1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00

doc: move ProtectKernelModules= documentation near ProtectKernelTunalbes=

This commit is contained in:
Djalal Harouni 2016-11-14 08:32:06 +01:00
parent 6a8c2d5915
commit 8526555680

View File

@ -1101,6 +1101,30 @@
make some IPC file system objects inaccessible.</para></listitem> make some IPC file system objects inaccessible.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><varname>ProtectKernelModules=</varname></term>
<listitem><para>Takes a boolean argument. If true, explicit module loading will
be denied. This allows to turn off module load and unload operations on modular
kernels. It is recommended to turn this on for most services that do not need special
file systems or extra kernel modules to work. Default to off. Enabling this option
removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
the unit, and installs a system call filter to block module system calls,
also <filename>/usr/lib/modules</filename> is made inaccessible. For this
setting the same restrictions regarding mount propagation and privileges
apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
Note that limited automatic module loading due to user configuration or kernel
mapping tables might still happen as side effect of requested user operations,
both privileged and unprivileged. To disable module auto-load feature please see
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
<constant>kernel.modules_disabled</constant> mechanism and
<filename>/proc/sys/kernel/modules_disabled</filename> documentation.
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
is implied.
</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><varname>ProtectControlGroups=</varname></term> <term><varname>ProtectControlGroups=</varname></term>
@ -1495,30 +1519,6 @@
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><varname>ProtectKernelModules=</varname></term>
<listitem><para>Takes a boolean argument. If true, explicit module loading will
be denied. This allows to turn off module load and unload operations on modular
kernels. It is recommended to turn this on for most services that do not need special
file systems or extra kernel modules to work. Default to off. Enabling this option
removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
the unit, and installs a system call filter to block module system calls,
also <filename>/usr/lib/modules</filename> is made inaccessible. For this
setting the same restrictions regarding mount propagation and privileges
apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
Note that limited automatic module loading due to user configuration or kernel
mapping tables might still happen as side effect of requested user operations,
both privileged and unprivileged. To disable module auto-load feature please see
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
<constant>kernel.modules_disabled</constant> mechanism and
<filename>/proc/sys/kernel/modules_disabled</filename> documentation.
If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
is implied.
</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><varname>Personality=</varname></term> <term><varname>Personality=</varname></term>