From e568a92d994608d96719585362389be5e5d3d0e7 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Tue, 27 Feb 2018 16:59:03 +0900 Subject: [PATCH] man: suggests TemporaryFileSystem= when people want to nest bind mounts inside InaccessiblePaths= (#8288) Suggested by @sourcejedi in #8242. Closes #7895, #7153, and #2780. --- man/systemd.exec.xml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index ba07d0feb2..daae94e372 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -916,9 +916,13 @@ CapabilityBoundingSet=~CAP_B CAP_C reading only, writing will be refused even if the usual file access controls would permit this. Nest ReadWritePaths= inside of ReadOnlyPaths= in order to provide writable subdirectories within read-only directories. Use ReadWritePaths= in order to whitelist - specific paths for write access if ProtectSystem=strict is used. Paths listed in - InaccessiblePaths= will be made inaccessible for processes inside the namespace (along with - everything below them in the file system hierarchy). + specific paths for write access if ProtectSystem=strict is used. + + Paths listed in InaccessiblePaths= will be made inaccessible for processes inside + the namespace along with everything below them in the file system hierarchy. This may be more restrictive than + desired, because it is not possible to nest ReadWritePaths=, ReadOnlyPaths=, + BindPaths=, or BindReadOnlyPaths= inside it. For a more flexible option, + see TemporaryFileSystem=. Note that restricting access with these options does not extend to submounts of a directory that are created later on. Non-directory paths may be specified as well. These options may be specified more than once, -- 2.25.1
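Review bot: the new paragraph tells readers that ReadWritePaths=, ReadOnlyPaths=, BindPaths= and BindReadOnlyPaths= cannot be nested inside InaccessiblePaths= and then points to TemporaryFileSystem= "for a more flexible option", but it does not say what that option does or how it replaces the pattern readers were trying to build; a half-sentence such as "TemporaryFileSystem= mounts an empty tmpfs over the directory, after which BindPaths= or BindReadOnlyPaths= can expose selected subdirectories inside it" would let a reader act on the cross-reference without guessing, which matters for a hardening directive where the default after the tmpfs mount is that nothing underneath is visible. It would also help to carry the existing caveat about later-created submounts into the new paragraph, since the sentence that begins "Note that restricting access with these options does not extend to submounts" now follows a paragraph break and could be read as applying only to TemporaryFileSystem=.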