On Tue, 13.12.16 10:52, Przemek Klosowski (przemek.klosowski@xxxxxxxx) wrote:

> On 12/12/2016 04:02 PM, Lennart Poettering wrote:
> > Hmm, yeah, I should probably blog more about all the nice sandboxing
> > features we have now in systemd. There's quite some stuff now we
> > should enable wherever we can. Specifically ProtectSystem=,
> > ProtectHome=, ProtectKernelTunables=, ProtectKernelModules=,
> > ProtectedControlGroups=, PrivateUsers=, PrivateTmp=, PrivateDevices=,
> > PrivateNetwork=, SystemCallFilter=, RestrictAddressFamilies=,
> > RestrictNamespaces=, MemoryDenyWriteExecute=, RestrictRealtime=.
> >
> > For now, the only docs available for them are the man pages. Not all
> > of them are available on all currently maintained Fedoras, but a good
> > chunk is.
>
> That wasn't quite easy to find although it does make sense in retrospect:
>
> man systemd.exec
>
> man -k ProtectSystem and man systemd|grep ProtectSystem didn't show anything
> because they don't really index the man pages. While looking for this, I
> came up with a useful technique for combing through man pages: maybe it'll
> be useful to someone:

Try "man 7 systemd.directives":

https://www.freedesktop.org/software/systemd/man/systemd.directives.html

Neat, eh?

Lennart

--
Lennart Poettering, Red Hat
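Added example, not part of the original message and not systemd's own tooling: a POSIX shell check that lists which of the sandboxing directives named in the thread are not enabled in a unit file's [Service] section. The function names and the sample unit are constructed, directive names follow systemd.exec(5), and only the single file given is read (no drop-ins, no line continuations).

```shell
#!/bin/sh
# Directives from the message above, spelled as in systemd.exec(5).
SANDBOX_DIRECTIVES="ProtectSystem ProtectHome ProtectKernelTunables \
ProtectKernelModules ProtectControlGroups PrivateUsers PrivateTmp \
PrivateDevices PrivateNetwork SystemCallFilter RestrictAddressFamilies \
RestrictNamespaces MemoryDenyWriteExecute RestrictRealtime"

# Print each listed directive that is not enabled in the [Service]
# section of unit file "$1" (hypothetical helper; last assignment wins).
missing_sandbox_directives() {
    awk -v want="$SANDBOX_DIRECTIVES" '
        BEGIN { n = split(want, names, " ") }
        /^[ \t]*[#;]/ { next }    # comment line
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Empty or boolean-false values are treated here as not enabled.
            seen[key] = (val != "" && tolower(val) !~ /^(no|false|off|0)$/)
        }
        END { for (i = 1; i <= n; i++) if (!seen[names[i]]) print names[i] }
    ' "$1"
}

# Constructed sample unit (not from the thread).
sample_unit() {
cat <<'EOF'
[Unit]
PrivateNetwork=yes

[Service]
ExecStart=/usr/bin/example-daemon
ProtectSystem=full
ProtectHome = yes
# PrivateDevices=yes
PrivateTmp=no
SystemCallFilter=~@mount
SystemCallFilter=
RestrictRealtime=true
EOF
}

tmp=$(mktemp); sample_unit > "$tmp"; missing_sandbox_directives "$tmp"; rm -f "$tmp"
```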