core: add new ConditionArchitecture() that checks the architecture returned by uname...

[elogind.git] / man / systemd.exec.xml
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml

index 86ad7e223dd5a5c9da0008a0e81c673337ae1170..7dbe05d265123e08411eedacfbbb7dd606551591 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -248,7 +248,7 @@
                                  <listitem><para>Controls the CPU
                                  affinity of the executed
                                  processes. Takes a space-separated
                                  <listitem><para>Controls the CPU
                                  affinity of the executed
                                  processes. Takes a space-separated
-                                list of CPU indexes. This option may
+                                list of CPU indices. This option may
                                  be specified more than once in which
                                  case the specificed CPU affinity masks
                                  are merged. If the empty string is
                                  be specified more than once in which
                                  case the specificed CPU affinity masks
                                  are merged. If the empty string is
@@ -472,9 +472,9 @@
                          <varlistentry>
                                  <term><varname>StandardError=</varname></term>
                                  <listitem><para>Controls where file
                          <varlistentry>
                                  <term><varname>StandardError=</varname></term>
                                  <listitem><para>Controls where file
-                                descriptor 2 (STDERR) of the executed
-                                processes is connected to. The
-                                available options are identical to
+                                descriptor 2 (STDERR) of the
+                                executed processes is connected to.
+                                The available options are identical to
                                  those of
                                  <varname>StandardOutput=</varname>,
                                  with one exception: if set to
                                  those of
                                  <varname>StandardOutput=</varname>,
                                  with one exception: if set to
@@ -491,8 +491,8 @@
                          <varlistentry>
                                  <term><varname>TTYPath=</varname></term>
                                  <listitem><para>Sets the terminal
                          <varlistentry>
                                  <term><varname>TTYPath=</varname></term>
                                  <listitem><para>Sets the terminal
-                                device node to use if standard input,
-                                output or stderr are connected to a
+                                device node to use if standard input, output,
+                                or error are connected to a
                                  TTY (see above). Defaults to
                                  <filename>/dev/console</filename>.</para></listitem>
                          </varlistentry>
                                  TTY (see above). Defaults to
                                  <filename>/dev/console</filename>.</para></listitem>
                          </varlistentry>
@@ -1033,7 +1033,7 @@
  
                                  <para>If you specify both types of
                                  this option (i.e. whitelisting and
  
                                  <para>If you specify both types of
                                  this option (i.e. whitelisting and
-                                blacklisting) the first encountered
+                                blacklisting), the first encountered
                                  will take precedence and will dictate
                                  the default action (termination or
                                  approval of a system call). Then the
                                  will take precedence and will dictate
                                  the default action (termination or
                                  approval of a system call). Then the
@@ -1041,14 +1041,14 @@
                                  add or delete the listed system calls
                                  from the set of the filtered system
                                  calls, depending of its type and the
                                  add or delete the listed system calls
                                  from the set of the filtered system
                                  calls, depending of its type and the
-                                default action (e.g. You have started
+                                default action. (For example, if you have started
                                  with a whitelisting of
                                  <function>read</function> and
                                  with a whitelisting of
                                  <function>read</function> and
-                                <function>write</function> and right
+                                <function>write</function>, and right
                                  after it add a blacklisting of
                                  <function>write</function>, then
                                  <function>write</function> will be
                                  after it add a blacklisting of
                                  <function>write</function>, then
                                  <function>write</function> will be
-                                removed from the set).
+                                removed from the set.)
                                  </para></listitem>
                          </varlistentry>
  
                                  </para></listitem>
                          </varlistentry>
  
@@ -1063,15 +1063,68 @@
                                  is triggered, instead of terminating
                                  the process immediately. Takes an
                                  error name such as
                                  is triggered, instead of terminating
                                  the process immediately. Takes an
                                  error name such as
-                                <literal>EPERM</literal>,
-                                <literal>EACCES</literal> or
-                                <literal>EUCLEAN</literal>. When this
+                                <constant>EPERM</constant>,
+                                <constant>EACCES</constant> or
+                                <constant>EUCLEAN</constant>. When this
                                  setting is not used, or when the empty
                                  setting is not used, or when the empty
-                                string is assigned the process will be
+                                string is assigned, the process will be
                                  terminated immediately when the filter
                                  is triggered.</para></listitem>
                          </varlistentry>
  
                                  terminated immediately when the filter
                                  is triggered.</para></listitem>
                          </varlistentry>
  
+                        <varlistentry>
+                                <term><varname>SystemCallArchitectures=</varname></term>
+
+                                <listitem><para>Takes a space
+                                separated list of architecture
+                                identifiers to include in the system
+                                call filter. The known architecture
+                                identifiers are
+                                <constant>x86</constant>,
+                                <constant>x86-64</constant>,
+                                <constant>x32</constant>,
+                                <constant>arm</constant> as well as the
+                                special identifier
+                                <constant>native</constant>. Only system
+                                calls of the specified architectures
+                                will be permitted to processes of this
+                                unit. This is an effective way to
+                                disable compatibility with non-native
+                                architectures for processes, for
+                                example to prohibit execution of
+                                32-bit x86 binaries on 64-bit x86-64
+                                systems. The special
+                                <constant>native</constant> identifier
+                                implicitly maps to the native
+                                architecture of the system (or more
+                                strictly: to the architecture the
+                                system manager is compiled for). Note
+                                that setting this option to a
+                                non-empty list implies that
+                                <constant>native</constant> is included
+                                too. By default, this option is set to
+                                the empty list, i.e. no architecture
+                                system call filtering is
+                                applied.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>Personality=</varname></term>
+
+                                <listitem><para>Controls which
+                                kernel architecture
+                                <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+                                shall report, when invoked by unit
+                                processes. Takes one of
+                                <constant>x86</constant> and
+                                <constant>x86-64</constant>. This is
+                                useful when running 32bit services on
+                                a 64bit host system. If not specified
+                                the personality is left unmodified and
+                                thus reflects the personality of the
+                                host system's
+                                kernel.</para></listitem>
+                        </varlistentry>
                  </variablelist>
          </refsect1>
  
                  </variablelist>
          </refsect1>
  
@@ -1155,6 +1208,17 @@
                                  tty.</para></listitem>
                          </varlistentry>
  
                                  tty.</para></listitem>
                          </varlistentry>
  
+                        <varlistentry>
+                                <term><varname>$MAINPID</varname></term>
+
+                                <listitem><para>The PID of the units
+                                main process if it is known. This is
+                                only set for control processes as
+                                invoked by
+                                <varname>ExecReload=</varname> and
+                                similar.  </para></listitem>
+                        </varlistentry>
+
                          <varlistentry>
                                  <term><varname>$MANAGERPID</varname></term>
  
                          <varlistentry>
                                  <term><varname>$MANAGERPID</varname></term>