man: ship systemd-udevd as the real manpage

[elogind.git] / man / systemd.exec.xml
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml

index c7da8e312e674e2c46211a350a7026aa6a294267..e1193d2d55c64288cf106209bb430218035e984b 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -9,16 +9,16 @@
    Copyright 2010 Lennart Poettering
  
    systemd is free software; you can redistribute it and/or modify it
    Copyright 2010 Lennart Poettering
  
    systemd is free software; you can redistribute it and/or modify it
-  under the terms of the GNU General Public License as published by
-  the Free Software Foundation; either version 2 of the License, or
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
    (at your option) any later version.
  
    systemd is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
    (at your option) any later version.
  
    systemd is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  General Public License for more details.
+  Lesser General Public License for more details.
  
  
-  You should have received a copy of the GNU General Public License
+  You should have received a copy of the GNU Lesser General Public License
    along with systemd; If not, see <http://www.gnu.org/licenses/>.
  -->
  
    along with systemd; If not, see <http://www.gnu.org/licenses/>.
  -->
  
@@ -44,7 +44,7 @@
  
          <refnamediv>
                  <refname>systemd.exec</refname>
  
          <refnamediv>
                  <refname>systemd.exec</refname>
-                <refpurpose>systemd execution environment configuration</refpurpose>
+                <refpurpose>Execution environment configuration</refpurpose>
          </refnamediv>
  
          <refsynopsisdiv>
          </refnamediv>
  
          <refsynopsisdiv>
@@ -89,8 +89,12 @@
  
                                  <listitem><para>Takes an absolute
                                  directory path. Sets the working
  
                                  <listitem><para>Takes an absolute
                                  directory path. Sets the working
-                                directory for executed
-                                processes.</para></listitem>
+                                directory for executed processes. If
+                                not set defaults to the root directory
+                                when systemd is running as a system
+                                instance and the respective user's
+                                home directory if run as
+                                user.</para></listitem>
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
@@ -279,6 +283,11 @@
                                  assignments. Empty lines and lines
                                  starting with ; or # will be ignored,
                                  which may be used for commenting. The
                                  assignments. Empty lines and lines
                                  starting with ; or # will be ignored,
                                  which may be used for commenting. The
+                                parser strips leading and
+                                trailing whitespace from the values
+                                of assignments, unless you use
+                                double quotes (").
+                                The
                                  argument passed should be an absolute
                                  file name, optionally prefixed with
                                  "-", which indicates that if the file
                                  argument passed should be an absolute
                                  file name, optionally prefixed with
                                  "-", which indicates that if the file
@@ -361,8 +370,10 @@
                                  <option>tty</option>,
                                  <option>syslog</option>,
                                  <option>kmsg</option>,
                                  <option>tty</option>,
                                  <option>syslog</option>,
                                  <option>kmsg</option>,
+                                <option>journal</option>,
+                                <option>syslog+console</option>,
                                  <option>kmsg+console</option>,
                                  <option>kmsg+console</option>,
-                                <option>syslog+console</option> or
+                                <option>journal+console</option> or
                                  <option>socket</option>. If set to
                                  <option>inherit</option> the file
                                  descriptor of standard input is
                                  <option>socket</option>. If set to
                                  <option>inherit</option> the file
                                  descriptor of standard input is
@@ -387,8 +398,17 @@
                                  service. <option>kmsg</option>
                                  connects it with the kernel log buffer
                                  which is accessible via
                                  service. <option>kmsg</option>
                                  connects it with the kernel log buffer
                                  which is accessible via
-                                <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>syslog+console</option>
-                                and <option>kmsg+console</option> work
+                                <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
+                                connects it with the journal which is
+                                accessible via
+                                <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+                                (Note that everything that is written
+                                to syslog or kmsg is implicitly stored
+                                in the journal as well, those options
+                                are hence supersets of this
+                                one). <option>syslog+console</option>,
+                                <option>journal+console</option> and
+                                <option>kmsg+console</option> work
                                  similarly but copy the output to the
                                  system console as
                                  well. <option>socket</option> connects
                                  similarly but copy the output to the
                                  system console as
                                  well. <option>socket</option> connects
@@ -396,8 +416,13 @@
                                  socket activation, semantics are
                                  similar to the respective option of
                                  <varname>StandardInput=</varname>.
                                  socket activation, semantics are
                                  similar to the respective option of
                                  <varname>StandardInput=</varname>.
-                                This setting defaults to
-                                <option>inherit</option>.</para></listitem>
+                                This setting defaults to the value set
+                                with
+                                <option>DefaultStandardOutput=</option>
+                                in
+                                <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                                which defaults to
+                                <option>journal</option>.</para></listitem>
                          </varlistentry>
                          <varlistentry>
                                  <term><varname>StandardError=</varname></term>
                          </varlistentry>
                          <varlistentry>
                                  <term><varname>StandardError=</varname></term>
@@ -411,7 +436,11 @@
                                  <option>inherit</option> the file
                                  descriptor used for standard output is
                                  duplicated for standard error. This
                                  <option>inherit</option> the file
                                  descriptor used for standard output is
                                  duplicated for standard error. This
-                                setting defaults to
+                                setting defaults to the value set with
+                                <option>DefaultStandardError=</option>
+                                in
+                                <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                                which defaults to
                                  <option>inherit</option>.</para></listitem>
                          </varlistentry>
                          <varlistentry>
                                  <option>inherit</option>.</para></listitem>
                          </varlistentry>
                          <varlistentry>
@@ -526,7 +555,7 @@
                                  prefixes may be disabled with
                                  <varname>SyslogLevelPrefix=</varname>,
                                  see below. For details see
                                  prefixes may be disabled with
                                  <varname>SyslogLevelPrefix=</varname>,
                                  see below. For details see
-                                <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+                                <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
  
                                  Defaults to
                                  <option>info</option>.</para></listitem>
  
                                  Defaults to
                                  <option>info</option>.</para></listitem>
@@ -548,7 +577,7 @@
                                  these prefixes is disabled and the
                                  logged lines are passed on as-is. For
                                  details about this prefixing see
                                  these prefixes is disabled and the
                                  logged lines are passed on as-is. For
                                  details about this prefixing see
-                                <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+                                <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
                                  Defaults to true.</para></listitem>
                          </varlistentry>
  
                                  Defaults to true.</para></listitem>
                          </varlistentry>
  
@@ -556,16 +585,17 @@
                                  <term><varname>TimerSlackNSec=</varname></term>
                                  <listitem><para>Sets the timer slack
                                  in nanoseconds for the executed
                                  <term><varname>TimerSlackNSec=</varname></term>
                                  <listitem><para>Sets the timer slack
                                  in nanoseconds for the executed
-                                processes. The timer slack controls the
-                                accuracy of wake-ups triggered by
+                                processes. The timer slack controls
+                                the accuracy of wake-ups triggered by
                                  timers. See
                                  <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
                                  for more information. Note that in
                                  contrast to most other time span
                                  definitions this parameter takes an
                                  timers. See
                                  <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
                                  for more information. Note that in
                                  contrast to most other time span
                                  definitions this parameter takes an
-                                integer value in nano-seconds and does
-                                not understand any other
-                                units.</para></listitem>
+                                integer value in nano-seconds if no
+                                unit is specified. The usual time
+                                units are understood
+                                too.</para></listitem>
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
@@ -620,14 +650,19 @@
                                  conjunction with socket-activated
                                  services, and stream sockets (TCP) in
                                  particular. It has no effect on other
                                  conjunction with socket-activated
                                  services, and stream sockets (TCP) in
                                  particular. It has no effect on other
-                                socket types (e.g. datagram/UDP) and on processes
-                                unrelated to socket-based
+                                socket types (e.g. datagram/UDP) and
+                                on processes unrelated to socket-based
                                  activation. If the tcpwrap
                                  verification fails daemon start-up
                                  will fail and the connection is
                                  terminated. See
                                  <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                                  activation. If the tcpwrap
                                  verification fails daemon start-up
                                  will fail and the connection is
                                  terminated. See
                                  <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-                                for details.</para></listitem>
+                                for details. Note that this option may
+                                be used to do access control checks
+                                only. Shell commands and commands
+                                described in
+                                <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                are not supported.</para></listitem>
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
@@ -648,17 +683,17 @@
                                  is prefixed with ~ all but the listed
                                  capabilities will be included, the
                                  effect of the assignment
                                  is prefixed with ~ all but the listed
                                  capabilities will be included, the
                                  effect of the assignment
-                                inverted. Note that this option does
-                                not actually set or unset any
-                                capabilities in the effective,
-                                permitted or inherited capability
-                                sets. That's what
-                                <varname>Capabilities=</varname> is
-                                for. If this option is not used the
+                                inverted. Note that this option also
+                                effects the respective capabilities in
+                                the effective, permitted and
+                                inheritable capability sets, on top of
+                                what <varname>Capabilities=</varname>
+                                does. If this option is not used the
                                  capability bounding set is not
                                  modified on process execution, hence
                                  no limits on the capabilities of the
                                  capability bounding set is not
                                  modified on process execution, hence
                                  no limits on the capabilities of the
-                                process are enforced.</para></listitem>
+                                process are
+                                enforced.</para></listitem>
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
@@ -751,6 +786,21 @@
                                  the group.</para></listitem>
                          </varlistentry>
  
                                  the group.</para></listitem>
                          </varlistentry>
  
+                        <varlistentry>
+                                <term><varname>ControlGroupPersistent=</varname></term>
+                                <listitem><para>Takes a boolean
+                                argument. If true, the control groups
+                                created for this unit will be marked
+                                to be persistent, i.e. systemd will
+                                not remove them when stopping the
+                                unit. The default is false, meaning
+                                that the control groups will be
+                                removed when the unit is stopped. For
+                                details about the semantics of this
+                                logic see <ulink
+                                url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups">PaxControlGroups</ulink>.</para></listitem>
+                        </varlistentry>
+
                          <varlistentry>
                                  <term><varname>ControlGroupAttribute=</varname></term>
  
                          <varlistentry>
                                  <term><varname>ControlGroupAttribute=</varname></term>
  
@@ -885,18 +935,18 @@
                                  <term><varname>BlockIOWriteBandwidth=</varname></term>
  
                                  <listitem><para>Set the per-device
                                  <term><varname>BlockIOWriteBandwidth=</varname></term>
  
                                  <listitem><para>Set the per-device
-                                overall block IO bandwith limit for
+                                overall block IO bandwidth limit for
                                  the executed processes. Takes a space
                                  separated pair of a file path and a
                                  the executed processes. Takes a space
                                  separated pair of a file path and a
-                                bandwith value (in bytes per second)
+                                bandwidth value (in bytes per second)
                                  to specify the device specific
                                  bandwidth. The file path may be
                                  specified as path to a block device
                                  node or as any other file in which
                                  case the backing block device of the
                                  file system of the file is determined.
                                  to specify the device specific
                                  bandwidth. The file path may be
                                  specified as path to a block device
                                  node or as any other file in which
                                  case the backing block device of the
                                  file system of the file is determined.
-                                If the bandwith is suffixed with K, M,
-                                G, or T the specified bandwith is
+                                If the bandwidth is suffixed with K, M,
+                                G, or T the specified bandwidth is
                                  parsed as Kilobytes, Megabytes,
                                  Gigabytes, resp. Terabytes (Example:
                                  "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
                                  parsed as Kilobytes, Megabytes,
                                  Gigabytes, resp. Terabytes (Example:
                                  "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
@@ -905,7 +955,7 @@
                                  and
                                  <literal>blkio.write_bps_device</literal>
                                  control group attributes. Use this
                                  and
                                  <literal>blkio.write_bps_device</literal>
                                  control group attributes. Use this
-                                option multiple times to set bandwith
+                                option multiple times to set bandwidth
                                  limits for multiple devices. For
                                  details about these control group
                                  attributes see <ulink
                                  limits for multiple devices. For
                                  details about these control group
                                  attributes see <ulink
@@ -1030,6 +1080,65 @@
                                  this service.</para></listitem>
                          </varlistentry>
  
                                  this service.</para></listitem>
                          </varlistentry>
  
+                        <varlistentry>
+                                <term><varname>IgnoreSIGPIPE=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true causes SIGPIPE to be
+                                ignored in the executed
+                                process. Defaults to true, since
+                                SIGPIPE generally is useful only in
+                                shell pipelines.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>NoNewPrivileges=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true ensures that the
+                                service process and all its children
+                                can never gain new privileges. This
+                                option is more powerful than the respective
+                                secure bits flags (see above), as it
+                                also prohibits UID changes of any
+                                kind. This is the simplest, most
+                                effective way to ensure that a process
+                                and its children can never elevate
+                                privileges again.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>SystemCallFilter=</varname></term>
+
+                                <listitem><para>Takes a space
+                                separated list of system call
+                                names. If this setting is used all
+                                system calls executed by the unit
+                                process except for the listed ones
+                                will result in immediate process
+                                termination with the SIGSYS signal
+                                (whitelisting). If the first character
+                                of the list is <literal>~</literal>
+                                the effect is inverted: only the
+                                listed system calls will result in
+                                immediate process termination
+                                (blacklisting). If this option is used
+                                <varname>NoNewPrivileges=yes</varname>
+                                is implied. This feature makes use of
+                                the Secure Computing Mode 2 interfaces
+                                of the kernel ('seccomp filtering')
+                                and is useful for enforcing a minimal
+                                sandboxing environment. Note that the
+                                <function>execve</function>,
+                                <function>rt_sigreturn</function>,
+                                <function>sigreturn</function>,
+                                <function>exit_group</function>,
+                                <function>exit</function> system calls
+                                are implicitly whitelisted and don't
+                                need to be listed
+                                explicitly.</para></listitem>
+                        </varlistentry>
+
                  </variablelist>
          </refsect1>
  
                  </variablelist>
          </refsect1>
  
@@ -1038,11 +1147,13 @@
                    <para>
                            <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                    <para>
                            <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                            <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-                          <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                          <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
                    </para>
          </refsect1>
  
                    </para>
          </refsect1>