diff options
| author | Lennart Poettering <lennart@poettering.net> | 2014-02-18 22:14:00 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-02-18 22:14:00 +0100 |
| commit | e9642be2cce7f5e90406980092a6f71f504a16af (patch) | |
| tree | 261c0a274329240ef9c79f618f28fcb51f0a6a07 /man | |
| parent | f3d5485b805de60ee71810eeb58e82d44ce24fe1 (diff) | |
seccomp: add helper call to add all secondary archs to a seccomp filter
And make use of it where appropriate for executing services and for
nspawn.
Diffstat (limited to 'man')
| -rw-r--r-- | man/systemd.exec.xml | 22 |
1 files changed, 4 insertions, 18 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 252992bc6..e82e1f59f 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1050,14 +1050,6 @@ <function>write</function> will be removed from the set.) </para></listitem> - - <para>Note that setting - <varname>SystemCallFilter=</varname> - implies a - <varname>SystemCallArchitectures=</varname> - setting of <literal>native</literal> - (see below), unless that option is - configured otherwise.</para> </varlistentry> <varlistentry> @@ -1099,8 +1091,8 @@ unit. This is an effective way to disable compatibility with non-native architectures for processes, for - example to prohibit execution of 32-bit - x86 binaries on 64-bit x86-64 + example to prohibit execution of + 32-bit x86 binaries on 64-bit x86-64 systems. The special <literal>native</literal> identifier implicitly maps to the native @@ -1112,14 +1104,8 @@ <literal>native</literal> is included too. By default, this option is set to the empty list, i.e. no architecture - system call filtering is applied. Note - that configuring a system call filter - with - <varname>SystemCallFilter=</varname> - (above) implies a - <literal>native</literal> architecture - list, unless configured - otherwise.</para></listitem> + system call filtering is + applied.</para></listitem> </varlistentry> </variablelist> |