1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00

doc: explicitly document that /dev/mem and /dev/port are blocked by PrivateDevices=true

This commit is contained in:
Djalal Harouni 2016-09-19 21:46:17 +02:00
parent e778185bb5
commit 9221aec8d0

View File

@ -931,9 +931,10 @@
<listitem><para>Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and
only adds API pseudo devices such as <filename>/dev/null</filename>, <filename>/dev/zero</filename> or
<filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, but no physical devices such as
<filename>/dev/sda</filename>. This is useful to securely turn off physical device access by the executed
process. Defaults to false. Enabling this option will also remove <constant>CAP_MKNOD</constant> from the
capability bounding set for the unit (see above), and set <varname>DevicePolicy=closed</varname> (see
<filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, system ports
<filename>/dev/port</filename> and others. This is useful to securely turn off physical device access by the
executed process. Defaults to false. Enabling this option will also remove <constant>CAP_MKNOD</constant> from
the capability bounding set for the unit (see above), and set <varname>DevicePolicy=closed</varname> (see
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). Note that using this setting will disconnect propagation of mounts from the service to the host
(propagation in the opposite direction continues to work). This means that this setting may not be used for