man: cryptsetup-1.6.3 now allows partition device file in system mode
[elogind.git] / man / systemd.exec.xml
index 2778497647e5dcaf75b77875e25ff14b748f8e7b..7eaf52bc5bd59571a924cb613a67103d32dd623a 100644 (file)
                                 for the assignment.</para>
 
                                 <para>Example:
                                 for the assignment.</para>
 
                                 <para>Example:
-                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
+                                <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
                                 gives three variables <literal>VAR1</literal>,
                                 gives three variables <literal>VAR1</literal>,
-                                <literal>VAR2</literal>, <literal>VAR3</literal>.
+                                <literal>VAR2</literal>, <literal>VAR3</literal>
+                                with the values <literal>word1 word2</literal>,
+                                <literal>word3</literal>, <literal>$word 5 6</literal>.
                                 </para>
 
                                 <para>
                                 </para>
 
                                 <para>
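Review bot: in the added sentence that lists the values, nothing tells the reader why VAR3 now contains a dollar sign. The example was changed to "VAR3=$word 5 6" and the text shows the resulting value "$word 5 6", but it never states that "$" is taken literally. Unless the paragraph above already says so, add a clause saying that no variable expansion is performed in Environment= values, since readers used to shell syntax will expect $word to be substituted.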
                                 processes and mounts private
                                 <filename>/tmp</filename> and
                                 <filename>/var/tmp</filename>
                                 processes and mounts private
                                 <filename>/tmp</filename> and
                                 <filename>/var/tmp</filename>
-                                directories inside it that are not
+                                directories inside it that is not
                                 shared by processes outside of the
                                 namespace. This is useful to secure
                                 access to temporary files of the
                                 shared by processes outside of the
                                 namespace. This is useful to secure
                                 access to temporary files of the
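Review bot: on the changed line "directories inside it that is not", the verb now disagrees with the nearest noun, "directories". If the intent is that the namespace is the thing not shared, then "that is not shared by processes outside of the namespace" describes the namespace in terms of itself. Either keep "that are not" or reword the sentence so the subject of "is not shared" is unambiguous.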
                                 <filename>/var/tmp</filename>
                                 impossible. All temporary data created
                                 by service will be removed after
                                 <filename>/var/tmp</filename>
                                 impossible. All temporary data created
                                 by service will be removed after
-                                service is stopped. Defaults to
+                                the service is stopped. Defaults to
                                 false. Note that it is possible to run
                                 two or more units within the same
                                 private <filename>/tmp</filename> and
                                 false. Note that it is possible to run
                                 two or more units within the same
                                 private <filename>/tmp</filename> and
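Review bot: the article fix on "the service is stopped" leaves the same omission one line up, in the unchanged context line "by service will be removed after". Change that to "by the service" in this patch as well, so the sentence reads consistently.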
                                 for details.</para></listitem>
                         </varlistentry>
 
                                 for details.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>PrivateDevices=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, sets up a new /dev
+                                namespace for the executed processes
+                                and only adds API pseudo devices such
+                                as <filename>/dev/null</filename>,
+                                <filename>/dev/zero</filename> or
+                                <filename>/dev/random</filename> to
+                                it, but no physical devices such as
+                                <filename>/dev/sda</filename>. This is
+                                useful to securely turn off physical
+                                device access by the executed
+                                process. Defaults to
+                                false.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>MountFlags=</varname></term>
 
                         <varlistentry>
                                 <term><varname>MountFlags=</varname></term>
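Review bot: in the new PrivateDevices= entry, "useful to securely turn off physical device access" is stated without saying what enforces it. The text describes only which nodes are placed in the new /dev. It does not say whether the executed process can still create device nodes itself or reach a physical device by some other path, and a reader choosing this option as a sandboxing control needs to know that. State the limits of the option or drop "securely". As a smaller point, "/dev" in "sets up a new /dev namespace" lacks the filename markup used for every other path in the entry.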