X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=36643034913c91169fcce52b5b29a416ef42dfa3;hp=3f27d13c38201471e5ee2f2a9c76ce3eac931d8b;hb=417116f23432073162ebfcb286a7800846482eed;hpb=85b5673b337048fa881a5afb1d00d1a7b95950fb

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3f27d13c3..366430349 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -764,7 +764,7 @@
                                 capability sets as documented in
                                 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
                                 Note that these capability sets are
-                                usually influenced by the capabilities
+                                usually influenced (and filtered) by the capabilities
                                 attached to the executed file. Due to
                                 that
                                 <varname>CapabilityBoundingSet=</varname>
@@ -934,6 +934,63 @@
                                 accessible).</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>ReadOnlySystem=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, mounts the
+                                <filename>/usr</filename> and
+                                <filename>/boot</filename> directories
+                                read-only for processes invoked by
+                                this unit. This setting ensures that
+                                any modification of the vendor
+                                supplied operating system is
+                                prohibited for the service. It is
+                                recommended to enable this setting for
+                                all long-running services, unless they
+                                are involved with system updates or
+                                need to modify the operating system in
+                                other ways. Note however, that
+                                processes retaining the CAP_SYS_ADMIN
+                                capability can undo the effect of this
+                                setting. This setting is hence
+                                particularly useful for daemons which
+                                have this capability removed, for
+                                example with
+                                <varname>CapabilityBoundingSet=</varname>. Defaults
+                                to off.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>ProtectedHome=</varname></term>
+
+                                <listitem><para>Takes a boolean
+                                argument or
+                                <literal>read-only</literal>. If true,
+                                the directories
+                                <filename>/home</filename> and
+                                <filename>/run/user</filename> are
+                                made inaccessible and empty for
+                                processes invoked by this unit. If set
+                                to <literal>read-only</literal> the
+                                two directores are made read-only
+                                instead. It is recommended to enable
+                                this setting for all long-running
+                                services (in particular network-facing
+                                one), to ensure they cannot get access
+                                to private user data, unless the
+                                services actually require access to
+                                the user's private data. Note however,
+                                that processes retaining the
+                                CAP_SYS_ADMIN capability can undo the
+                                effect of this setting. This setting
+                                is hence particularly useful for
+                                daemons which have this capability
+                                removed, for example with
+                                <varname>CapabilityBoundingSet=</varname>. Defaults
+                                to off.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>MountFlags=</varname></term>
 
@@ -968,6 +1025,8 @@
                                 namespace related options
                                 (<varname>PrivateTmp=</varname>,
                                 <varname>PrivateDevices=</varname>,
+                                <varname>ReadOnlySystem=</varname>,
+                                <varname>ProtectedHome=</varname>,
                                 <varname>ReadOnlyDirectories=</varname>,
                                 <varname>InaccessibleDirectories=</varname>
                                 and