X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=36643034913c91169fcce52b5b29a416ef42dfa3;hp=3f27d13c38201471e5ee2f2a9c76ce3eac931d8b;hb=417116f23432073162ebfcb286a7800846482eed;hpb=85b5673b337048fa881a5afb1d00d1a7b95950fb
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3f27d13c3..366430349 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -764,7 +764,7 @@
capability sets as documented in
cap_from_text3.
Note that these capability sets are
- usually influenced by the capabilities
+ usually influenced (and filtered) by the capabilities
attached to the executed file. Due to
that
CapabilityBoundingSet=
@@ -934,6 +934,63 @@
accessible).
+
+ ReadOnlySystem=
+
+ Takes a boolean
+ argument. If true, mounts the
+ /usr and
+ /boot directories
+ read-only for processes invoked by
+ this unit. This setting ensures that
+ any modification of the vendor
+ supplied operating system is
+ prohibited for the service. It is
+ recommended to enable this setting for
+ all long-running services, unless they
+ are involved with system updates or
+ need to modify the operating system in
+ other ways. Note however, that
+ processes retaining the CAP_SYS_ADMIN
+ capability can undo the effect of this
+ setting. This setting is hence
+ particularly useful for daemons which
+ have this capability removed, for
+ example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
+
+ ProtectedHome=
+
+ Takes a boolean
+ argument or
+ read-only. If true,
+ the directories
+ /home and
+ /run/user are
+ made inaccessible and empty for
+ processes invoked by this unit. If set
+ to read-only the
+ two directores are made read-only
+ instead. It is recommended to enable
+ this setting for all long-running
+ services (in particular network-facing
+ one), to ensure they cannot get access
+ to private user data, unless the
+ services actually require access to
+ the user's private data. Note however,
+ that processes retaining the
+ CAP_SYS_ADMIN capability can undo the
+ effect of this setting. This setting
+ is hence particularly useful for
+ daemons which have this capability
+ removed, for example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
MountFlags=
@@ -968,6 +1025,8 @@
namespace related options
(PrivateTmp=,
PrivateDevices=,
+ ReadOnlySystem=,
+ ProtectedHome=,
ReadOnlyDirectories=,
InaccessibleDirectories=
and