From: Maximilian Wilhelm Date: Wed, 19 Jun 2024 11:41:39 +0000 (+0200) Subject: man/systemd.exec: list inaccessible files for ProtectKernelTunables X-Git-Tag: v257-rc1~1098 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=163bb43ceaa1e5bdcda27c4417339b3af9cf28af;p=thirdparty%2Fsystemd.git man/systemd.exec: list inaccessible files for ProtectKernelTunables --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 2fd69f6912f..9e621b9aa30 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -2022,8 +2022,9 @@ BindReadOnlyPaths=/var/lib/systemd /proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will - be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at - boot-time, for example with the + be made read-only and /proc/kallsyms as well as /proc/kcore will be + inaccessible to all processes of the unit. + Usually, tunable kernel variables should be initialized only at boot-time, for example with the sysctl.d5 mechanism. Few services need to write to these at runtime; it is hence recommended to turn this on for most services. For this setting the same restrictions regarding mount propagation and privileges apply as for
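Review bot: the new wording in the hunk is easy to misparse, because "to all processes of the unit" now trails only the /proc/kallsyms and /proc/kcore clause ("... will be made read-only and /proc/kallsyms as well as /proc/kcore will be inaccessible to all processes of the unit"), so a reader may take the read-only part as applying more broadly; suggest splitting it, e.g. "will be made read-only to all processes of the unit, and /proc/kallsyms and /proc/kcore will be inaccessible to them." Since "inaccessible" is a different treatment from the read-only handling of the other listed paths, the paragraph would also help operators deciding whether a service tolerates ProtectKernelTunables= if it said what inaccessible means in practice (whether opening the file fails or it merely appears empty). The commit message carries only the subject line; a sentence stating that this documents existing behaviour and was previously undocumented would make the change easier to review.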