<listitem><para>Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. This option may
+ list of CPU indices. This option may
be specified more than once in which
case the specificed CPU affinity masks
are merged. If the empty string is
add or delete the listed system calls
from the set of the filtered system
calls, depending of its type and the
- default action (e.g. You have started
+ default action. (For example, if you have started
with a whitelisting of
<function>read</function> and
<function>write</function>, and right
after it add a blacklisting of
<function>write</function>, then
<function>write</function> will be
- removed from the set).
+ removed from the set.)
</para></listitem>
-
- <para>Note that setting
- <varname>SystemCallFilter=</varname>
- implies a
- <varname>SystemCallArchitectures=</varname>
- setting of <literal>native</literal>
- (see below), unless that option is
- configured otherwise.</para>
</varlistentry>
<varlistentry>
unit. This is an effective way to
disable compatibility with non-native
architectures for processes, for
- example to prohibit execution of 32-bit
- x86 binaries on 64-bit x86-64
+ example to prohibit execution of
+ 32-bit x86 binaries on 64-bit x86-64
systems. The special
<literal>native</literal> identifier
implicitly maps to the native
<literal>native</literal> is included
too. By default, this option is set to
the empty list, i.e. no architecture
- system call filtering is applied. Note
- that configuring a system call filter
- with
- <varname>SystemCallFilter=</varname>
- (above) implies a
- <literal>native</literal> architecture
- list, unless configured
- otherwise.</para></listitem>
+ system call filtering is
+ applied.</para></listitem>
</varlistentry>
</variablelist>
~ianmdlvl / elogind.git / blobdiff