man: systemd.exec: cleanup "only X will be permitted" ... "but X=X+1"

> Only system calls of the *specified* architectures will be permitted to
> processes of this unit.

(my emphasis)

> Note that setting this option to a non-empty list implies that
> native is included too.

Attempting to use "implies" in the later sentence, in a way that
contradicts the very clear meaning of the earlier sentence... it's too
much.
Alan Jenkins 2018-01-31 15:39:13 +00:00
parent 46659f7deb
commit 62a0680bf2


@ -1429,15 +1429,15 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
filter. The known architecture identifiers are the same as for <varname>ConditionArchitecture=</varname>
described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
as well as <constant>x32</constant>, <constant>mips64-n32</constant>, <constant>mips64-le-n32</constant>, and
the special identifier <constant>native</constant>. Only system calls of the specified architectures will be
permitted to processes of this unit. This is an effective way to disable compatibility with non-native
architectures for processes, for example to prohibit execution of 32-bit x86 binaries on 64-bit x86-64
systems. The special <constant>native</constant> identifier implicitly maps to the native architecture of the
system (or more strictly: to the architecture the system manager is compiled for). If running in user mode, or
in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
<varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. Note that setting this
option to a non-empty list implies that <constant>native</constant> is included too. By default, this option is
set to the empty list, i.e. no system call architecture filtering is applied.</para>
the special identifier <constant>native</constant>. If this setting is used, processes of this unit will only
be permitted to call native system calls, and system calls of the specified architectures. This is an
effective way to disable compatibility with non-native architectures for processes, for example to prohibit
execution of 32-bit x86 binaries on 64-bit x86-64 systems. The special <constant>native</constant> identifier
implicitly maps to the native architecture of the system (or more precisely: to the architecture the system
manager is compiled for). If running in user mode, or in system mode, but without the
<constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=nobody</varname>),
<varname>NoNewPrivileges=yes</varname> is implied. By default, this option is set to the empty list, i.e. no
system call architecture filtering is applied.</para>
<para>Note that system call filtering is not equally effective on all architectures. For example, on x86
filtering of network socket-related calls is not possible, due to ABI limitations — a limitation that x86-64
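Review bot: the new opening sentence ("If this setting is used, processes of this unit will only be permitted to call native system calls, and system calls of the specified architectures.") is the right way to remove the contradiction the commit message quotes, because it states up front that native calls are always allowed rather than appending it as an "implies" afterthought; the comma before "and" makes native calls read like a separate condition, so consider "will only be permitted to call system calls of the native architecture and of the specified architectures". Since the removed sentence ("Note that setting this option to a non-empty list implies that native is included too.") was also the only place telling readers that listing native explicitly is harmless, and the identifier is still listed among the known ones at the top of the hunk, a short clause such as "(listing native explicitly is therefore redundant)" would keep that information for people with existing unit files. The trailing context about filtering being less effective on x86 is unaffected by the change.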