1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

man: document ProtectProc= and ProcSubset=

This commit is contained in:
Lennart Poettering 2020-08-06 15:26:53 +02:00
parent 24da96a1bd
commit a54342b371

View File

@ -267,6 +267,55 @@
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>ProtectProc=</varname></term>
<listitem><para>Takes one of <literal>noaccess</literal>, <literal>invisible</literal>,
<literal>ptraceable</literal> or <literal>default</literal> (which it defaults to). When set, this
controls the <literal>hidepid=</literal> mount option of the <literal>procfs</literal> instance for
the unit that controls which directories with process metainformation
(<filename>/proc/<replaceable>PID</replaceable></filename>) are visible and accessible: when set to
<literal>noaccess</literal> the ability to access most of other users' process metadata in
<filename>/proc/</filename> is taken away for processes of the service. When set to
<literal>invisible</literal> processes owned by other users are hidden from
<filename>/proc/</filename>. If <literal>ptraceable</literal> all processes that cannot be
<function>ptrace()</function>'ed by a process are hidden to it. If <literal>default</literal> no
restrictions on <filename>/proc/</filename> access or visibility are made. For further details see
<ulink url="https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options">The /proc
Filesystem</ulink>. It is generally recommended to run most system services with this option set to
<literal>invisible</literal>. This option is implemented via file system namespacing, and thus cannot
be used with services that shall be able to install mount points in the host file system
hierarchy. It also cannot be used for services that need to access metainformation about other users'
processes. This option implies <varname>MountAPIVFS=</varname>.</para>
<para>If the kernel doesn't support per-mount point <option>hidepid=</option> mount options this
setting remains without effect, and the unit's processes will be able to access and see other process
as if the option was not used.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>ProcSubset=</varname></term>
<listitem><para>Takes one of <literal>all</literal> (the default) and <literal>pid</literal>. If
the latter all files and directories not directly associated with process management and introspection
are made invisible in the <filename>/proc/</filename> file system configured for the unit's
processes. This controls the <literal>subset=</literal> mount option of the <literal>procfs</literal>
instance for the unit. For further details see <ulink
url="https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options">The /proc
Filesystem</ulink>. Note that Linux exposes various kernel APIs via <filename>/proc/</filename>,
which are made unavailable with this setting. Since these APIs are used frequently this option is
useful only in a few, specific cases, and is not suitable for most non-trivial programs.</para>
<para>Much like <varname>ProtectProc=</varname> above, this is implemented via file system mount
namespacing, and hence the same restrictions apply: it is only available to system services, it
disables mount propagation to the host mount table, and it implies
<varname>MountAPIVFS=</varname>. Also, like <varname>ProtectProc=</varname> this setting is gracefully
disabled if the used kernel does not support the <literal>subset=</literal> mount option of
<literal>procfs</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>BindPaths=</varname></term>
<term><varname>BindReadOnlyPaths=</varname></term>