mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-23 17:34:00 +03:00
doc: move ProtectKernelModules= documentation near ProtectKernelTunalbes=
This commit is contained in:
parent
6a8c2d5915
commit
8526555680
@ -1101,6 +1101,30 @@
|
||||
make some IPC file system objects inaccessible.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>ProtectKernelModules=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument. If true, explicit module loading will
|
||||
be denied. This allows to turn off module load and unload operations on modular
|
||||
kernels. It is recommended to turn this on for most services that do not need special
|
||||
file systems or extra kernel modules to work. Default to off. Enabling this option
|
||||
removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
|
||||
the unit, and installs a system call filter to block module system calls,
|
||||
also <filename>/usr/lib/modules</filename> is made inaccessible. For this
|
||||
setting the same restrictions regarding mount propagation and privileges
|
||||
apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
|
||||
Note that limited automatic module loading due to user configuration or kernel
|
||||
mapping tables might still happen as side effect of requested user operations,
|
||||
both privileged and unprivileged. To disable module auto-load feature please see
|
||||
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
<constant>kernel.modules_disabled</constant> mechanism and
|
||||
<filename>/proc/sys/kernel/modules_disabled</filename> documentation.
|
||||
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
|
||||
capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
|
||||
is implied.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>ProtectControlGroups=</varname></term>
|
||||
|
||||
@ -1495,30 +1519,6 @@
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>ProtectKernelModules=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument. If true, explicit module loading will
|
||||
be denied. This allows to turn off module load and unload operations on modular
|
||||
kernels. It is recommended to turn this on for most services that do not need special
|
||||
file systems or extra kernel modules to work. Default to off. Enabling this option
|
||||
removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
|
||||
the unit, and installs a system call filter to block module system calls,
|
||||
also <filename>/usr/lib/modules</filename> is made inaccessible. For this
|
||||
setting the same restrictions regarding mount propagation and privileges
|
||||
apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
|
||||
Note that limited automatic module loading due to user configuration or kernel
|
||||
mapping tables might still happen as side effect of requested user operations,
|
||||
both privileged and unprivileged. To disable module auto-load feature please see
|
||||
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
<constant>kernel.modules_disabled</constant> mechanism and
|
||||
<filename>/proc/sys/kernel/modules_disabled</filename> documentation.
|
||||
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
|
||||
capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
|
||||
is implied.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Personality=</varname></term>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user