log: introduce a macro to format message id

[elogind.git] / man / systemd.exec.xml

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 8d3b3da22e4ad5aa746cf4b59d42b82f5ff9f634..7ab9b5c1ed6824c07d6a71158af87c45ad7ac33b 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -44,7 +44,7 @@
 
         <refnamediv>
                 <refname>systemd.exec</refname>
 
         <refnamediv>
                 <refname>systemd.exec</refname>

-                <refpurpose>systemd execution environment configuration</refpurpose>
+                <refpurpose>Execution environment configuration</refpurpose>

         </refnamediv>
 
         <refsynopsisdiv>
         </refnamediv>
 
         <refsynopsisdiv>


@@ -89,8 +89,12 @@
 
                                 <listitem><para>Takes an absolute
                                 directory path. Sets the working
 
                                 <listitem><para>Takes an absolute
                                 directory path. Sets the working

-                                directory for executed
-                                processes.</para></listitem>
+                                directory for executed processes. If
+                                not set defaults to the root directory
+                                when systemd is running as a system
+                                instance and the respective user's
+                                home directory if run as
+                                user.</para></listitem>

                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>


@@ -467,7 +471,7 @@
                         </varlistentry>
                         <varlistentry>
                                 <term><varname>TTYVTDisallocate=</varname></term>
                         </varlistentry>
                         <varlistentry>
                                 <term><varname>TTYVTDisallocate=</varname></term>

-                                <listitem><para>If the the terminal
+                                <listitem><para>If the terminal

                                 device specified with
                                 <varname>TTYPath=</varname> is a
                                 virtual console terminal try to
                                 device specified with
                                 <varname>TTYPath=</varname> is a
                                 virtual console terminal try to


@@ -802,7 +806,7 @@
 
                                 <listitem><para>Set a specific control
                                 group attribute for executed
 
                                 <listitem><para>Set a specific control
                                 group attribute for executed

-                                processes, and (if needed) add the the
+                                processes, and (if needed) add the

                                 executed processes to a cgroup in the
                                 hierarchy of the controller the
                                 attribute belongs to. Takes two
                                 executed processes to a cgroup in the
                                 hierarchy of the controller the
                                 attribute belongs to. Takes two


@@ -931,18 +935,18 @@
                                 <term><varname>BlockIOWriteBandwidth=</varname></term>
 
                                 <listitem><para>Set the per-device
                                 <term><varname>BlockIOWriteBandwidth=</varname></term>
 
                                 <listitem><para>Set the per-device

-                                overall block IO bandwith limit for
+                                overall block IO bandwidth limit for

                                 the executed processes. Takes a space
                                 separated pair of a file path and a
                                 the executed processes. Takes a space
                                 separated pair of a file path and a

-                                bandwith value (in bytes per second)
+                                bandwidth value (in bytes per second)

                                 to specify the device specific
                                 bandwidth. The file path may be
                                 specified as path to a block device
                                 node or as any other file in which
                                 case the backing block device of the
                                 file system of the file is determined.
                                 to specify the device specific
                                 bandwidth. The file path may be
                                 specified as path to a block device
                                 node or as any other file in which
                                 case the backing block device of the
                                 file system of the file is determined.

-                                If the bandwith is suffixed with K, M,
-                                G, or T the specified bandwith is
+                                If the bandwidth is suffixed with K, M,
+                                G, or T the specified bandwidth is

                                 parsed as Kilobytes, Megabytes,
                                 Gigabytes, resp. Terabytes (Example:
                                 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
                                 parsed as Kilobytes, Megabytes,
                                 Gigabytes, resp. Terabytes (Example:
                                 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0


@@ -951,7 +955,7 @@
                                 and
                                 <literal>blkio.write_bps_device</literal>
                                 control group attributes. Use this
                                 and
                                 <literal>blkio.write_bps_device</literal>
                                 control group attributes. Use this

-                                option multiple times to set bandwith
+                                option multiple times to set bandwidth

                                 limits for multiple devices. For
                                 details about these control group
                                 attributes see <ulink
                                 limits for multiple devices. For
                                 details about these control group
                                 attributes see <ulink


@@ -1039,26 +1043,19 @@
                                 <option>shared</option>,
                                 <option>slave</option> or
                                 <option>private</option>, which
                                 <option>shared</option>,
                                 <option>slave</option> or
                                 <option>private</option>, which

-                                control whether namespaces set up with
-                                <varname>ReadWriteDirectories=</varname>,
-                                <varname>ReadOnlyDirectories=</varname>
-                                and
-                                <varname>InaccessibleDirectories=</varname>
-                                receive or propagate new mounts
-                                from/to the main namespace. See
+                                control whether the file system
+                                namespace set up for this unit's
+                                processes will receive or propagate
+                                new mounts. See

                                 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                                 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>

-                                for details. Defaults to
-                                <option>shared</option>, i.e. the new
-                                namespace will both receive new mount
-                                points from the main namespace as well
-                                as propagate new mounts to
-                                it.</para></listitem>
+                                for details. Default to
+                                <option>shared</option>.</para></listitem>

                         </varlistentry>
 
                         <varlistentry>
                                 <term><varname>UtmpIdentifier=</varname></term>
 
                         </varlistentry>
 
                         <varlistentry>
                                 <term><varname>UtmpIdentifier=</varname></term>
 

-                                <listitem><para>Takes a a four
+                                <listitem><para>Takes a four

                                 character identifier string for an
                                 utmp/wtmp entry for this service. This
                                 should only be set for services such
                                 character identifier string for an
                                 utmp/wtmp entry for this service. This
                                 should only be set for services such


@@ -1087,6 +1084,54 @@
                                 shell pipelines.</para></listitem>
                         </varlistentry>
 
                                 shell pipelines.</para></listitem>
                         </varlistentry>
 

+                        <varlistentry>
+                                <term><varname>NoNewPrivileges=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true ensures that the
+                                service process and all its children
+                                can never gain new privileges. This
+                                option is more powerful than the respective
+                                secure bits flags (see above), as it
+                                also prohibits UID changes of any
+                                kind. This is the simplest, most
+                                effective way to ensure that a process
+                                and its children can never elevate
+                                privileges again.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>SystemCallFilter=</varname></term>
+
+                                <listitem><para>Takes a space
+                                separated list of system call
+                                names. If this setting is used all
+                                system calls executed by the unit
+                                process except for the listed ones
+                                will result in immediate process
+                                termination with the SIGSYS signal
+                                (whitelisting). If the first character
+                                of the list is <literal>~</literal>
+                                the effect is inverted: only the
+                                listed system calls will result in
+                                immediate process termination
+                                (blacklisting). If this option is used
+                                <varname>NoNewPrivileges=yes</varname>
+                                is implied. This feature makes use of
+                                the Secure Computing Mode 2 interfaces
+                                of the kernel ('seccomp filtering')
+                                and is useful for enforcing a minimal
+                                sandboxing environment. Note that the
+                                <function>execve</function>,
+                                <function>rt_sigreturn</function>,
+                                <function>sigreturn</function>,
+                                <function>exit_group</function>,
+                                <function>exit</function> system calls
+                                are implicitly whitelisted and don't
+                                need to be listed
+                                explicitly.</para></listitem>
+                        </varlistentry>
+

                 </variablelist>
         </refsect1>
 
                 </variablelist>
         </refsect1>
 


@@ -1100,7 +1145,8 @@
                           <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,

-                          <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                          <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>

                   </para>
         </refsect1>
 
                   </para>
         </refsect1>