chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
coredump: log coredump even if core dumping fails
[elogind.git] / man / systemd.exec.xml
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 36643034913c91169fcce52b5b29a416ef42dfa3..c419424d9d6d0603587dc71b8b8e31baabe8bbeb 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -777,8 +777,8 @@
                                 <term><varname>ReadOnlyDirectories=</varname></term>
                                 <term><varname>InaccessibleDirectories=</varname></term>
 
                                 <term><varname>ReadOnlyDirectories=</varname></term>
                                 <term><varname>InaccessibleDirectories=</varname></term>
 
-                                <listitem><para>Sets up a new
-                                file system namespace for executed
+                                <listitem><para>Sets up a new file
+                                system namespace for executed
                                 processes. These options may be used
                                 to limit access a process might have
                                 to the main file system
                                 processes. These options may be used
                                 to limit access a process might have
                                 to the main file system
@@ -799,16 +799,14 @@
                                 processes inside the namespace. Note
                                 that restricting access with these
                                 options does not extend to submounts
                                 processes inside the namespace. Note
                                 that restricting access with these
                                 options does not extend to submounts
-                                of a directory. You must list
-                                submounts separately in these settings
-                                to ensure the same limited
-                                access. These options may be specified
+                                of a directory that are created later
+                                on. These options may be specified
                                 more than once in which case all
                                 directories listed will have limited
                                 access from within the namespace. If
                                 the empty string is assigned to this
                                 more than once in which case all
                                 directories listed will have limited
                                 access from within the namespace. If
                                 the empty string is assigned to this
-                                option, the specific list is reset, and
-                                all prior assignments have no
+                                option, the specific list is reset,
+                                and all prior assignments have no
                                 effect.</para>
                                 <para>Paths in
                                 <varname>ReadOnlyDirectories=</varname>
                                 effect.</para>
                                 <para>Paths in
                                 <varname>ReadOnlyDirectories=</varname>
@@ -935,16 +933,20 @@
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>ReadOnlySystem=</varname></term>
+                                <term><varname>ProtectSystem=</varname></term>
 
                                 <listitem><para>Takes a boolean
 
                                 <listitem><para>Takes a boolean
-                                argument. If true, mounts the
-                                <filename>/usr</filename> and
-                                <filename>/boot</filename> directories
-                                read-only for processes invoked by
-                                this unit. This setting ensures that
-                                any modification of the vendor
-                                supplied operating system is
+                                argument or
+                                <literal>full</literal>. If true,
+                                mounts the <filename>/usr</filename>
+                                directory read-only for processes
+                                invoked by this unit. If set to
+                                <literal>full</literal> the
+                                <filename>/etc</filename> is mounted
+                                read-only, too. This setting ensures
+                                that any modification of the vendor
+                                supplied operating system (and
+                                optionally its configuration) is
                                 prohibited for the service. It is
                                 recommended to enable this setting for
                                 all long-running services, unless they
                                 prohibited for the service. It is
                                 recommended to enable this setting for
                                 all long-running services, unless they
@@ -962,7 +964,7 @@
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>ProtectedHome=</varname></term>
+                                <term><varname>ProtectHome=</varname></term>
 
                                 <listitem><para>Takes a boolean
                                 argument or
 
                                 <listitem><para>Takes a boolean
                                 argument or
@@ -977,7 +979,7 @@
                                 instead. It is recommended to enable
                                 this setting for all long-running
                                 services (in particular network-facing
                                 instead. It is recommended to enable
                                 this setting for all long-running
                                 services (in particular network-facing
-                                one), to ensure they cannot get access
+                                ones), to ensure they cannot get access
                                 to private user data, unless the
                                 services actually require access to
                                 the user's private data. Note however,
                                 to private user data, unless the
                                 services actually require access to
                                 the user's private data. Note however,
Unnamed repository; edit this file 'description' to name the repository.