X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=01356e4c459ac9b1b01874cb313331a0f6d3c53e;hp=86ad7e223dd5a5c9da0008a0e81c673337ae1170;hb=57183d117a1d6a96d71ce99d648beb0d2b36228d;hpb=351a19b17d51ba0a5737f35d3c5deb8e7975fdee
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 86ad7e223..01356e4c4 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1050,6 +1050,14 @@
write will be
removed from the set).
+
+ Note that setting
+ SystemCallFilter=
+ implies a
+ SystemCallArchitectures=
+ setting of native
+ (see below), unless that option is
+ configured otherwise.
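Review bot: "unless that option is configured otherwise" at the end of this added note is ambiguous about an explicit empty assignment. The SystemCallArchitectures= paragraph added further down describes the empty list as the default meaning "no architecture system call filtering is applied", so a reader cannot tell whether writing an empty SystemCallArchitectures= next to SystemCallFilter= turns the implied native restriction back off, or whether only a non-empty list counts as "configured otherwise". Suggest spelling out that case here. The note also gives no reason for the implication; one sentence saying why a system call filter is paired with an architecture restriction would help administrators decide whether overriding it is safe.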
@@ -1072,6 +1080,48 @@
is triggered.
+
+ SystemCallArchitectures=
+
+ Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ x86,
+ x86-64,
+ x32,
+ arm as well as the
+ special identifier
+ native. Only system
+ calls of the specified architectures
+ will be permitted to processes of this
+ unit. This is an effective way to
+ disable compatibility with non-native
+ architectures for processes, for
+ example to prohibit execution of 32bit
+ x86 binaries on 64bit x86-64
+ systems. The special
+ native identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). Note
+ that setting this option to a
+ non-empty list implies that
+ native is included
+ too. By default this option is set to
+ the empty list, i.e. no architecture
+ system call filtering is applied. Note
+ that configuring a system call filter
+ with
+ SystemCallFilter=
+ (above) implies a
+ native architecture
+ list, unless configured
+ otherwise.
+
+
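Review bot: The new SystemCallArchitectures= paragraph says only system calls of the listed architectures "will be permitted", but never says what happens to a process that issues a call from an architecture not on the list. The context line above the addition ("is triggered.") closes the preceding option's description, so it is unclear whether a non-permitted architecture gets the same treatment as a filtered system call or a different one; suggest adding a sentence stating the outcome explicitly. Two smaller points in the same paragraph: the statement that a non-empty list "implies that native is included too" appears well after the sentence promising that only the specified architectures are permitted, and would read better directly after it, since it means native can never be excluded; and the closing note about SystemCallFilter= repeats the note added in the first hunk, so one of the two could be reduced to a cross-reference.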