On Tue, 13.12.16 10:52, Przemek Klosowski (przemek.klosowski(a)nist.gov) wrote:
On 12/12/2016 04:02 PM, Lennart Poettering wrote:
> Hmm, yeah, I should probably blog more about all the nice sandboxing
> features we have now in systemd. There's quite some stuff now we
> should enable wherever we can. Specifically ProtectSystem=,
> ProtectHome=, ProtectKernelTunables=, ProtectKernelModules=,
> ProtectedControlGroups=, PrivateUsers=, PrivateTmp=, PrivateDevices=,
> PrivateNetwork=, SystemCallFilter=, RestrictAddressFamilies=,
> RestrictNamespaces=, MemoryDenyWriteExecute=, RestrictRealtime=.
>
> For now, the only docs available for them are the man pages. Not all
> of them are available on all currently maintained Fedoras, but a good
> chunk is.
That wasn't quite easy to find although it does make sense in retrospect:
man systemd.exec
man -k ProtectSystem and man systemd|grep ProtectSystem didn't show anything
because they don't really index the man pages. While looking for this, I
came up with a useful technique for combing through man pages: maybe it'll
be useful to someone:
Try "man 7 systemd.directives":
https://www.freedesktop.org/software/systemd/man/systemd.directives.html
Neat, eh?
Lennart
--
Lennart Poettering, Red Hat