diff options
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index a671649..1e95a94 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1369,6 +1369,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> accessible to privileged processes. However, most namespacing settings, that will not work on their own in user services, will work when used in conjunction with <varname>PrivateUsers=</varname><option>true</option>.</para> + <para>Note that the various options that turn directories read-only (such as + <varname>ProtectSystem=</varname>, <varname>ReadOnlyPaths=</varname>, …) do not affect the ability for + programs to connect to and communicate with <constant>AF_UNIX</constant> sockets in these + directores. These options cannot be used to lock down access to IPC services hence.</para> + <variablelist class='unit-directives'> <varlistentry> @@ -1382,14 +1387,16 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> mounted read-only, except for the API file system subtrees <filename>/dev/</filename>, <filename>/proc/</filename> and <filename>/sys/</filename> (protect these directories using <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, - <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied - operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is - recommended to enable this setting for all long-running services, unless they are involved with system updates - or need to modify the operating system in other ways. If this option is used, - <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This - setting is implied if <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all - cases. In general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below. Defaults to - off.</para> + <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the + vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited + for the service. It is recommended to enable this setting for all long-running services, unless they + are involved with system updates or need to modify the operating system in other ways. If this option + is used, <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being + made read-only. Similar, <varname>StateDirectory=</varname>, <varname>LogsDirectory=</varname>, … and + related directory settings (see below) also exclude the specific directories from the effect of + <varname>ProtectSystem=</varname>. This setting is implied if <varname>DynamicUser=</varname> is + set. This setting cannot ensure protection in all cases. In general it has the same limitations as + <varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para> <xi:include href="version-info.xml" xpointer="v214"/></listitem> </varlistentry> @@ -3121,6 +3128,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX values are indexed may also be used to implement cross-unit log record matching. Assign an empty string to reset the list.</para> + <para>Note that this functionality is currently only available in system services, not in per-user + services.</para> + <xi:include href="version-info.xml" xpointer="v236"/></listitem> </varlistentry> @@ -3176,6 +3186,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX the kernel log buffer (kmsg), the systemd console, or sent as wall messages to all logged-in users.</para> + <para>Note that this functionality is currently only available in system services, not in per-user + services.</para> + <xi:include href="version-info.xml" xpointer="v253"/></listitem> </varlistentry> |