719
719
for details. Takes a whitespace
720
720
separated list of capability names as
722
<citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
722
<citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
723
e.g. <literal>CAP_SYS_ADMIN
725
CAP_SYS_PTRACE</literal>.
723
726
Capabilities listed will be included
724
727
in the bounding set, all others are
725
728
removed. If the list of capabilities
726
is prefixed with ~ all but the listed
727
capabilities will be included, the
728
effect of the assignment
729
inverted. Note that this option also
730
effects the respective capabilities in
731
the effective, permitted and
732
inheritable capability sets, on top of
733
what <varname>Capabilities=</varname>
729
is prefixed with <literal>~</literal>
730
all but the listed capabilities will
731
be included, the effect of the
732
assignment inverted. Note that this
733
option also affects the respective
734
capabilities in the effective,
735
permitted and inheritable capability
737
<varname>Capabilities=</varname>
734
738
does. If this option is not used the
735
739
capability bounding set is not
736
740
modified on process execution, hence
737
741
no limits on the capabilities of the
738
742
process are enforced. This option may
739
743
appear more than once in which case
740
the bounding sets are merged. If the empty
741
string is assigned to this option the
742
bounding set is reset, and all prior
744
effect.</para></listitem>
744
the bounding sets are merged. If the
745
empty string is assigned to this
746
option the bounding set is reset to
747
the empty capability set, and all
748
prior settings have no effect. If set
749
to <literal>~</literal> (without any
750
further argument) the bounding set is
751
reset to the full set of available
752
capabilities, also undoing any
753
previous settings.</para></listitem>
816
825
in specific paths in specific kernel
817
826
controller hierarchies. It is not
818
827
recommended to manipulate the service
819
control group path in the systemd
820
named hierarchy. For details about
828
control group path in the private
829
systemd named hierarchy
830
(i.e. <literal>name=systemd</literal>),
831
and doing this might result in
832
undefined behaviour. For details about
821
833
control groups see <ulink
822
834
url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para>