mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-24 21:34:08 +03:00
doc: explicitly document that /dev/mem and /dev/port are blocked by PrivateDevices=true
parent e778185bb5
commit 9221aec8d0
@ -931,9 +931,10 @@
<listitem><para>Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and
only adds API pseudo devices such as <filename>/dev/null</filename>, <filename>/dev/zero</filename> or
<filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, but no physical devices such as
<filename>/dev/sda</filename>. This is useful to securely turn off physical device access by the executed
process. Defaults to false. Enabling this option will also remove <constant>CAP_MKNOD</constant> from the
capability bounding set for the unit (see above), and set <varname>DevicePolicy=closed</varname> (see
<filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, system ports
<filename>/dev/port</filename> and others. This is useful to securely turn off physical device access by the
executed process. Defaults to false. Enabling this option will also remove <constant>CAP_MKNOD</constant> from
the capability bounding set for the unit (see above), and set <varname>DevicePolicy=closed</varname> (see
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). Note that using this setting will disconnect propagation of mounts from the service to the host
(propagation in the opposite direction continues to work). This means that this setting may not be used for
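Review bot: the rewritten sentence in this hunk lists <filename>/dev/mem</filename> and <filename>/dev/port</filename> as further examples of "physical devices" alongside <filename>/dev/sda</filename>, which is misleading since they are kernel interfaces to physical memory and I/O port space rather than devices; suggest splitting the clause, e.g. "but no physical devices such as <filename>/dev/sda</filename>, nor the system memory and I/O port interfaces <filename>/dev/mem</filename> and <filename>/dev/port</filename>." The trailing "and others" is vague for a hardening option whose whole point is knowing what is excluded; either drop it or say what class of nodes it covers. Reflowing the paragraph also turns a one-sentence change into a replacement of every line from <filename>/dev/sda</filename> onwards, which hides the actual edit in review; keeping the original line breaks where possible would make the diff minimal.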