X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=f1bcf9b7bd645f2931fe96699db04ce833c4d947;hb=d22f1006a1910e32ff099330d70badaf2aec75c6;hp=ecf48a73c9d64418a151f5a2632a5421c925313c;hpb=0d3f7bb3a5bc6d5c0712f88a080fed388981bca3;p=elogind.git diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index ecf48a73c..f1bcf9b7b 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -248,7 +248,7 @@ Controls the CPU affinity of the executed processes. Takes a space-separated - list of CPU indexes. This option may + list of CPU indices. This option may be specified more than once in which case the specificed CPU affinity masks are merged. If the empty string is @@ -472,9 +472,9 @@ StandardError= Controls where file - descriptor 2 (STDERR) of the executed - processes is connected to. The - available options are identical to + descriptor 2 (STDERR) of the + executed processes is connected to. + The available options are identical to those of StandardOutput=, with one exception: if set to @@ -491,8 +491,8 @@ TTYPath= Sets the terminal - device node to use if standard input, - output or stderr are connected to a + device node to use if standard input, output, + or error are connected to a TTY (see above). Defaults to /dev/console. @@ -953,16 +953,33 @@ SELinuxContext= - Set the SELinux context of the - executed process. If set, this will override the - automated domain transition. However, the policy - still need to autorize the transition. This directive - is ignored if SELinux is disabled. If prefixed by -, - all errors will be ignored. See + Set the SELinux + security context of the executed + process. If set, this will override + the automated domain + transition. However, the policy still + needs to autorize the transition. This + directive is ignored if SELinux is + disabled. If prefixed by + -, all errors will + be ignored. See setexeccon3 for details. + + AppArmorProfile= + + Take a profile name as argument. + The process executed by the unit will switch to + this profile when started. Profiles must already + be loaded in the kernel, or the unit will fail. + This result in a non operation if AppArmor is not + enabled. If prefixed by -, all errors + will be ignored. + + + IgnoreSIGPIPE= @@ -993,11 +1010,11 @@ SystemCallFilter= - Takes a space-separated - list of system call + Takes a + space-separated list of system call names. If this setting is used, all system calls executed by the unit - process except for the listed ones + processes except for the listed ones will result in immediate process termination with the SIGSYS signal @@ -1006,12 +1023,13 @@ the effect is inverted: only the listed system calls will result in immediate process termination - (blacklisting). If this option is used, + (blacklisting). If running in user + mode and this option is used, NoNewPrivileges=yes - is implied. This feature makes use of - the Secure Computing Mode 2 interfaces - of the kernel ('seccomp filtering') - and is useful for enforcing a minimal + is implied. This feature makes use of the + Secure Computing Mode 2 interfaces of + the kernel ('seccomp filtering') and + is useful for enforcing a minimal sandboxing environment. Note that the execve, rt_sigreturn, @@ -1025,7 +1043,196 @@ merged. If the empty string is assigned, the filter is reset, all prior assignments will have no - effect. + effect. + + If you specify both types of + this option (i.e. whitelisting and + blacklisting), the first encountered + will take precedence and will dictate + the default action (termination or + approval of a system call). Then the + next occurrences of this option will + add or delete the listed system calls + from the set of the filtered system + calls, depending of its type and the + default action. (For example, if you have started + with a whitelisting of + read and + write, and right + after it add a blacklisting of + write, then + write will be + removed from the set.) + + + + + SystemCallErrorNumber= + + Takes an + errno error number + name to return when the system call + filter configured with + SystemCallFilter= + is triggered, instead of terminating + the process immediately. Takes an + error name such as + EPERM, + EACCES or + EUCLEAN. When this + setting is not used, or when the empty + string is assigned, the process will be + terminated immediately when the filter + is triggered. + + + + SystemCallArchitectures= + + Takes a space + separated list of architecture + identifiers to include in the system + call filter. The known architecture + identifiers are + x86, + x86-64, + x32, + arm as well as + the special identifier + native. Only + system calls of the specified + architectures will be permitted to + processes of this unit. This is an + effective way to disable compatibility + with non-native architectures for + processes, for example to prohibit + execution of 32-bit x86 binaries on + 64-bit x86-64 systems. The special + native identifier + implicitly maps to the native + architecture of the system (or more + strictly: to the architecture the + system manager is compiled for). If + running in user mode and this option + is used, + NoNewPrivileges=yes + is implied. Note that setting this + option to a non-empty list implies + that native is + included too. By default, this option + is set to the empty list, i.e. no + architecture system call filtering is + applied. + + + + RestrictAddressFamilies= + + Restricts the set of + socket address families accessible to + the processes of this unit. Takes a + space-separated list of address family + names to whitelist, such as + AF_UNIX, + AF_INET or + AF_INET6. When + prefixed with ~ + the listed address families will be + applied as blacklist, otherwise as + whitelist. Note that this restricts + access to the + socket2 + system call only. Sockets passed into + the process by other means (for + example, by using socket activation + with socket units, see + systemd.socket5) + are unaffected. Also, sockets created + with socketpair() + (which creates connected AF_UNIX + sockets only) are unaffected. Note + that this option has no effect on + 32bit x86 and is ignored (but works + correctly on x86-64). If running in user + mode and this option is used, + NoNewPrivileges=yes + is implied. By default no + restriction applies, all address + families are accessible to + processes. If assigned the empty + string any previous list changes are + undone. + + Use this option to limit + exposure of processes to remote + systems, in particular via exotic + network protocols. Note that in most + cases the local + AF_UNIX address + family should be included in the + configured whitelist as it is + frequently used for local + communication, including for + syslog2 + logging. + + + + Personality= + + Controls which + kernel architecture + uname2 + shall report, when invoked by unit + processes. Takes one of + x86 and + x86-64. This is + useful when running 32bit services on + a 64bit host system. If not specified + the personality is left unmodified and + thus reflects the personality of the + host system's + kernel. + + + + RuntimeDirectory= + RuntimeDirectoryMode= + + Takes a list of + directory names. If set one or more + directories by the specified names + will be created below + /run (for system + services) or below + $XDG_RUNTIME_DIR + (for user services) when the unit is + started and removed when the unit is + stopped. The directories will have the + access mode specified in + RuntimeDirectoryMode=, + and will be owned by the user and + group specified in + User= and + Group=. Use this to + manage one or more runtime directories + of the unit and bind their lifetime to + the daemon runtime. The specified + directory names must be relative, and + may not include a + /, i.e. must refer + to simple directories to create or + remove. This is particularly useful + for unpriviliges daemons that cannot + create runtime directories in + /run due to lack + of privileges, and to make sure the + runtime directory is cleaned up + automatically after use. For runtime + directories that require more complex + or different configuration or lifetime + guarantees, please consider using + tmpfiles.d5. @@ -1111,6 +1318,17 @@ tty. + + $MAINPID + + The PID of the units + main process if it is known. This is + only set for control processes as + invoked by + ExecReload= and + similar. + + $MANAGERPID @@ -1174,6 +1392,7 @@ systemd.kill5, systemd.resource-control5, systemd.directives7, + tmpfiles.d5, exec3