +1234,16 @@
NoNewPrivileges=
- Takes a boolean argument. If true, ensures that the service
- process and all its children can never gain new privileges through
- execve (e.g. via setuid or setgid bits, or filesystem
- capabilities). This is the simplest and most effective way to ensure that
- a process and its children can never elevate privileges again. Defaults to false,
- but in the user manager instance certain settings force
- NoNewPrivileges=yes, ignoring the value of this setting.
- This is the case when SystemCallFilter=,
- SystemCallArchitectures=,
- RestrictAddressFamilies=,
- PrivateDevices=,
- ProtectKernelTunables=,
- ProtectKernelModules=,
- MemoryDenyWriteExecute=, or
- RestrictRealtime= are specified.
-
+ Takes a boolean argument. If true, ensures that the service process and all its children can
+ never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem
+ capabilities). This is the simplest and most effective way to ensure that a process and its children can never
+ elevate privileges again. Defaults to false, but in the user manager instance certain settings force
+ NoNewPrivileges=yes, ignoring the value of this setting. This is the case when
+ SystemCallFilter=, SystemCallArchitectures=,
+ RestrictAddressFamilies=, RestrictNamespaces=,
+ PrivateDevices=, ProtectKernelTunables=,
+ ProtectKernelModules=, MemoryDenyWriteExecute=, or
+ RestrictRealtime= are specified.
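Review bot: The one substantive change in this hunk, adding RestrictNamespaces= to the list of settings that force NoNewPrivileges=yes in the user manager, is buried under a full rewrap of the paragraph, so a reader of the diff has to compare both versions word by word to find it; consider landing the reflow as a separate commit, or at least call out the added entry in the commit message. Also, since RestrictNamespaces= accepts a boolean or a namespace list, the sentence "This is the case when ... RestrictNamespaces= ... are specified" should say whether any non-default value (including a whitelist such as "net ipc") triggers the forced NoNewPrivileges=yes, or only RestrictNamespaces=yes, as the current wording leaves that open.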
@@ -1467,6 +1461,30 @@
logging. This does not affect commands prefixed with +.
+
+ RestrictNamespaces=
+
+ Restricts access to Linux namespace functionality for the processes of this unit. For details
+ about Linux namespaces, see
+ namespaces7. Either takes a
+ boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no
+ restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
+ prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
+ any combination of: cgroup, ipc, net,
+ mnt, pid, user and uts. Any
+ namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
+ prohibited (whitelisting). By prepending the list with a single tilda character (~) the
+ effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
+ permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
+ which is equivalent to false. Internally, this setting limits access to the
+ unshare2,
+ clone2 and
+ setns2 system calls, taking
+ the specified flags parameters into account. Note that â if this option is used â in addition to restricting
+ creation and switching of the specified types of namespaces (or all of them, if true) access to the
+ setns() system call with a zero flags parameter is prohibited.
+
+
ProtectKernelModules=
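Review bot: "a single tilda character" in the inversion sentence should read "tilde"; the same sentence would also be clearer with the syntax shown inline, e.g. "RestrictNamespaces=~net ipc". The final "Note that — if this option is used — in addition to restricting ..." sentence is hard to parse with the nested dashes and shows up garbled on this rendered page; suggest restructuring it, for instance "Note that when this option is used, the setns() system call with a zero flags parameter is prohibited as well, in addition to the restrictions on creating and switching the specified namespace types (or all of them, if true)." It would also help to state explicitly that this extra setns() restriction applies in list mode too, not only for the boolean true case, since the paragraph otherwise describes the three modes separately.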