-rw-r--r-- docs/TRANSIENT-SETTINGS.md | 1
-rw-r--r-- man/systemd.exec.xml | 27
2 files changed, 22 insertions, 6 deletions
diff --git a/docs/TRANSIENT-SETTINGS.md b/docs/TRANSIENT-SETTINGS.md index 9f93e3b836..271d8ab1e3 100644 --- a/docs/TRANSIENT-SETTINGS.md +++ b/docs/TRANSIENT-SETTINGS.md @@ -192,6 +192,7 @@ All execution-related settings are available for transient units. ✓ PrivateUsers= ✓ ProtectSystem= ✓ ProtectHome= +✓ ProtectClock= ✓ MountFlags= ✓ MountAPIVFS= ✓ Personality= diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index c4cada2f27..b7f44c9473 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -405,11 +405,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, <varname>ProtectKernelModules=</varname>, <varname>ProtectKernelLogs=</varname>, - <varname>MemoryDenyWriteExecute=</varname>, <varname>RestrictRealtime=</varname>, - <varname>RestrictSUIDSGID=</varname>, <varname>DynamicUser=</varname> or <varname>LockPersonality=</varname> - are specified. Note that even if this setting is overridden by them, <command>systemctl show</command> shows the - original value of this setting. Also see <ulink - url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges + <varname>ProtectClock=</varname>, <varname>MemoryDenyWriteExecute=</varname>, + <varname>RestrictRealtime=</varname>, <varname>RestrictSUIDSGID=</varname>, <varname>DynamicUser=</varname> + or <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by them, + <command>systemctl show</command> shows the original value of this setting. + Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges Flag</ulink>.</para></listitem> </varlistentry> 
@@ -1297,6 +1297,21 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> </varlistentry> <varlistentry> + <term><varname>ProtectClock=</varname></term> + + <listitem><para>Takes a boolean argument. If set, writes to the hardware clock or system clock will be denied. + It is recommended to turn this on for most services that do not need modify the clock. Defaults to off. Enabling + this option removes <constant>CAP_SYS_TIME</constant> and <constant>CAP_WAKE_ALARM</constant> from the + capability bounding set for this unit, installs a system call filter to block calls that can set the + clock, and <varname>DeviceAllow=char-rtc r</varname> is implied. This ensures <filename>/dev/rtc0</filename>, + <filename>/dev/rtc1</filename>, etc are made read only to the service. See + <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for the details about <varname>DeviceAllow=</varname>.</para> + + <xi:include href="system-only.xml" xpointer="singular"/></listitem> + </varlistentry> + + <varlistentry> <term><varname>ProtectKernelTunables=</varname></term> <listitem><para>Takes a boolean argument. If true, kernel variables accessible through @@ -1807,7 +1822,7 @@ SystemCallErrorNumber=EPERM</programlisting> mappings. Specifically these are the options <varname>PrivateTmp=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, <varname>ProtectHome=</varname>, <varname>ProtectKernelTunables=</varname>, <varname>ProtectControlGroups=</varname>, - <varname>ProtectKernelLogs=</varname>, <varname>ReadOnlyPaths=</varname>, + <varname>ProtectKernelLogs=</varname>, <varname>ProtectClock=</varname>, <varname>ReadOnlyPaths=</varname>, <varname>InaccessiblePaths=</varname> and <varname>ReadWritePaths=</varname>.</para></listitem> </varlistentry> |
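Review bot: the TRANSIENT-SETTINGS.md hunk marks ProtectClock= as available for transient units, but the diffstat shows only documentation and man page changes, so the bus property and transient-unit parsing must already have landed elsewhere; please confirm that before merging, since a ✓ that systemd-run cannot honour is worse than a missing one. Placing the entry between ProtectHome= and MountFlags= is fine, but the man page puts the new setting next to ProtectKernelTunables=; keeping both lists in the same order makes the next audit of this table easier.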
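Review bot: in the hunk at line 405, the content change is only the addition of ProtectClock= to the list of settings that imply NoNewPrivileges=, but the surrounding lines are rewrapped as well (the "Also see <ulink" sentence moves to a single line), which turns a one-term change into a five-line diff. Keeping the existing wrapping and inserting "<varname>ProtectClock=</varname>," at the start of the MemoryDenyWriteExecute= line would leave the reviewable change minimal. The addition itself is consistent with the new entry's behaviour (capability drop plus a system call filter).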
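Review bot: the new ProtectClock= entry in the hunk at line 1297 has a grammar slip, "do not need modify the clock" should read "do not need to modify the clock", and "etc are made read only" should be "etc. are made read-only". On substance, the paragraph does not say that enabling this option also implies NoNewPrivileges=, even though the hunk at line 405 adds ProtectClock= to that list; since that is a side effect administrators will notice (setuid helpers stop working), a short cross-reference such as "This option implies NoNewPrivileges=, see above." would help. It would also help to name the system call filter group the option installs so it can be reconciled with an explicit SystemCallFilter= in the same unit; if the implementation uses the existing @clock group, say so here.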
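Review bot: the hunk at line 1807 adds ProtectClock= to the list of options that are implemented via file system mappings, but the new entry at line 1297 describes only a capability bounding set change, a system call filter and an implied DeviceAllow=char-rtc r, none of which require a mount namespace. Either the entry is missing a namespacing component (for example presenting /dev/rtc* read-only through a bind mount), in which case that behaviour should be documented at line 1297, or ProtectClock= does not belong in this list and the line should be dropped; as written the two paragraphs disagree about how the protection is enforced.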