| field | value | date |
|---|---|---|
| author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2023-02-17 05:50:17 +0100 |
| committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2023-02-23 07:09:13 +0100 |
| commit | c2da3bf2376440526e87da6124660d22ac2079d6 (patch) | |
| tree | be6e5db0567dd6207635f4155a9c8902d0680a25 /man/systemd.exec.xml | |
| parent | core/namespace: introduce a new namespace mount mode PRIVATE_SYSFS (diff) | |
| download | systemd-c2da3bf2376440526e87da6124660d22ac2079d6.tar.xz systemd-c2da3bf2376440526e87da6124660d22ac2079d6.zip | |
core/namespace: mount new sysfs when new network namespace is requested
Even when a mount namespace is created, previously the host's sysfs was used,
especially with RootDirectory= or RootImage=, thus service processes could
still access the properties of the network interfaces in the main network
namespace through sysfs.
With this, sysfs is remounted with the new network namespace tag, except
when PrivateMounts= is explicitly disabled. Hence, the properties of the
network interfaces in the main network namespace cannot be accessed by
service processes through sysfs.
Fixes #26422.
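The commit message leaves one practical consequence implicit: because the sysfs remount is tied to PrivateMounts=, a unit that explicitly sets PrivateMounts=no opts back into the host's sysfs view. The following two drop-ins are an added illustration, not part of the systemd commit or its documentation; `example.service` and the drop-in file names are hypothetical, and the comments explain what each combination does on a systemd build that includes this change.

```ini
# Added example (not from the systemd commit). Hypothetical drop-ins for
# a hypothetical "example.service"; pick one of the two.

# --- /etc/systemd/system/example.service.d/10-weak.conf ---
# PrivateNetwork=yes would imply PrivateMounts=yes, but the explicit
# PrivateMounts=no below disables that. Per the commit message, /sys is
# then NOT remounted, so /sys/class/net still lists the host's network
# interfaces even though the service runs in its own network namespace.
[Service]
PrivateNetwork=yes
PrivateMounts=no

# --- /etc/systemd/system/example.service.d/10-hardened.conf ---
# PrivateMounts= is left unset, so the implied PrivateMounts=yes takes
# effect and /sys is remounted tagged with the new network namespace.
# /sys/class/net inside the service shows only the namespace's own
# interfaces (a fresh network namespace has just "lo").
[Service]
PrivateNetwork=yes
```

To check which view a unit actually gets, run a one-off command with the same settings and list the interfaces it sees, e.g. `systemd-run --wait --pipe -p PrivateNetwork=yes ls /sys/class/net` versus the same command with `-p PrivateMounts=no` added: on a systemd that includes this change the first shows only `lo`, while the second still lists the host's interfaces.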
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index bad21ceb0c..daa2a595f0 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1663,6 +1663,10 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> not available), and the unit should be written in a way that does not solely rely on this setting for security.</para> + <para>When this option is enabled, <varname>PrivateMounts=</varname> is implied unless it is + explicitly disabled, and <filename>/sys</filename> will be remounted to associate it with the new + network namespace.</para> + <para>When this option is used on a socket unit any sockets bound on behalf of this unit will be bound within a private network namespace. This may be combined with <varname>JoinsNamespaceOf=</varname> to listen on sockets inside of network namespaces of other @@ -1684,6 +1688,10 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> <varname>NetworkNamespacePath=</varname> configured, as otherwise the network namespace of those units is reused.</para> + <para>When this option is enabled, <varname>PrivateMounts=</varname> is implied unless it is + explicitly disabled, and <filename>/sys</filename> will be remounted to associate it with the new + network namespace.</para> + <para>When this option is used on a socket unit any sockets bound on behalf of this unit will be bound within the specified network namespace.</para> |
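Review bot: in the first hunk (@@ -1663,6 +1663,10 @@, the PrivateNetwork= description) the new paragraph states only the positive case; it should also spell out the consequence of opting out, because an explicit PrivateMounts=no now silently keeps the host's sysfs, and with it the host's network interfaces under /sys/class/net, visible to the service, which is exactly the leak the commit message says this fixes. Suggest extending the paragraph along the lines of: `If <varname>PrivateMounts=</varname> is explicitly turned off, <filename>/sys</filename> is not remounted and the network interfaces of the host remain visible through it.`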
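Review bot: in the second hunk (@@ -1684,6 +1688,10 @@, the NetworkNamespacePath= description) the paragraph is copied verbatim from the PrivateNetwork= hunk, including the words "the new network namespace", but NetworkNamespacePath= joins an existing namespace rather than creating one; reword to e.g. `<filename>/sys</filename> will be remounted to associate it with the specified network namespace.` so the text matches the setting it documents.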