mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-24 21:34:08 +03:00
doc: move ProtectKernelModules= documentation near ProtectKernelTunables=
parent
6a8c2d5915
commit
8526555680
@ -1101,6 +1101,30 @@
|
|||||||
make some IPC file system objects inaccessible.</para></listitem>
|
make some IPC file system objects inaccessible.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>ProtectKernelModules=</varname></term>
|
||||||
|
|
||||||
|
<listitem><para>Takes a boolean argument. If true, explicit module loading will
|
||||||
|
be denied. This allows to turn off module load and unload operations on modular
|
||||||
|
kernels. It is recommended to turn this on for most services that do not need special
|
||||||
|
file systems or extra kernel modules to work. Default to off. Enabling this option
|
||||||
|
removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
|
||||||
|
the unit, and installs a system call filter to block module system calls,
|
||||||
|
also <filename>/usr/lib/modules</filename> is made inaccessible. For this
|
||||||
|
setting the same restrictions regarding mount propagation and privileges
|
||||||
|
apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
|
||||||
|
Note that limited automatic module loading due to user configuration or kernel
|
||||||
|
mapping tables might still happen as side effect of requested user operations,
|
||||||
|
both privileged and unprivileged. To disable module auto-load feature please see
|
||||||
|
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
|
<constant>kernel.modules_disabled</constant> mechanism and
|
||||||
|
<filename>/proc/sys/kernel/modules_disabled</filename> documentation.
|
||||||
|
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
|
||||||
|
capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
|
||||||
|
is implied.
|
||||||
|
</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>ProtectControlGroups=</varname></term>
|
<term><varname>ProtectControlGroups=</varname></term>
|
||||||
|
|
||||||
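Review bot: the moved paragraph carries over two grammar slips from the original text, "This allows to turn off module load and unload operations" and "Default to off.", which should read "This allows turning off module load and unload operations" and "Defaults to off."; since this commit is intended as a pure relocation, keeping the wording byte-identical here is the right call, but the fix should be queued as a follow-up rather than left in place. Also worth verifying at the new position, directly after ProtectKernelTunables= and before ProtectControlGroups=, that the cross reference "apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above" still points backwards, i.e. that the ReadOnlyPaths= entry precedes line 1101 in the new layout.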
@ -1495,30 +1519,6 @@
|
|||||||
</para></listitem>
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><varname>ProtectKernelModules=</varname></term>
|
|
||||||
|
|
||||||
<listitem><para>Takes a boolean argument. If true, explicit module loading will
|
|
||||||
be denied. This allows to turn off module load and unload operations on modular
|
|
||||||
kernels. It is recommended to turn this on for most services that do not need special
|
|
||||||
file systems or extra kernel modules to work. Default to off. Enabling this option
|
|
||||||
removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
|
|
||||||
the unit, and installs a system call filter to block module system calls,
|
|
||||||
also <filename>/usr/lib/modules</filename> is made inaccessible. For this
|
|
||||||
setting the same restrictions regarding mount propagation and privileges
|
|
||||||
apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
|
|
||||||
Note that limited automatic module loading due to user configuration or kernel
|
|
||||||
mapping tables might still happen as side effect of requested user operations,
|
|
||||||
both privileged and unprivileged. To disable module auto-load feature please see
|
|
||||||
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
||||||
<constant>kernel.modules_disabled</constant> mechanism and
|
|
||||||
<filename>/proc/sys/kernel/modules_disabled</filename> documentation.
|
|
||||||
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
|
|
||||||
capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
|
|
||||||
is implied.
|
|
||||||
</para></listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>Personality=</varname></term>
|
<term><varname>Personality=</varname></term>
|
||||||
|
|
||||||
|
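Review bot: the hunk header @@ -1495,30 +1519,6 @@ removes 24 lines and the earlier header @@ -1101,6 +1101,30 @@ adds 24, with 1519 = 1495 + 24, so the offsets are consistent, and comparing the removed <varlistentry> for ProtectKernelModules= against the inserted one line by line shows identical text, confirming this is a pure move with no wording change. One thing to double check in the rendered manpage is that exactly one blank line still separates the preceding </varlistentry> from the <varlistentry> for Personality=, since the trailing context indicates the empty line is retained.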