From: Luca Boccassi Date: Sun, 15 Jan 2023 18:54:16 +0000 (+0000) Subject: man: note that cgroup-based sandboxing is not bypassed by '+' X-Git-Tag: v253-rc1~76 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f2af682cd6308f9b26035b83063e6aa8593e468c;p=thirdparty%2Fsystemd.git man: note that cgroup-based sandboxing is not bypassed by '+' DeviceAllow= and others are applied to the whole cgroup via bpf, so using '+' on an Exec line will not bypass them. Explain this in the manpage. Fixes https://github.com/systemd/systemd/issues/26035 --- diff --git a/man/cgroup-sandboxing.xml b/man/cgroup-sandboxing.xml new file mode 100644 index 00000000000..56f7c4007b6 --- /dev/null +++ b/man/cgroup-sandboxing.xml @@ -0,0 +1,16 @@ + + + + + + + +This option cannot be bypassed by prefixing + to the executable path +in the service unit, as it applies to the whole control group. + +These options cannot be bypassed by prefixing + to the executable path +in the service unit, as it applies to the whole control group. + + diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 3ee0484e946..0bb5569c331 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -2007,7 +2007,9 @@ RestrictFileSystems=ext4 Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting - has no effect. + has no effect. + + diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index a74a401ef7e..4b19b18231a 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -638,6 +638,8 @@ support is not enabled in the underlying kernel or container manager). These settings will have no effect in that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on them for IP security. + + 
@@ -814,6 +816,8 @@ SocketBindDeny=any SocketBindAllow=ipv4:udp:10000-65535 SocketBindDeny=any … + + @@ -860,6 +864,8 @@ RestrictNetworkInterfaces=eth1 eth2 RestrictNetworkInterfaces=~eth1 Programs in the unit will be only able to use the eth2 network interface. + + @@ -912,6 +918,7 @@ DeviceAllow=block-loop DeviceAllow=/dev/loop-control … + @@ -956,6 +963,8 @@ DeviceAllow=/dev/loop-control + + diff --git a/man/systemd.service.xml b/man/systemd.service.xml index f123fa2e4c8..641d6ac4790 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -406,7 +406,7 @@ + - If the executable path is prefixed with + then the process is executed with full privileges. In this mode privilege restrictions configured with User=, Group=, CapabilityBoundingSet= or the various file system namespacing options (such as PrivateDevices=, PrivateTmp=) are not applied to the invoked command line (but still affect any other ExecStart=, ExecStop=, … lines). + If the executable path is prefixed with + then the process is executed with full privileges. In this mode privilege restrictions configured with User=, Group=, CapabilityBoundingSet= or the various file system namespacing options (such as PrivateDevices=, PrivateTmp=) are not applied to the invoked command line (but still affect any other ExecStart=, ExecStop=, … lines). However, note that this will not bypass options that apply to the whole control group, such as DevicePolicy=, see systemd.resource-control5 for the full list.
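Review bot: In the new man/cgroup-sandboxing.xml the plural variant has a number mismatch: "These options cannot be bypassed by prefixing + to the executable path in the service unit, as it applies to the whole control group." should read "as they apply to the whole control group." It would also help readers to state why the prefix does not help, as the commit message does: the '+'-prefixed process still runs inside the unit's control group, and these settings are enforced on the control group (via BPF) rather than on the individual process, so there is nothing per-process for '+' to drop.

Review bot: In the systemd.exec.xml hunk for RestrictFileSystems=, the included paragraph lands immediately after "In that case this setting has no effect.", so the sequence "has no effect" followed by "cannot be bypassed by prefixing +" reads as if it contradicts the fallback caveat. Since the shared fragment cannot be reworded per site, consider placing the include before the "Note that this setting might not be supported on some systems" sentence, so the bypass note attaches to the description of the option itself and the unsupported-kernel caveat stays last.

Review bot: In the systemd.service.xml hunk the added sentence is a run-on and its cross-reference is incomplete: "such as DevicePolicy=, see systemd.resource-control5 for the full list." Split it with a semicolon, and note that this same patch also marks RestrictFileSystems= in systemd.exec(5) as cgroup-wide, so systemd.resource-control(5) is not the full list. Suggested: "However, note that this will not bypass options that apply to the whole control group, such as DevicePolicy= and DeviceAllow=; see the individual option descriptions in systemd.resource-control(5) and systemd.exec(5)." Naming DeviceAllow= here also matches the case in the linked issue.

The interaction the commit message describes, shown as a constructed service unit; this is an added example, not part of the commit or of systemd's own documentation, and the unit name, user, device path and program paths are assumptions made for illustration:

```ini
# /etc/systemd/system/sensord.service  (constructed example, not from the commit)
[Unit]
Description=Shows which sandboxing settings a '+' prefix bypasses and which it does not

[Service]
# Per-process restrictions: a '+'-prefixed command is started without these.
User=sensor
Group=sensor
CapabilityBoundingSet=
PrivateTmp=yes

# Control-group-wide restrictions: applied to the unit's cgroup, so every
# process in the unit is subject to them whether or not its Exec line has '+'.
DevicePolicy=closed
DeviceAllow=/dev/ttyUSB0 rw

# Runs as root with the full capability set (User=, Group= and
# CapabilityBoundingSet= are skipped), yet it can still open only /dev/ttyUSB0
# plus the pseudo devices DevicePolicy=closed permits. Something like
#   ExecStartPre=+/bin/sh -c 'cat /dev/sda >/dev/null'
# would fail with EPERM despite the '+', because /dev/sda is not in DeviceAllow=.
ExecStartPre=+/usr/bin/stty -F /dev/ttyUSB0 115200

# Runs as user 'sensor' with the same device allow-list.
ExecStart=/usr/local/bin/sensord --port /dev/ttyUSB0
```

If a '+'-prefixed command needs a device the main service does not, the fix is an additional DeviceAllow= entry (or a looser DevicePolicy=), not the prefix. The same holds for the other settings this commit marks as control-group-wide: IPAddressAllow=/IPAddressDeny=, SocketBindAllow=/SocketBindDeny=, RestrictNetworkInterfaces= and RestrictFileSystems= continue to apply to the privileged command line.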