execute: support syscall filtering using seccomp filters
[elogind.git] / man / systemd.exec.xml
index e6f49c9fd0769b49454c5d6a80fbcac8c055c13a..6e55d8dfcf87c62b279bcf4a07dd6f83bbfd0fe5 100644 (file)
@@ -9,16 +9,16 @@
   Copyright 2010 Lennart Poettering
 
   systemd is free software; you can redistribute it and/or modify it
   Copyright 2010 Lennart Poettering
 
   systemd is free software; you can redistribute it and/or modify it
-  under the terms of the GNU General Public License as published by
-  the Free Software Foundation; either version 2 of the License, or
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
   (at your option) any later version.
 
   systemd is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
   (at your option) any later version.
 
   systemd is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  General Public License for more details.
+  Lesser General Public License for more details.
 
 
-  You should have received a copy of the GNU General Public License
+  You should have received a copy of the GNU Lesser General Public License
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 -->
 
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 -->
 
@@ -44,7 +44,7 @@
 
         <refnamediv>
                 <refname>systemd.exec</refname>
 
         <refnamediv>
                 <refname>systemd.exec</refname>
-                <refpurpose>systemd execution environment configuration</refpurpose>
+                <refpurpose>Execution environment configuration</refpurpose>
         </refnamediv>
 
         <refsynopsisdiv>
         </refnamediv>
 
         <refsynopsisdiv>
 
                                 <listitem><para>Takes an absolute
                                 directory path. Sets the working
 
                                 <listitem><para>Takes an absolute
                                 directory path. Sets the working
-                                directory for executed
-                                processes.</para></listitem>
+                                directory for executed processes. If
+                                not set defaults to the root directory
+                                when systemd is running as a system
+                                instance and the respective user's
+                                home directory if run as
+                                user.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
                                 prefixes may be disabled with
                                 <varname>SyslogLevelPrefix=</varname>,
                                 see below. For details see
                                 prefixes may be disabled with
                                 <varname>SyslogLevelPrefix=</varname>,
                                 see below. For details see
-                                <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+                                <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
 
                                 Defaults to
                                 <option>info</option>.</para></listitem>
 
                                 Defaults to
                                 <option>info</option>.</para></listitem>
                                 these prefixes is disabled and the
                                 logged lines are passed on as-is. For
                                 details about this prefixing see
                                 these prefixes is disabled and the
                                 logged lines are passed on as-is. For
                                 details about this prefixing see
-                                <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+                                <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
                                 Defaults to true.</para></listitem>
                         </varlistentry>
 
                                 Defaults to true.</para></listitem>
                         </varlistentry>
 
                                 <term><varname>TimerSlackNSec=</varname></term>
                                 <listitem><para>Sets the timer slack
                                 in nanoseconds for the executed
                                 <term><varname>TimerSlackNSec=</varname></term>
                                 <listitem><para>Sets the timer slack
                                 in nanoseconds for the executed
-                                processes. The timer slack controls the
-                                accuracy of wake-ups triggered by
+                                processes. The timer slack controls
+                                the accuracy of wake-ups triggered by
                                 timers. See
                                 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
                                 for more information. Note that in
                                 contrast to most other time span
                                 definitions this parameter takes an
                                 timers. See
                                 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
                                 for more information. Note that in
                                 contrast to most other time span
                                 definitions this parameter takes an
-                                integer value in nano-seconds and does
-                                not understand any other
-                                units.</para></listitem>
+                                integer value in nano-seconds if no
+                                unit is specified. The usual time
+                                units are understood
+                                too.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
                                 is prefixed with ~ all but the listed
                                 capabilities will be included, the
                                 effect of the assignment
                                 is prefixed with ~ all but the listed
                                 capabilities will be included, the
                                 effect of the assignment
-                                inverted. Note that this option does
-                                not actually set or unset any
-                                capabilities in the effective,
-                                permitted or inherited capability
-                                sets. That's what
-                                <varname>Capabilities=</varname> is
-                                for. If this option is not used the
+                                inverted. Note that this option also
+                                effects the respective capabilities in
+                                the effective, permitted and
+                                inheritable capability sets, on top of
+                                what <varname>Capabilities=</varname>
+                                does. If this option is not used the
                                 capability bounding set is not
                                 modified on process execution, hence
                                 no limits on the capabilities of the
                                 capability bounding set is not
                                 modified on process execution, hence
                                 no limits on the capabilities of the
-                                process are enforced.</para></listitem>
+                                process are
+                                enforced.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
                                 <term><varname>BlockIOWriteBandwidth=</varname></term>
 
                                 <listitem><para>Set the per-device
                                 <term><varname>BlockIOWriteBandwidth=</varname></term>
 
                                 <listitem><para>Set the per-device
-                                overall block IO bandwith limit for
+                                overall block IO bandwidth limit for
                                 the executed processes. Takes a space
                                 separated pair of a file path and a
                                 the executed processes. Takes a space
                                 separated pair of a file path and a
-                                bandwith value (in bytes per second)
+                                bandwidth value (in bytes per second)
                                 to specify the device specific
                                 bandwidth. The file path may be
                                 specified as path to a block device
                                 node or as any other file in which
                                 case the backing block device of the
                                 file system of the file is determined.
                                 to specify the device specific
                                 bandwidth. The file path may be
                                 specified as path to a block device
                                 node or as any other file in which
                                 case the backing block device of the
                                 file system of the file is determined.
-                                If the bandwith is suffixed with K, M,
-                                G, or T the specified bandwith is
+                                If the bandwidth is suffixed with K, M,
+                                G, or T the specified bandwidth is
                                 parsed as Kilobytes, Megabytes,
                                 Gigabytes, resp. Terabytes (Example:
                                 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
                                 parsed as Kilobytes, Megabytes,
                                 Gigabytes, resp. Terabytes (Example:
                                 "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
                                 and
                                 <literal>blkio.write_bps_device</literal>
                                 control group attributes. Use this
                                 and
                                 <literal>blkio.write_bps_device</literal>
                                 control group attributes. Use this
-                                option multiple times to set bandwith
+                                option multiple times to set bandwidth
                                 limits for multiple devices. For
                                 details about these control group
                                 attributes see <ulink
                                 limits for multiple devices. For
                                 details about these control group
                                 attributes see <ulink
                                 shell pipelines.</para></listitem>
                         </varlistentry>
 
                                 shell pipelines.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>NoNewPrivileges=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true ensures that the
+                                service process and all its children
+                                can never gain new privileges. This
+                                option is more powerful than the respective
+                                secure bits flags (see above), as it
+                                also prohibits UID changes of any
+                                kind. This is the simplest, most
+                                effective way to ensure that a process
+                                and its children can never elevate
+                                privileges again.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>SystemCallFilter=</varname></term>
+
+                                <listitem><para>Takes a space
+                                separated list of system call
+                                names. If this setting is used all
+                                system calls executed by the unit
+                                process except for the listed ones
+                                will result in immediate process
+                                termination with the SIGSYS signal
+                                (whitelisting). If the first character
+                                of the list is <literal>~</literal>
+                                the effect is inverted: only the
+                                listed system calls will result in
+                                immediate process termination
+                                (blacklisting). If this option is used
+                                <varname>NoNewPrivileges=yes</varname>
+                                is implied. This feature makes use of
+                                the Secure Computing Mode 2 interfaces
+                                of the kernel ('seccomp filtering')
+                                and is useful for enforcing a minimal
+                                sandboxing environment. Note that the
+                                <function>execve</function>,
+                                <function>rt_sigreturn</function>,
+                                <function>sigreturn</function>,
+                                <function>exit_group</function>,
+                                <function>exit</function> system calls
+                                are implicitly whitelisted and don't
+                                need to be listed
+                                explicitly.</para></listitem>
+                        </varlistentry>
+
                 </variablelist>
         </refsect1>
 
                 </variablelist>
         </refsect1>
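Review bot: The new NoNewPrivileges= paragraph overstates the guarantee: PR_SET_NO_NEW_PRIVS only stops execve() from granting privileges (setuid/setgid bits, file capabilities), it does not stop a process that already holds CAP_SETUID from calling setuid() itself, so "prohibits UID changes of any kind" will mislead readers into thinking User= or CapabilityBoundingSet= is unnecessary. I would reword it to `can never gain new privileges through execve() (e.g. via setuid or setgid bits, or file system capabilities)` and drop the UID-change sentence. The SystemCallFilter= entry should also carry a caveat that the filter matches system calls by name only, so every argument of a listed call is permitted, and that system call numbers are per-ABI, so a whitelist built for the service's native ABI does not necessarily cover a 32-bit binary the service execs unless the generated BPF also checks the architecture (worth confirming against the execute.c side of this commit, which is not shown here). Finally, "also effects the respective capabilities" in the CapabilityBoundingSet= hunk should read "affects".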