From 734c3a184c3b196412e15e4db1b7419f13b901b4 Mon Sep 17 00:00:00 2001
From: Ismo Puustinen <ismo.puustinen@intel.com>
Date: Mon, 11 Jan 2016 09:36:14 +0200
Subject: [PATCH] man: add AmbientCapabilities entry.
Cherry-picked from: ece8797
Resolves: #1387398
---
man/systemd.exec.xml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index aa5831c..1b14ced 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -767,6 +767,35 @@
</varlistentry>
<varlistentry>
+ <term><varname>AmbientCapabilities=</varname></term>
+
+ <listitem><para>Controls which capabilities to include in the
+ ambient capability set for the executed process. Takes a
+ whitespace-separated list of capability names as read by
+ <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ e.g. <constant>CAP_SYS_ADMIN</constant>,
+ <constant>CAP_DAC_OVERRIDE</constant>,
+ <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
+ once in which case the ambient capability sets are merged.
+ If the list of capabilities is prefixed with <literal>~</literal>, all
+ but the listed capabilities will be included, the effect of the
+ assignment inverted. If the empty string is
+ assigned to this option, the ambient capability set is reset to
+ the empty capability set, and all prior settings have no effect.
+ If set to <literal>~</literal> (without any further argument), the
+ ambient capability set is reset to the full set of available
+ capabilities, also undoing any previous settings. Note that adding
+ capabilities to ambient capability set adds them to the process's
+ inherited capability set.
+ </para><para>
+ Ambient capability sets are useful if you want to execute a process
+ as a non-privileged user but still want to give it some capabilities.
+ Note that in this case option <constant>keep-caps</constant> is
+ automatically added to <varname>SecureBits=</varname> to retain the
+ capabilities over the user change.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>SecureBits=</varname></term>
<listitem><para>Controls the secure bits set for the executed
process. Takes a space-separated combination of options from