X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=c08feba27e2fa13be636ce9718e46f1e134aa118;hb=73e231abde39f22097df50542c745e01de879836;hp=86ad7e223dd5a5c9da0008a0e81c673337ae1170;hpb=17df7223be064b1542dbe868e3b35cca977ee639;p=elogind.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 86ad7e223..c08feba27 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -472,9 +472,9 @@
StandardError=
Controls where file
- descriptor 2 (STDERR) of the executed
- processes is connected to. The
- available options are identical to
+ descriptor 2 (standard error) of the
+ executed processes is connected to.
+ The available options are identical to
those of
StandardOutput=,
with one exception: if set to
@@ -491,8 +491,8 @@
TTYPath=
Sets the terminal
- device node to use if standard input,
- output or stderr are connected to a
+ device node to use if standard input, output,
+ or error are connected to a
TTY (see above). Defaults to
/dev/console.
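Review bot: style point on the reworded TTYPath= sentence: with "or" joining the subjects, the verb should agree with the nearest one, so "standard input, output, or error is connected to a TTY" reads better than "are connected". If the plural is intended, "and" would need to replace "or", which changes the meaning, so the singular verb is the safer fix.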
@@ -1033,7 +1033,7 @@
If you specify both types of
this option (i.e. whitelisting and
- blacklisting) the first encountered
+ blacklisting), the first encountered
will take precedence and will dictate
the default action (termination or
approval of a system call). Then the
@@ -1044,12 +1044,20 @@
default action (e.g. You have started
with a whitelisting of
read and
- write and right
+ write, and right
after it add a blacklisting of
write, then
write will be
removed from the set).
+
+ Note that setting
+ SystemCallFilter=
+ implies a
+ SystemCallArchitectures=
+ setting of native
+ (see below), unless that option is
+ configured otherwise.
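Review bot: the added note at the end of this hunk says SystemCallFilter= implies SystemCallArchitectures= native "unless that option is configured otherwise", but it does not say what a unit must write to opt out. The SystemCallArchitectures= text in the next hunk documents the empty list as the default, meaning no architecture filtering, so a reader cannot tell whether an explicit empty assignment counts as "configured otherwise" or is treated the same as leaving the option unset. Suggest naming the exact assignment that keeps non-native binaries working, and stating plainly that adding a system call filter now also restricts the unit to native-architecture system calls as a side effect. While this paragraph is being touched, "e.g. You have started" in the context line at the top of the hunk could be lowercased.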
@@ -1067,11 +1075,53 @@
EACCES or
EUCLEAN. When this
setting is not used, or when the empty
- string is assigned the process will be
+ string is assigned, the process will be
terminated immediately when the filter
is triggered.
+
+ SystemCallArchitectures=
+
+ Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ x86,
+ x86-64,
+ x32,
+ arm as well as the
+ special identifier
+ native. Only system
+ calls of the specified architectures
+ will be permitted to processes of this
+ unit. This is an effective way to
+ disable compatibility with non-native
+ architectures for processes, for
+ example to prohibit execution of 32-bit
+ x86 binaries on 64-bit x86-64
+ systems. The special
+ native identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). Note
+ that setting this option to a
+ non-empty list implies that
+ native is included
+ too. By default, this option is set to
+ the empty list, i.e. no architecture
+ system call filtering is applied. Note
+ that configuring a system call filter
+ with
+ SystemCallFilter=
+ (above) implies a
+ native architecture
+ list, unless configured
+ otherwise.
+
+
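Review bot: the new SystemCallArchitectures= entry says only that system calls of the listed architectures "will be permitted" and never states what happens to a call made through an unlisted architecture. The context lines at the top of this hunk describe an error number setting and immediate termination "when the filter is triggered"; the entry should say whether the same behaviour applies here or whether the process is always terminated. Two smaller points: "space separated list" should be hyphenated as "space-separated list", and the identifier list "x86, x86-64, x32, arm as well as the special identifier native" wants a comma before "as well as". The closing sentence repeats the implication already added under SystemCallFilter= in the previous hunk; keeping both is fine, but they should use the same wording so the two descriptions cannot drift apart.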