core: Add AppArmor profile switching
[elogind.git] / man / systemd.exec.xml
index 4281c03cf6fff150e2d408b262e3ab9a9bdbc06c..19839937c71f2eadf25bc4912c1ed8f2576bf2d2 100644 (file)
                                 <listitem><para>Controls the CPU
                                 affinity of the executed
                                 processes. Takes a space-separated
                                 <listitem><para>Controls the CPU
                                 affinity of the executed
                                 processes. Takes a space-separated
-                                list of CPU indexes. This option may
+                                list of CPU indices. This option may
                                 be specified more than once in which
                                 case the specificed CPU affinity masks
                                 are merged. If the empty string is
                                 be specified more than once in which
                                 case the specificed CPU affinity masks
                                 are merged. If the empty string is
                         <varlistentry>
                                 <term><varname>StandardError=</varname></term>
                                 <listitem><para>Controls where file
                         <varlistentry>
                                 <term><varname>StandardError=</varname></term>
                                 <listitem><para>Controls where file
-                                descriptor 2 (STDERR) of the executed
-                                processes is connected to. The
-                                available options are identical to
+                                descriptor 2 (STDERR) of the
+                                executed processes is connected to.
+                                The available options are identical to
                                 those of
                                 <varname>StandardOutput=</varname>,
                                 with one exception: if set to
                                 those of
                                 <varname>StandardOutput=</varname>,
                                 with one exception: if set to
                         <varlistentry>
                                 <term><varname>TTYPath=</varname></term>
                                 <listitem><para>Sets the terminal
                         <varlistentry>
                                 <term><varname>TTYPath=</varname></term>
                                 <listitem><para>Sets the terminal
-                                device node to use if standard input,
-                                output or stderr are connected to a
+                                device node to use if standard input, output,
+                                or error are connected to a
                                 TTY (see above). Defaults to
                                 <filename>/dev/console</filename>.</para></listitem>
                         </varlistentry>
                                 TTY (see above). Defaults to
                                 <filename>/dev/console</filename>.</para></listitem>
                         </varlistentry>
                         <varlistentry>
                                 <term><varname>SELinuxContext=</varname></term>
 
                         <varlistentry>
                                 <term><varname>SELinuxContext=</varname></term>
 
-                                <listitem><para>Set the SELinux context of the
-                                executed process. If set, this will override the
-                                automated domain transition. However, the policy
-                                still need to autorize the transition. See
+                                <listitem><para>Set the SELinux
+                                security context of the executed
+                                process. If set, this will override
+                                the automated domain
+                                transition. However, the policy still
+                                needs to autorize the transition. This
+                                directive is ignored if SELinux is
+                                disabled. If prefixed by
+                                <literal>-</literal>, all errors will
+                                be ignored. See
                                 <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
                                 for details.</para></listitem>
                         </varlistentry>
 
                                 <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
                                 for details.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>AppArmorProfile=</varname></term>
+
+                                <listitem><para>Take a profile name as argument.
+                                The process executed by the unit will switch to
+                                this profile when started. Profiles must already
+                                be loaded in the kernel, or the unit will fail.
+                                This result in a non operation if AppArmor is not
+                                enabled. If prefixed by <literal>-</literal>, all errors
+                                will be ignored.
+                                </para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
                         <varlistentry>
                                 <term><varname>IgnoreSIGPIPE=</varname></term>
 
                                 list of system call
                                 names. If this setting is used, all
                                 system calls executed by the unit
                                 list of system call
                                 names. If this setting is used, all
                                 system calls executed by the unit
-                                process except for the listed ones
+                                processes except for the listed ones
                                 will result in immediate process
                                 termination with the
                                 <constant>SIGSYS</constant> signal
                                 will result in immediate process
                                 termination with the
                                 <constant>SIGSYS</constant> signal
                                 merged. If the empty string is
                                 assigned, the filter is reset, all
                                 prior assignments will have no
                                 merged. If the empty string is
                                 assigned, the filter is reset, all
                                 prior assignments will have no
-                                effect.</para></listitem>
+                                effect.</para>
+
+                                <para>If you specify both types of
+                                this option (i.e. whitelisting and
+                                blacklisting), the first encountered
+                                will take precedence and will dictate
+                                the default action (termination or
+                                approval of a system call). Then the
+                                next occurrences of this option will
+                                add or delete the listed system calls
+                                from the set of the filtered system
+                                calls, depending of its type and the
+                                default action. (For example, if you have started
+                                with a whitelisting of
+                                <function>read</function> and
+                                <function>write</function>, and right
+                                after it add a blacklisting of
+                                <function>write</function>, then
+                                <function>write</function> will be
+                                removed from the set.)
+                                </para></listitem>
                         </varlistentry>
 
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>SystemCallErrorNumber=</varname></term>
+
+                                <listitem><para>Takes an
+                                <literal>errno</literal> error number
+                                name to return when the system call
+                                filter configured with
+                                <varname>SystemCallFilter=</varname>
+                                is triggered, instead of terminating
+                                the process immediately. Takes an
+                                error name such as
+                                <constant>EPERM</constant>,
+                                <constant>EACCES</constant> or
+                                <constant>EUCLEAN</constant>. When this
+                                setting is not used, or when the empty
+                                string is assigned, the process will be
+                                terminated immediately when the filter
+                                is triggered.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>SystemCallArchitectures=</varname></term>
+
+                                <listitem><para>Takes a space
+                                separated list of architecture
+                                identifiers to include in the system
+                                call filter. The known architecture
+                                identifiers are
+                                <constant>x86</constant>,
+                                <constant>x86-64</constant>,
+                                <constant>x32</constant>,
+                                <constant>arm</constant> as well as the
+                                special identifier
+                                <constant>native</constant>. Only system
+                                calls of the specified architectures
+                                will be permitted to processes of this
+                                unit. This is an effective way to
+                                disable compatibility with non-native
+                                architectures for processes, for
+                                example to prohibit execution of
+                                32-bit x86 binaries on 64-bit x86-64
+                                systems. The special
+                                <constant>native</constant> identifier
+                                implicitly maps to the native
+                                architecture of the system (or more
+                                strictly: to the architecture the
+                                system manager is compiled for). Note
+                                that setting this option to a
+                                non-empty list implies that
+                                <constant>native</constant> is included
+                                too. By default, this option is set to
+                                the empty list, i.e. no architecture
+                                system call filtering is
+                                applied.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>Personality=</varname></term>
+
+                                <listitem><para>Controls which
+                                kernel architecture
+                                <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+                                shall report, when invoked by unit
+                                processes. Takes one of
+                                <constant>x86</constant> and
+                                <constant>x86-64</constant>. This is
+                                useful when running 32bit services on
+                                a 64bit host system. If not specified
+                                the personality is left unmodified and
+                                thus reflects the personality of the
+                                host system's
+                                kernel.</para></listitem>
+                        </varlistentry>
                 </variablelist>
         </refsect1>
 
                 </variablelist>
         </refsect1>
 
                                 tty.</para></listitem>
                         </varlistentry>
 
                                 tty.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>$MAINPID</varname></term>
+
+                                <listitem><para>The PID of the units
+                                main process if it is known. This is
+                                only set for control processes as
+                                invoked by
+                                <varname>ExecReload=</varname> and
+                                similar.  </para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>$MANAGERPID</varname></term>
 
                         <varlistentry>
                                 <term><varname>$MANAGERPID</varname></term>