X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=c419424d9d6d0603587dc71b8b8e31baabe8bbeb;hb=2424a4755d38f360cfce2ff192776ff91f739c2d;hp=36643034913c91169fcce52b5b29a416ef42dfa3;hpb=417116f23432073162ebfcb286a7800846482eed;p=elogind.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 366430349..c419424d9 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -777,8 +777,8 @@
ReadOnlyDirectories=
InaccessibleDirectories=
- Sets up a new
- file system namespace for executed
+ Sets up a new file
+ system namespace for executed
processes. These options may be used
to limit access a process might have
to the main file system
@@ -799,16 +799,14 @@
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
- of a directory. You must list
- submounts separately in these settings
- to ensure the same limited
- access. These options may be specified
+ of a directory that are created later
+ on. These options may be specified
more than once in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
- option, the specific list is reset, and
- all prior assignments have no
+ option, the specific list is reset,
+ and all prior assignments have no
effect.
Paths in
ReadOnlyDirectories=
@@ -935,16 +933,20 @@
- ReadOnlySystem=
+ ProtectSystem=
Takes a boolean
- argument. If true, mounts the
- /usr and
- /boot directories
- read-only for processes invoked by
- this unit. This setting ensures that
- any modification of the vendor
- supplied operating system is
+ argument or
+ full. If true,
+ mounts the /usr
+ directory read-only for processes
+ invoked by this unit. If set to
+ full the
+ /etc is mounted
+ read-only, too. This setting ensures
+ that any modification of the vendor
+ supplied operating system (and
+ optionally its configuration) is
prohibited for the service. It is
recommended to enable this setting for
all long-running services, unless they
@@ -962,7 +964,7 @@
- ProtectedHome=
+ ProtectHome=
Takes a boolean
argument or
@@ -977,7 +979,7 @@
instead. It is recommended to enable
this setting for all long-running
services (in particular network-facing
- one), to ensure they cannot get access
+ ones), to ensure they cannot get access
to private user data, unless the
services actually require access to
the user's private data. Note however,