summaryrefslogtreecommitdiffstats
path: root/man/systemd.exec.xml
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--man/systemd.exec.xml23
1 files changed, 15 insertions, 8 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index d3b64e9..0aad217 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1240,6 +1240,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
accessible to privileged processes. However, most namespacing settings, that will not work on their own in user
services, will work when used in conjunction with <varname>PrivateUsers=</varname><option>true</option>.</para>
+ <para>Note that the various options that turn directories read-only (such as
+ <varname>ProtectSystem=</varname>, <varname>ReadOnlyPaths=</varname>, …) do not affect the ability for
+ programs to connect to and communicate with <constant>AF_UNIX</constant> sockets in these
+ directores. These options cannot be used to lock down access to IPC services hence.</para>
+
<variablelist class='unit-directives'>
<varlistentry>
@@ -1253,14 +1258,16 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
mounted read-only, except for the API file system subtrees <filename>/dev/</filename>,
<filename>/proc/</filename> and <filename>/sys/</filename> (protect these directories using
<varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
- <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied
- operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is
- recommended to enable this setting for all long-running services, unless they are involved with system updates
- or need to modify the operating system in other ways. If this option is used,
- <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This
- setting is implied if <varname>DynamicUser=</varname> is set. This setting cannot ensure protection in all
- cases. In general it has the same limitations as <varname>ReadOnlyPaths=</varname>, see below. Defaults to
- off.</para></listitem>
+ <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the
+ vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited
+ for the service. It is recommended to enable this setting for all long-running services, unless they
+ are involved with system updates or need to modify the operating system in other ways. If this option
+ is used, <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being
+ made read-only. Similar, <varname>StateDirectory=</varname>, <varname>LogsDirectory=</varname>, … and
+ related directory settings (see below) also exclude the specific directories from the effect of
+ <varname>ProtectSystem=</varname>. This setting is implied if <varname>DynamicUser=</varname> is
+ set. This setting cannot ensure protection in all cases. In general it has the same limitations as
+ <varname>ReadOnlyPaths=</varname>, see below. Defaults to off.</para></listitem>
</varlistentry>
<varlistentry>