<listitem><para>Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. This option may
+ list of CPU indices. This option may
be specified more than once in which
case the specificed CPU affinity masks
are merged. If the empty string is
<varlistentry>
<term><varname>StandardError=</varname></term>
<listitem><para>Controls where file
- descriptor 2 (STDERR) of the executed
- processes is connected to. The
- available options are identical to
+ descriptor 2 (STDERR) of the
+ executed processes is connected to.
+ The available options are identical to
those of
<varname>StandardOutput=</varname>,
with one exception: if set to
<varlistentry>
<term><varname>TTYPath=</varname></term>
<listitem><para>Sets the terminal
- device node to use if standard input,
- output or stderr are connected to a
+ device node to use if standard input, output,
+ or error are connected to a
TTY (see above). Defaults to
<filename>/dev/console</filename>.</para></listitem>
</varlistentry>
for details.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>AppArmorProfile=</varname></term>
+
+ <listitem><para>Take a profile name as argument.
+ The process executed by the unit will switch to
+ this profile when started. Profiles must already
+ be loaded in the kernel, or the unit will fail.
+ This result in a non operation if AppArmor is not
+ enabled. If prefixed by <literal>-</literal>, all errors
+ will be ignored.
+ </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>IgnoreSIGPIPE=</varname></term>
<para>If you specify both types of
this option (i.e. whitelisting and
- blacklisting) the first encountered
+ blacklisting), the first encountered
will take precedence and will dictate
the default action (termination or
approval of a system call). Then the
add or delete the listed system calls
from the set of the filtered system
calls, depending of its type and the
- default action (e.g. You have started
+ default action. (For example, if you have started
with a whitelisting of
<function>read</function> and
- <function>write</function> and right
+ <function>write</function>, and right
after it add a blacklisting of
<function>write</function>, then
<function>write</function> will be
- removed from the set).
+ removed from the set.)
</para></listitem>
</varlistentry>
is triggered, instead of terminating
the process immediately. Takes an
error name such as
- <literal>EPERM</literal>,
- <literal>EACCES</literal> or
- <literal>EUCLEAN</literal>. When this
+ <constant>EPERM</constant>,
+ <constant>EACCES</constant> or
+ <constant>EUCLEAN</constant>. When this
setting is not used, or when the empty
- string is assigned the process will be
+ string is assigned, the process will be
terminated immediately when the filter
is triggered.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>SystemCallArchitectures=</varname></term>
+
+ <listitem><para>Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ <constant>x86</constant>,
+ <constant>x86-64</constant>,
+ <constant>x32</constant>,
+ <constant>arm</constant> as well as the
+ special identifier
+ <constant>native</constant>. Only system
+ calls of the specified architectures
+ will be permitted to processes of this
+ unit. This is an effective way to
+ disable compatibility with non-native
+ architectures for processes, for
+ example to prohibit execution of
+ 32-bit x86 binaries on 64-bit x86-64
+ systems. The special
+ <constant>native</constant> identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). Note
+ that setting this option to a
+ non-empty list implies that
+ <constant>native</constant> is included
+ too. By default, this option is set to
+ the empty list, i.e. no architecture
+ system call filtering is
+ applied.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>Personality=</varname></term>
+
+ <listitem><para>Controls which
+ kernel architecture
+ <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ shall report, when invoked by unit
+ processes. Takes one of
+ <constant>x86</constant> and
+ <constant>x86-64</constant>. This is
+ useful when running 32bit services on
+ a 64bit host system. If not specified
+ the personality is left unmodified and
+ thus reflects the personality of the
+ host system's
+ kernel.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
tty.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>$MAINPID</varname></term>
+
+ <listitem><para>The PID of the units
+ main process if it is known. This is
+ only set for control processes as
+ invoked by
+ <varname>ExecReload=</varname> and
+ similar. </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>$MANAGERPID</varname></term>
~ianmdlvl / elogind.git / blobdiff