shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Code

man/systemd.exec: list inaccessible files for ProtectKernelTunables

Browse Source 
(cherry picked from commit 163bb43cea)
This commit is contained in:
Maximilian Wilhelm 2024-06-19 13:41:39 +02:00 committed by Luca Boccassi
parent 90b5cb35e9
commit 3e435e970d
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
man/systemd.exec.xml
View File

@ -2021,8 +2021,9 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
<filename>/proc/sys/</filename>, <filename>/sys/</filename>, <filename>/proc/sysrq-trigger</filename>,
<filename>/proc/latency_stats</filename>, <filename>/proc/acpi</filename>,
<filename>/proc/timer_stats</filename>, <filename>/proc/fs</filename> and <filename>/proc/irq</filename> will
be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at
boot-time, for example with the
be made read-only and <filename>/proc/kallsyms</filename> as well as <filename>/proc/kcore</filename> will be
inaccessible to all processes of the unit.
Usually, tunable kernel variables should be initialized only at boot-time, for example with the
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> mechanism. Few
services need to write to these at runtime; it is hence recommended to turn this on for most services. For this
setting the same restrictions regarding mount propagation and privileges apply as for