chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
core: rework syscall filter
[elogind.git] / man / systemd.exec.xml
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 0c6ca5acfb347212eef790704ab64202f249ec17..86ad7e223dd5a5c9da0008a0e81c673337ae1170 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1001,7 +1001,7 @@
                                 list of system call
                                 names. If this setting is used, all
                                 system calls executed by the unit
                                 list of system call
                                 names. If this setting is used, all
                                 system calls executed by the unit
-                                process except for the listed ones
+                                processes except for the listed ones
                                 will result in immediate process
                                 termination with the
                                 <constant>SIGSYS</constant> signal
                                 will result in immediate process
                                 termination with the
                                 <constant>SIGSYS</constant> signal
@@ -1031,23 +1031,47 @@
                                 prior assignments will have no
                                 effect.</para>
 
                                 prior assignments will have no
                                 effect.</para>
 
-                                <para>If you specify both types of this option
-                                (i.e. whitelisting and blacklisting) the first
-                                encountered will take precedence and will
-                                dictate the default action (termination
-                                or approval of a system call). Then the
-                                next occurrences of this option will add or
-                                delete the listed system calls from the set
-                                of the filtered system calls, depending of
-                                its type and the default action (e.g. You
-                                have started with a whitelisting of <function>
-                                read</function> and <function>write</function>
-                                and right after it add a blacklisting of
-                                <function>write</function>, then <function>
-                                write</function> will be removed from the set)
+                                <para>If you specify both types of
+                                this option (i.e. whitelisting and
+                                blacklisting) the first encountered
+                                will take precedence and will dictate
+                                the default action (termination or
+                                approval of a system call). Then the
+                                next occurrences of this option will
+                                add or delete the listed system calls
+                                from the set of the filtered system
+                                calls, depending of its type and the
+                                default action (e.g. You have started
+                                with a whitelisting of
+                                <function>read</function> and
+                                <function>write</function> and right
+                                after it add a blacklisting of
+                                <function>write</function>, then
+                                <function>write</function> will be
+                                removed from the set).
                                 </para></listitem>
                         </varlistentry>
 
                                 </para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>SystemCallErrorNumber=</varname></term>
+
+                                <listitem><para>Takes an
+                                <literal>errno</literal> error number
+                                name to return when the system call
+                                filter configured with
+                                <varname>SystemCallFilter=</varname>
+                                is triggered, instead of terminating
+                                the process immediately. Takes an
+                                error name such as
+                                <literal>EPERM</literal>,
+                                <literal>EACCES</literal> or
+                                <literal>EUCLEAN</literal>. When this
+                                setting is not used, or when the empty
+                                string is assigned the process will be
+                                terminated immediately when the filter
+                                is triggered.</para></listitem>
+                        </varlistentry>
+
                 </variablelist>
         </refsect1>
 
                 </variablelist>
         </refsect1>
 
Unnamed repository; edit this file 'description' to name the repository.