diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c31ab980fc..bd259708f5 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1038,14 +1038,19 @@
After= dependencies on all mount units necessary to access /tmp and
/var/tmp. Moreover an implicitly After= ordering on
systemd-tmpfiles-setup.service8
- is added.
+ is added.
+
+ Note that the implementation of this setting might be impossible (for example if mount namespaces
+ are not available), and the unit should be written in a way that does not solely rely on this setting for
+ security.
PrivateDevices=
- Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and
- only adds API pseudo devices such as /dev/null, /dev/zero or
+ Takes a boolean argument. If true, sets up a new /dev mount for the
+ executed processes and only adds API pseudo devices such as /dev/null,
+ /dev/zero or
/dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as
/dev/sda, system memory /dev/mem, system ports
/dev/port and others. This is useful to securely turn off physical device access by the
@@ -1056,8 +1061,8 @@
systemd.resource-control5
for details). Note that using this setting will disconnect propagation of mounts from the service to the host
(propagation in the opposite direction continues to work). This means that this setting may not be used for
- services which shall be able to install mount points in the main mount namespace. The /dev namespace will be
- mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
+ services which shall be able to install mount points in the main mount namespace. The new /dev
+ will be mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
using mmap2 of
/dev/zero instead of using MAP_ANON. This setting is implied if
DynamicUser= is set. For this setting the same restrictions regarding mount propagation and
@@ -1065,7 +1070,11 @@
If turned on and if running in user mode, or in system mode, but without the CAP_SYS_ADMIN
capability (e.g. setting User=), NoNewPrivileges=yes
is implied.
-
+
+
+ Note that the implementation of this setting might be impossible (for example if mount namespaces
+ are not available), and the unit should be written in a way that does not solely rely on this setting for
+ security.
@@ -1076,7 +1085,7 @@
configures only the loopback network device
lo inside it. No other network devices will
be available to the executed process. This is useful to
- securely turn off network access by the executed process.
+ turn off network access by the executed process.
Defaults to false. It is possible to run two or more units
within the same private network namespace by using the
JoinsNamespaceOf= directive, see
@@ -1086,7 +1095,11 @@
The latter has the effect that AF_UNIX sockets in the abstract
socket namespace will become unavailable to the processes
(however, those located in the file system will continue to be
- accessible).
+ accessible).
+
+ Note that the implementation of this setting might be impossible (for example if network namespaces
+ are not available), and the unit should be written in a way that does not solely rely on this setting for
+ security.
@@ -1108,7 +1121,11 @@
This setting is particularly useful in conjunction with
RootDirectory=/RootImage=, as the need to synchronize the user and group
databases in the root directory and on the host is reduced, as the only users and groups who need to be matched
- are root, nobody and the unit's own user and group.
+ are root, nobody and the unit's own user and group.
+
+ Note that the implementation of this setting might be impossible (for example if user namespaces
+ are not available), and the unit should be written in a way that does not solely rely on this setting for
+ security.