From: Lennart Poettering Date: Mon, 22 Apr 2024 09:18:45 +0000 (+0200) Subject: man: explicitly say that BindPaths=/BindReadOnlyPaths= opens a new mount X-Git-Tag: v256-rc1~71^2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c7f0d6b4401ab3ca62f6021adeb533a8e3802a6;p=thirdparty%2Fsystemd.git man: explicitly say that BindPaths=/BindReadOnlyPaths= opens a new mount namespace Fixes: #32339 --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 64b7b07fc7f..598a399b93a 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -443,6 +443,9 @@ that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is used. + Using this option implies that a mount namespace is allocated for the unit, i.e. it implies the + effect of PrivateMounts= (see below). + This option is particularly useful when RootDirectory=/RootImage= is used. In this case the source path refers to a path on the host file system, while the destination path refers to a path below the root directory of the unit. @@ -2372,8 +2375,9 @@ RestrictNamespaces=~cgroup net Other file system namespace unit settings — PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyPaths=, - InaccessiblePaths=, ReadWritePaths=, … — also enable file - system namespacing in a fashion equivalent to this option. Hence it is primarily useful to explicitly + InaccessiblePaths=, ReadWritePaths=, + BindPaths=, BindReadOnlyPaths=, … — also enable file system + namespacing in a fashion equivalent to this option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are used.
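Review bot: in the first hunk (systemd.exec.xml, around line 443), the added sentence says "Using this option implies ..." although the paragraph covers both BindPaths= and BindReadOnlyPaths= (the preceding context already says "regardless which of the two settings is used", and the commit subject names both); consider "Using either of these options implies that a mount namespace is allocated for the unit ..." so the reader does not take the namespace consequence as applying to only one of the two settings. "(see below)" is also a loose pointer in a long page; if the manual source supports a cross-reference, linking directly to the PrivateMounts= entry would make it easier for an administrator auditing which units get a private mount namespace to find the full description.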
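Review bot: in the second hunk (the PrivateMounts= paragraph, around line 2375), the enumeration of settings that implicitly enable file system namespacing still ends in "…", so adding BindPaths= and BindReadOnlyPaths= closes one gap without making the list complete; consider stating the general rule the list illustrates (that settings which change the unit's view of the file system allocate a mount namespace) so the named settings are not read as the exhaustive set, or otherwise note in the commit message that the list is intentionally partial. This paragraph and the sentence added in the first hunk describe the same implication from two sides ("imply the effect of PrivateMounts=" versus "enable file system namespacing in a fashion equivalent to this option"); keeping the wording aligned avoids a reader wondering whether the two describe different behaviour.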