From: Djalal Harouni Date: Mon, 19 Sep 2016 19:46:17 +0000 (+0200) Subject: doc: explicitly document that /dev/mem and /dev/port are blocked by PrivateDevices... X-Git-Tag: v232~181^2~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9221aec8d09f3b55a08fcbe8012e48129474ab54;p=thirdparty%2Fsystemd.git doc: explicitly document that /dev/mem and /dev/port are blocked by PrivateDevices=true --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 79ceee3ec03..a3a431c82b7 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -931,9 +931,10 @@ Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as - /dev/sda. This is useful to securely turn off physical device access by the executed - process. Defaults to false. Enabling this option will also remove CAP_MKNOD from the - capability bounding set for the unit (see above), and set DevicePolicy=closed (see + /dev/sda, system memory /dev/mem, system ports + /dev/port and others. This is useful to securely turn off physical device access by the + executed process. Defaults to false. Enabling this option will also remove CAP_MKNOD from + the capability bounding set for the unit (see above), and set DevicePolicy=closed (see systemd.resource-control5 for details). Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for
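Review bot: In the added lines, the list "such as /dev/sda, system memory /dev/mem, system ports /dev/port and others" is unevenly worded. The first entry is a bare path while the next two carry a description, and "such as ... and others" is redundant. Something like "such as /dev/sda, system memory (/dev/mem), system ports (/dev/port) and others" would read more cleanly. The subject says these nodes are "blocked", but the text only says they are not added to the new /dev namespace. Since the same paragraph already states that CAP_MKNOD is removed from the bounding set and DevicePolicy=closed is set, consider linking the two explicitly, so a reader sees that the nodes are absent and that the unit also cannot recreate or open them. That makes the security claim in "securely turn off physical device access" easier to verify from the documentation alone.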