X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=f1bcf9b7bd645f2931fe96699db04ce833c4d947;hb=e66cf1a3f94fff48a572f6dbd19b43c9bcf7b8c7;hp=86ad7e223dd5a5c9da0008a0e81c673337ae1170;hpb=17df7223be064b1542dbe868e3b35cca977ee639;p=elogind.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 86ad7e223..f1bcf9b7b 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -248,7 +248,7 @@
Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. This option may
+ list of CPU indices. This option may
be specified more than once in which
case the specificed CPU affinity masks
are merged. If the empty string is
@@ -472,9 +472,9 @@
StandardError=
Controls where file
- descriptor 2 (STDERR) of the executed
- processes is connected to. The
- available options are identical to
+ descriptor 2 (STDERR) of the
+ executed processes is connected to.
+ The available options are identical to
those of
StandardOutput=,
with one exception: if set to
@@ -491,8 +491,8 @@
TTYPath=
Sets the terminal
- device node to use if standard input,
- output or stderr are connected to a
+ device node to use if standard input, output,
+ or error are connected to a
TTY (see above). Defaults to
/dev/console.
@@ -967,6 +967,19 @@
for details.
+
+ AppArmorProfile=
+
+ Take a profile name as argument.
+ The process executed by the unit will switch to
+ this profile when started. Profiles must already
+ be loaded in the kernel, or the unit will fail.
+ This result in a non operation if AppArmor is not
+ enabled. If prefixed by -, all errors
+ will be ignored.
+
+
+
IgnoreSIGPIPE=
@@ -997,8 +1010,8 @@
SystemCallFilter=
- Takes a space-separated
- list of system call
+ Takes a
+ space-separated list of system call
names. If this setting is used, all
system calls executed by the unit
processes except for the listed ones
@@ -1010,12 +1023,13 @@
the effect is inverted: only the
listed system calls will result in
immediate process termination
- (blacklisting). If this option is used,
+ (blacklisting). If running in user
+ mode and this option is used,
NoNewPrivileges=yes
- is implied. This feature makes use of
- the Secure Computing Mode 2 interfaces
- of the kernel ('seccomp filtering')
- and is useful for enforcing a minimal
+ is implied. This feature makes use of the
+ Secure Computing Mode 2 interfaces of
+ the kernel ('seccomp filtering') and
+ is useful for enforcing a minimal
sandboxing environment. Note that the
execve,
rt_sigreturn,
@@ -1033,7 +1047,7 @@
If you specify both types of
this option (i.e. whitelisting and
- blacklisting) the first encountered
+ blacklisting), the first encountered
will take precedence and will dictate
the default action (termination or
approval of a system call). Then the
@@ -1041,14 +1055,14 @@
add or delete the listed system calls
from the set of the filtered system
calls, depending of its type and the
- default action (e.g. You have started
+ default action. (For example, if you have started
with a whitelisting of
read and
- write and right
+ write, and right
after it add a blacklisting of
write, then
write will be
- removed from the set).
+ removed from the set.)
@@ -1063,15 +1077,164 @@
is triggered, instead of terminating
the process immediately. Takes an
error name such as
- EPERM,
- EACCES or
- EUCLEAN. When this
+ EPERM,
+ EACCES or
+ EUCLEAN. When this
setting is not used, or when the empty
- string is assigned the process will be
+ string is assigned, the process will be
terminated immediately when the filter
is triggered.
+
+ SystemCallArchitectures=
+
+ Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ x86,
+ x86-64,
+ x32,
+ arm as well as
+ the special identifier
+ native. Only
+ system calls of the specified
+ architectures will be permitted to
+ processes of this unit. This is an
+ effective way to disable compatibility
+ with non-native architectures for
+ processes, for example to prohibit
+ execution of 32-bit x86 binaries on
+ 64-bit x86-64 systems. The special
+ native identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). If
+ running in user mode and this option
+ is used,
+ NoNewPrivileges=yes
+ is implied. Note that setting this
+ option to a non-empty list implies
+ that native is
+ included too. By default, this option
+ is set to the empty list, i.e. no
+ architecture system call filtering is
+ applied.
+
+
+
+ RestrictAddressFamilies=
+
+ Restricts the set of
+ socket address families accessible to
+ the processes of this unit. Takes a
+ space-separated list of address family
+ names to whitelist, such as
+ AF_UNIX,
+ AF_INET or
+ AF_INET6. When
+ prefixed with ~
+ the listed address families will be
+ applied as blacklist, otherwise as
+ whitelist. Note that this restricts
+ access to the
+ socket2
+ system call only. Sockets passed into
+ the process by other means (for
+ example, by using socket activation
+ with socket units, see
+ systemd.socket5)
+ are unaffected. Also, sockets created
+ with socketpair()
+ (which creates connected AF_UNIX
+ sockets only) are unaffected. Note
+ that this option has no effect on
+ 32bit x86 and is ignored (but works
+ correctly on x86-64). If running in user
+ mode and this option is used,
+ NoNewPrivileges=yes
+ is implied. By default no
+ restriction applies, all address
+ families are accessible to
+ processes. If assigned the empty
+ string any previous list changes are
+ undone.
+
+ Use this option to limit
+ exposure of processes to remote
+ systems, in particular via exotic
+ network protocols. Note that in most
+ cases the local
+ AF_UNIX address
+ family should be included in the
+ configured whitelist as it is
+ frequently used for local
+ communication, including for
+ syslog2
+ logging.
+
+
+
+ Personality=
+
+ Controls which
+ kernel architecture
+ uname2
+ shall report, when invoked by unit
+ processes. Takes one of
+ x86 and
+ x86-64. This is
+ useful when running 32bit services on
+ a 64bit host system. If not specified
+ the personality is left unmodified and
+ thus reflects the personality of the
+ host system's
+ kernel.
+
+
+
+ RuntimeDirectory=
+ RuntimeDirectoryMode=
+
+ Takes a list of
+ directory names. If set one or more
+ directories by the specified names
+ will be created below
+ /run (for system
+ services) or below
+ $XDG_RUNTIME_DIR
+ (for user services) when the unit is
+ started and removed when the unit is
+ stopped. The directories will have the
+ access mode specified in
+ RuntimeDirectoryMode=,
+ and will be owned by the user and
+ group specified in
+ User= and
+ Group=. Use this to
+ manage one or more runtime directories
+ of the unit and bind their lifetime to
+ the daemon runtime. The specified
+ directory names must be relative, and
+ may not include a
+ /, i.e. must refer
+ to simple directories to create or
+ remove. This is particularly useful
+ for unpriviliges daemons that cannot
+ create runtime directories in
+ /run due to lack
+ of privileges, and to make sure the
+ runtime directory is cleaned up
+ automatically after use. For runtime
+ directories that require more complex
+ or different configuration or lifetime
+ guarantees, please consider using
+ tmpfiles.d5.
+
+
@@ -1155,6 +1318,17 @@
tty.
+
+ $MAINPID
+
+ The PID of the units
+ main process if it is known. This is
+ only set for control processes as
+ invoked by
+ ExecReload= and
+ similar.
+
+
$MANAGERPID
@@ -1218,6 +1392,7 @@
systemd.kill5,
systemd.resource-control5,
systemd.directives7,
+ tmpfiles.d5,
exec3