naccyde / rpms / systemd

Forked from rpms/systemd a year ago
Clone
803fb7
From 734c3a184c3b196412e15e4db1b7419f13b901b4 Mon Sep 17 00:00:00 2001
803fb7
From: Ismo Puustinen <ismo.puustinen@intel.com>
803fb7
Date: Mon, 11 Jan 2016 09:36:14 +0200
803fb7
Subject: [PATCH] man: add AmbientCapabilities entry.
803fb7
803fb7
Cherry-picked from: ece8797
803fb7
Resolves: #1387398
803fb7
---
803fb7
 man/systemd.exec.xml | 29 +++++++++++++++++++++++++++++
803fb7
 1 file changed, 29 insertions(+)
803fb7
803fb7
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
803fb7
index aa5831cc2..1b14ced78 100644
803fb7
--- a/man/systemd.exec.xml
803fb7
+++ b/man/systemd.exec.xml
803fb7
@@ -766,6 +766,35 @@
803fb7
         settings.</para></listitem>
803fb7
       </varlistentry>
803fb7
 
803fb7
+      <varlistentry>
803fb7
+        <term><varname>AmbientCapabilities=</varname></term>
803fb7
+
803fb7
+        <listitem><para>Controls which capabilities to include in the
803fb7
+        ambient capability set for the executed process. Takes a
803fb7
+        whitespace-separated list of capability names as read by
803fb7
+        <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
803fb7
+        e.g. <constant>CAP_SYS_ADMIN</constant>,
803fb7
+        <constant>CAP_DAC_OVERRIDE</constant>,
803fb7
+        <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
803fb7
+        once in which case the ambient capability sets are merged.
803fb7
+        If the list of capabilities is prefixed with <literal>~</literal>, all
803fb7
+        but the listed capabilities will be included, the effect of the
803fb7
+        assignment inverted. If the empty string is
803fb7
+        assigned to this option, the ambient capability set is reset to
803fb7
+        the empty capability set, and all prior settings have no effect.
803fb7
+        If set to <literal>~</literal> (without any further argument), the
803fb7
+        ambient capability set is reset to the full set of available
803fb7
+        capabilities, also undoing any previous settings. Note that adding
803fb7
+        capabilities to ambient capability set adds them to the process's
803fb7
+        inherited capability set.
803fb7
+        </para><para>
803fb7
+        Ambient capability sets are useful if you want to execute a process
803fb7
+        as a non-privileged user but still want to give it some capabilities.
803fb7
+        Note that in this case option <constant>keep-caps</constant> is
803fb7
+        automatically added to <varname>SecureBits=</varname> to retain the
803fb7
+        capabilities over the user change.</para></listitem>
803fb7
+      </varlistentry>
803fb7
+
803fb7
       <varlistentry>
803fb7
         <term><varname>SecureBits=</varname></term>
803fb7
         <listitem><para>Controls the secure bits set for the executed