From e9642be2cce7f5e90406980092a6f71f504a16af Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 18 Feb 2014 22:14:00 +0100 Subject: seccomp: add helper call to add all secondary archs to a seccomp filter And make use of it where appropriate for executing services and for nspawn. --- man/systemd.exec.xml | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 252992bc6..e82e1f59f 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1050,14 +1050,6 @@ write will be removed from the set.) - - Note that setting - SystemCallFilter= - implies a - SystemCallArchitectures= - setting of native - (see below), unless that option is - configured otherwise. @@ -1099,8 +1091,8 @@ unit. This is an effective way to disable compatibility with non-native architectures for processes, for - example to prohibit execution of 32-bit - x86 binaries on 64-bit x86-64 + example to prohibit execution of + 32-bit x86 binaries on 64-bit x86-64 systems. The special native identifier implicitly maps to the native @@ -1112,14 +1104,8 @@ native is included too. By default, this option is set to the empty list, i.e. no architecture - system call filtering is applied. Note - that configuring a system call filter - with - SystemCallFilter= - (above) implies a - native architecture - list, unless configured - otherwise. + system call filtering is + applied. -- cgit v1.2.3
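Review bot: The first hunk (@@ -1050,14 +1050,6 @@) deletes the only sentence in the SystemCallFilter= description that said how the filter interacts with non-native architectures, and puts nothing in its place. The commit subject says all secondary archs are now added to the seccomp filter. If that is the new behaviour, the SystemCallFilter= text should say so at this spot, and should point to SystemCallArchitectures= as the option that restricts which ABIs are permitted at all. The view is limited to 'man', so the code side cannot be checked against the documentation here.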
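Review bot: The second hunk (@@ -1099,8 +1091,8 @@) only moves "32-bit" from the end of one line to the start of the next in the SystemCallArchitectures= example; the wording is unchanged. Consider dropping this re-wrap so the patch carries only the two removals that change documented behaviour, which keeps the man page history easier to audit.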
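Review bot: In the third hunk (@@ -1112,14 +1104,8 @@), the default is now documented unconditionally as the empty list, "no architecture system call filtering is applied", with the exception for SystemCallFilter= removed. Going by the old and new text, a unit that sets only SystemCallFilter= and relied on the implied native list no longer has non-native ABIs restricted, with no change to the unit file. Suggest keeping a sentence here that recommends setting SystemCallArchitectures=native explicitly alongside SystemCallFilter= when non-native binaries are not needed, and calling out the changed default wherever upgrade notes are kept.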