X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=2f75915c2076d6aa4c31bb65d2020422c99b448e;hb=02dd6e189a6d2b7f3884ad4cdb3d8c85e009c565;hp=ba4e808ddd2af6345bdfa7159176b23acaf181ca;hpb=43638332c4236ac2db44b0524ea5ade4f918e602;p=elogind.git
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index ba4e808dd..2f75915c2 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -103,7 +103,7 @@
directory path. Sets the root
directory for executed processes, with
the
- chroot2
+ chroot2
system call. If this is used, it must
be ensured that the process and all
its auxiliary files are available in
@@ -248,7 +248,7 @@
Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. This option may
+ list of CPU indices. This option may
be specified more than once in which
case the specificed CPU affinity masks
are merged. If the empty string is
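Review bot: the unchanged context line "case the specificed CPU affinity masks" carries a typo ("specificed" for "specified"); since this hunk already rewrites the same sentence ("indexes" to "indices"), fix it here rather than leaving it for a follow-up.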
@@ -295,14 +295,16 @@
for the assignment.Example:
- Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"
+ Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
gives three variables VAR1,
- VAR2, VAR3.
+ VAR2, VAR3
+ with the values word1 word2,
+ word3, $word 5 6.
See
- environ7
+ environ7
for details about environment variables.
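Review bot: the new example value "$word 5 6" only makes its point if the reader already knows that "$" is not expanded in Environment= values, and the added text ("with the values word1 word2, word3, $word 5 6") shows the literal result without saying why. Add one sentence stating that values are passed literally, with no variable expansion, so the example illustrates a documented rule. Also "for the assignment.Example:" on the context line is missing a space after the full stop.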
@@ -338,9 +340,14 @@
The files listed with this
directive will be read shortly before
- the process is executed. Settings from
- these files override settings made
- with
+ the process is executed (more
+ specifically, after all
+ processes from a previous unit state
+ terminated. This means you can
+ generate these files in one unit
+ state, and read it with this option in
+ the next). Settings from these files
+ override settings made with
Environment=. If
the same variable is set twice from
these files, the files will be read in
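Review bot: grammar in the new parenthetical: "after all processes from a previous unit state terminated" reads better as "have terminated", and "read it with this option in the next" should be "read them", since it refers to the files. "Unit state" is also vague here; name the states meant (which one writes the files and which one reads them) so the reader knows when the files must exist.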
@@ -436,12 +443,12 @@
for other processes to release the
terminal.
connects standard output to the
- syslog3
+ syslog3
system syslog
service.
connects it with the kernel log buffer
which is accessible via
- dmesg1.
+ dmesg1.
connects it with the journal which is
accessible via
journalctl1
@@ -470,9 +477,9 @@
StandardError=Controls where file
- descriptor 2 (STDERR) of the executed
- processes is connected to. The
- available options are identical to
+ descriptor 2 (STDERR) of the
+ executed processes is connected to.
+ The available options are identical to
those of
StandardOutput=,
with one exception: if set to
@@ -489,8 +496,8 @@
TTYPath=Sets the terminal
- device node to use if standard input,
- output or stderr are connected to a
+ device node to use if standard input, output,
+ or error are connected to a
TTY (see above). Defaults to
/dev/console.
@@ -561,7 +568,7 @@
,
or
. See
- syslog3
+ syslog3
for details. This option is only
useful when
StandardOutput= or
@@ -583,7 +590,7 @@
,
,
. See
- syslog3
+ syslog3
for details. This option is only
useful when
StandardOutput= or
@@ -680,35 +687,10 @@
User= setting. If
not set, no PAM session will be opened
for the executed processes. See
- pam8
+ pam8
for details.
-
- TCPWrapName=
- If this is a
- socket-activated service, this sets the
- tcpwrap service name to check the
- permission for the current connection
- with. This is only useful in
- conjunction with socket-activated
- services, and stream sockets (TCP) in
- particular. It has no effect on other
- socket types (e.g. datagram/UDP) and
- on processes unrelated to socket-based
- activation. If the tcpwrap
- verification fails, daemon start-up
- will fail and the connection is
- terminated. See
- tcpd8
- for details. Note that this option may
- be used to do access control checks
- only. Shell commands and commands
- described in
- hosts_options5
- are not supported.
-
-
CapabilityBoundingSet=
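Review bot: the TCPWrapName= entry is deleted outright with no deprecation note. If the parser still accepts the directive, units that set it keep working with no documented meaning; if it no longer does, they start failing with no pointer to what replaces the access check. Either keep a one-line entry saying the option is no longer supported, or make sure the removal is recorded in the release notes.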
@@ -716,7 +698,7 @@
capabilities to include in the
capability bounding set for the
executed process. See
- capabilities7
+ capabilities7
for details. Takes a whitespace-separated
list of capability names as read by
cap_from_name3,
@@ -757,7 +739,7 @@
SecureBits=Controls the secure
bits set for the executed process. See
- capabilities7
+ capabilities7
for details. Takes a list of strings:
,
,
@@ -775,14 +757,14 @@
Capabilities=Controls the
- capabilities7
+ capabilities7
set for the executed process. Take a
capability string describing the
effective, permitted and inherited
capability sets as documented in
cap_from_text3.
Note that these capability sets are
- usually influenced by the capabilities
+ usually influenced (and filtered) by the capabilities
attached to the executed file. Due to
that
CapabilityBoundingSet=
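Review bot: the context line "set for the executed process. Take a" should read "Takes a", matching the other entries; fix it while this paragraph is being edited. The added "(and filtered)" is a helpful clarification of how file capabilities interact with Capabilities=.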
@@ -795,8 +777,8 @@
ReadOnlyDirectories=InaccessibleDirectories=
- Sets up a new
- file system namespace for executed
+ Sets up a new file
+ system namespace for executed
processes. These options may be used
to limit access a process might have
to the main file system
@@ -817,16 +799,14 @@
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
- of a directory. You must list
- submounts separately in these settings
- to ensure the same limited
- access. These options may be specified
+ of a directory that are created later
+ on. These options may be specified
more than once in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
- option, the specific list is reset, and
- all prior assignments have no
+ option, the specific list is reset,
+ and all prior assignments have no
effect.Paths in
ReadOnlyDirectories=
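Review bot: replacing "You must list submounts separately in these settings" with "submounts of a directory that are created later on" is a behavioural statement, not a rewording: it now says submounts that exist when the namespace is set up are covered. Confirm that the implementation change making these options apply recursively lands together with this documentation change; otherwise readers will drop their separate submount entries and lose the restriction.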
@@ -835,7 +815,15 @@
may be prefixed with
-, in which case
they will be ignored when they do not
- exist.
+ exist. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.
@@ -846,19 +834,70 @@
system namespace for the executed
processes and mounts private
/tmp and
- /var/tmp directories
- inside it, that are not shared by
- processes outside of the
+ /var/tmp
+ directories inside it that is not
+ shared by processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
/tmp or
/var/tmp
- impossible. All temporary data created
- by service will be removed after service
- is stopped. Defaults to
- false.
+ impossible. If this is enabled, all
+ temporary files created by a service
+ in these directories will be removed
+ after the service is stopped. Defaults
+ to false. It is possible to run two or
+ more units within the same private
+ /tmp and
+ /var/tmp
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to install
+ mount points in the main mount
+ namespace.
+
+
+
+ PrivateDevices=
+
+ Takes a boolean
+ argument. If true, sets up a new /dev
+ namespace for the executed processes
+ and only adds API pseudo devices such
+ as /dev/null,
+ /dev/zero or
+ /dev/random (as
+ well as the pseudo TTY subsystem) to
+ it, but no physical devices such as
+ /dev/sda. This is
+ useful to securely turn off physical
+ device access by the executed
+ process. Defaults to false. Enabling
+ this option will also remove
+ CAP_MKNOD from
+ the capability bounding set for the
+ unit (see above), and set
+ DevicePolicy=closed
+ (see
+ systemd.resource-control5
+ for details). Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.
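Review bot: grammar regression in the PrivateTmp= text: "directories inside it that is not shared by processes" should be "that are not shared" (the removed lines had this right). Separately, the paragraph "Note that using this setting will disconnect propagation of mounts from the service to the host ... main mount namespace." is now pasted verbatim under ReadOnlyDirectories=, PrivateTmp= and PrivateDevices=; state it once and refer to it from each directive so the three copies cannot drift apart.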
@@ -874,8 +913,84 @@
available to the executed process.
This is useful to securely turn off
network access by the executed
- process. Defaults to
- false.
+ process. Defaults to false. It is
+ possible to run two or more units
+ within the same private network
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details. Note that this option
+ will disconnect all socket families
+ from the host, this includes
+ AF_NETLINK and AF_UNIX. The latter has
+ the effect that AF_UNIX sockets in the
+ abstract socket namespace will become
+ unavailable to the processes (however,
+ those located in the file system will
+ continue to be
+ accessible).
+
+
+
+ ProtectSystem=
+
+ Takes a boolean
+ argument or
+ full. If true,
+ mounts the /usr
+ directory read-only for processes
+ invoked by this unit. If set to
+ full, the
+ /etc directory is mounted
+ read-only, too. This setting ensures
+ that any modification of the vendor
+ supplied operating system (and
+ optionally its configuration) is
+ prohibited for the service. It is
+ recommended to enable this setting for
+ all long-running services, unless they
+ are involved with system updates or
+ need to modify the operating system in
+ other ways. Note however that
+ processes retaining the CAP_SYS_ADMIN
+ capability can undo the effect of this
+ setting. This setting is hence
+ particularly useful for daemons which
+ have this capability removed, for
+ example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
+
+ ProtectHome=
+
+ Takes a boolean
+ argument or
+ read-only. If true,
+ the directories
+ /home and
+ /run/user are
+ made inaccessible and empty for
+ processes invoked by this unit. If set
+ to read-only, the
+ two directores are made read-only
+ instead. It is recommended to enable
+ this setting for all long-running
+ services (in particular network-facing
+ ones), to ensure they cannot get access
+ to private user data, unless the
+ services actually require access to
+ the user's private data. Note however
+ that processes retaining the
+ CAP_SYS_ADMIN capability can undo the
+ effect of this setting. This setting
+ is hence particularly useful for
+ daemons which have this capability
+ removed, for example with
+ CapabilityBoundingSet=. Defaults
+ to off.
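Review bot: typo in the ProtectHome= entry: "two directores" should be "two directories". The CAP_SYS_ADMIN caveat in both ProtectSystem= and ProtectHome= is the right warning for a hardening option, but "Defaults to off" here versus "Defaults to false" in the PrivateNetwork= text of the same hunk is inconsistent; pick one spelling.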
@@ -886,13 +1001,45 @@
,
or
, which
- control whether the file system
- namespace set up for this unit's
- processes will receive or propagate
- new mounts. See
+ control whether mounts in the file
+ system namespace set up for this
+ unit's processes will receive or
+ propagate mounts or unmounts. See
mount2
- for details. Default to
- .
+ for details. Defaults to
+ . Use
+ to ensure that
+ mounts and unmounts are propagated
+ from the host to the container and
+ vice versa. Use
+ to run processes so that none of their
+ mounts and unmounts will propagate to
+ the host. Use
+ to also ensure that no mounts and
+ unmounts from the host will propagate
+ into the unit processes'
+ namespace. Note that
+ means that file
+ systems mounted on the host might stay
+ mounted continously in the unit's
+ namespace, and thus keep the device
+ busy. Note that the file system
+ namespace related options
+ (PrivateTmp=,
+ PrivateDevices=,
+ ReadOnlySystem=,
+ ProtectedHome=,
+ ReadOnlyDirectories=,
+ InaccessibleDirectories=
+ and
+ ReadWriteDirectories=)
+ require that mount and unmount
+ propagation from the unit's file
+ system namespace is disabled, and
+ hence downgrade
+ to
+ .
+
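Review bot: the list of namespace-related options names "ReadOnlySystem=" and "ProtectedHome=", but the directives introduced earlier in this same patch are ProtectSystem= and ProtectHome=; as written the cross-reference matches nothing. Also "continously" should be "continuously".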
@@ -916,6 +1063,36 @@
this service.
+
+ SELinuxContext=
+
+ Set the SELinux
+ security context of the executed
+ process. If set, this will override
+ the automated domain
+ transition. However, the policy still
+ needs to autorize the transition. This
+ directive is ignored if SELinux is
+ disabled. If prefixed by
+ -, all errors will
+ be ignored. See
+ setexeccon3
+ for details.
+
+
+
+ AppArmorProfile=
+
+ Takes a profile name as argument.
+ The process executed by the unit will switch to
+ this profile when started. Profiles must already
+ be loaded in the kernel, or the unit will fail.
+ This result in a non operation if AppArmor is not
+ enabled. If prefixed by -, all errors
+ will be ignored.
+
+
+
IgnoreSIGPIPE=
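Review bot: wording in the new entries: "needs to autorize the transition" should be "authorize", and "This result in a non operation if AppArmor is not enabled" should read "This results in a no-op if AppArmor is not enabled". For AppArmorProfile=, say explicitly what the "-" prefix does when the profile is not loaded (whether the process then starts without any profile), since running unconfined by accident is the outcome an operator most needs to know about.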
@@ -946,11 +1123,11 @@
SystemCallFilter=
- Takes a space-separated
- list of system call
+ Takes a
+ space-separated list of system call
names. If this setting is used, all
system calls executed by the unit
- process except for the listed ones
+ processes except for the listed ones
will result in immediate process
termination with the
SIGSYS signal
@@ -959,12 +1136,13 @@
the effect is inverted: only the
listed system calls will result in
immediate process termination
- (blacklisting). If this option is used,
+ (blacklisting). If running in user
+ mode and this option is used,
NoNewPrivileges=yes
- is implied. This feature makes use of
- the Secure Computing Mode 2 interfaces
- of the kernel ('seccomp filtering')
- and is useful for enforcing a minimal
+ is implied. This feature makes use of the
+ Secure Computing Mode 2 interfaces of
+ the kernel ('seccomp filtering') and
+ is useful for enforcing a minimal
sandboxing environment. Note that the
execve,
rt_sigreturn,
@@ -978,7 +1156,196 @@
merged. If the empty string is
assigned, the filter is reset, all
prior assignments will have no
- effect.
+ effect.
+
+ If you specify both types of
+ this option (i.e. whitelisting and
+ blacklisting), the first encountered
+ will take precedence and will dictate
+ the default action (termination or
+ approval of a system call). Then the
+ next occurrences of this option will
+ add or delete the listed system calls
+ from the set of the filtered system
+ calls, depending of its type and the
+ default action. (For example, if you have started
+ with a whitelisting of
+ read and
+ write, and right
+ after it add a blacklisting of
+ write, then
+ write will be
+ removed from the set.)
+
+
+
+
+ SystemCallErrorNumber=
+
+ Takes an
+ errno error number
+ name to return when the system call
+ filter configured with
+ SystemCallFilter=
+ is triggered, instead of terminating
+ the process immediately. Takes an
+ error name such as
+ EPERM,
+ EACCES or
+ EUCLEAN. When this
+ setting is not used, or when the empty
+ string is assigned, the process will be
+ terminated immediately when the filter
+ is triggered.
+
+
+
+ SystemCallArchitectures=
+
+ Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ x86,
+ x86-64,
+ x32,
+ arm as well as
+ the special identifier
+ native. Only
+ system calls of the specified
+ architectures will be permitted to
+ processes of this unit. This is an
+ effective way to disable compatibility
+ with non-native architectures for
+ processes, for example to prohibit
+ execution of 32-bit x86 binaries on
+ 64-bit x86-64 systems. The special
+ native identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). If
+ running in user mode and this option
+ is used,
+ NoNewPrivileges=yes
+ is implied. Note that setting this
+ option to a non-empty list implies
+ that native is
+ included too. By default, this option
+ is set to the empty list, i.e. no
+ architecture system call filtering is
+ applied.
+
+
+
+ RestrictAddressFamilies=
+
+ Restricts the set of
+ socket address families accessible to
+ the processes of this unit. Takes a
+ space-separated list of address family
+ names to whitelist, such as
+ AF_UNIX,
+ AF_INET or
+ AF_INET6. When
+ prefixed with ~
+ the listed address families will be
+ applied as blacklist, otherwise as
+ whitelist. Note that this restricts
+ access to the
+ socket2
+ system call only. Sockets passed into
+ the process by other means (for
+ example, by using socket activation
+ with socket units, see
+ systemd.socket5)
+ are unaffected. Also, sockets created
+ with socketpair()
+ (which creates connected AF_UNIX
+ sockets only) are unaffected. Note
+ that this option has no effect on
+ 32-bit x86 and is ignored (but works
+ correctly on x86-64). If running in user
+ mode and this option is used,
+ NoNewPrivileges=yes
+ is implied. By default, no
+ restriction applies, all address
+ families are accessible to
+ processes. If assigned the empty
+ string, any previous list changes are
+ undone.
+
+ Use this option to limit
+ exposure of processes to remote
+ systems, in particular via exotic
+ network protocols. Note that in most
+ cases, the local
+ AF_UNIX address
+ family should be included in the
+ configured whitelist as it is
+ frequently used for local
+ communication, including for
+ syslog2
+ logging.
+
+
+
+ Personality=
+
+ Controls which
+ kernel architecture
+ uname2
+ shall report, when invoked by unit
+ processes. Takes one of
+ x86 and
+ x86-64. This is
+ useful when running 32-bit services on
+ a 64-bit host system. If not specified,
+ the personality is left unmodified and
+ thus reflects the personality of the
+ host system's
+ kernel.
+
+
+
+ RuntimeDirectory=
+ RuntimeDirectoryMode=
+
+ Takes a list of
+ directory names. If set, one or more
+ directories by the specified names
+ will be created below
+ /run (for system
+ services) or below
+ $XDG_RUNTIME_DIR
+ (for user services) when the unit is
+ started, and removed when the unit is
+ stopped. The directories will have the
+ access mode specified in
+ RuntimeDirectoryMode=,
+ and will be owned by the user and
+ group specified in
+ User= and
+ Group=. Use this to
+ manage one or more runtime directories
+ of the unit and bind their lifetime to
+ the daemon runtime. The specified
+ directory names must be relative, and
+ may not include a
+ /, i.e. must refer
+ to simple directories to create or
+ remove. This is particularly useful
+ for unprivileged daemons that cannot
+ create runtime directories in
+ /run due to lack
+ of privileges, and to make sure the
+ runtime directory is cleaned up
+ automatically after use. For runtime
+ directories that require more complex
+ or different configuration or lifetime
+ guarantees, please consider using
+ tmpfiles.d5.
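Review bot: the RestrictAddressFamilies= entry states that the option "has no effect on 32-bit x86 and is ignored"; for a sandboxing control, silently ignoring it means a unit that looks restricted is not. Word this as an explicit warning and, if feasible, log it at unit load time instead of dropping it quietly. Minor wording in the same hunk: "depending of its type" should be "depending on its type", and "Takes a space separated list" should be hyphenated like the other entries ("space-separated").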
@@ -1021,10 +1388,13 @@
$USER
+ $LOGNAME$HOME
+ $SHELL
- User name and home
- directory. Set for the units which
+ User name (twice), home
+ directory, and the login shell.
+ The variables are set for the units that
have User= set,
which includes user
systemd instances.
@@ -1050,17 +1420,28 @@
$XDG_VTNRThe identifier of the
- session, and the seat name, and
+ session, the seat name, and
virtual terminal of the session. Set
by
pam_systemd8
for login sessions.
$XDG_SEAT and
- $XDG_VTNR will be
- only set when attached to a seat and a
+ $XDG_VTNR will
+ only be set when attached to a seat and a
tty.
+
+ $MAINPID
+
+ The PID of the units
+ main process if it is known. This is
+ only set for control processes as
+ invoked by
+ ExecReload= and
+ similar.
+
+
$MANAGERPID
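Review bot: "The PID of the units main process" needs an apostrophe ("unit's"). It would also help to say what $MAINPID contains when the main PID is not known (unset versus empty), since "if it is known" leaves that open for scripts that test the variable.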
@@ -1080,6 +1461,20 @@
sd_listen_fds3.
+
+
+ $TERM
+
+ Terminal type, set
+ only for units connected to a terminal
+ (StandardInput=tty,
+ StandardOutput=tty,
+ or
+ StandardError=tty).
+ See
+ termcap5.
+
+ Additional variables may be configured by the
@@ -1093,7 +1488,7 @@
systemd.setenv= (see
systemd1). Additional
variables may also be set through PAM,
- c.f. pam_env8.
+ cf. pam_env8.
@@ -1108,9 +1503,10 @@
systemd.swap5,
systemd.mount5,
systemd.kill5,
- systemd.cgroup5,
+ systemd.resource-control5,
systemd.directives7,
- exec3
+ tmpfiles.d5,
+ exec3