X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=cc5442d45cf17be9b0c29051533cbf2428a44403;hp=413d81d330f1e6f93fc0f07512284786c6a626ef;hb=8d0e0ddda6501479eb69164687c83c1a7667b33a;hpb=4298d0b5128326621c8f537107c4c8b459490721
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 413d81d33..cc5442d45 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -340,9 +340,14 @@
The files listed with this
directive will be read shortly before
- the process is executed. Settings from
- these files override settings made
- with
+ the process is executed (more
+ specifically, after all
+ processes from a previous unit state
+ terminated. This means you can
+ generate these files in one unit
+ state, and read it with this option in
+ the next). Settings from these files
+ override settings made with
Environment=. If
the same variable is set twice from
these files, the files will be read in
@@ -686,31 +691,6 @@
for details.
-
- TCPWrapName=
- If this is a
- socket-activated service, this sets the
- tcpwrap service name to check the
- permission for the current connection
- with. This is only useful in
- conjunction with socket-activated
- services, and stream sockets (TCP) in
- particular. It has no effect on other
- socket types (e.g. datagram/UDP) and
- on processes unrelated to socket-based
- activation. If the tcpwrap
- verification fails, daemon start-up
- will fail and the connection is
- terminated. See
- tcpd8
- for details. Note that this option may
- be used to do access control checks
- only. Shell commands and commands
- described in
- hosts_options5
- are not supported.
-
-
CapabilityBoundingSet=
@@ -784,7 +764,7 @@
capability sets as documented in
cap_from_text3.
Note that these capability sets are
- usually influenced by the capabilities
+ usually influenced (and filtered) by the capabilities
attached to the executed file. Due to
that
CapabilityBoundingSet=
@@ -797,8 +777,8 @@
ReadOnlyDirectories=InaccessibleDirectories=
- Sets up a new
- file system namespace for executed
+ Sets up a new file
+ system namespace for executed
processes. These options may be used
to limit access a process might have
to the main file system
@@ -819,16 +799,14 @@
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
- of a directory. You must list
- submounts separately in these settings
- to ensure the same limited
- access. These options may be specified
+ of a directory that are created later
+ on. These options may be specified
more than once in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
- option, the specific list is reset, and
- all prior assignments have no
+ option, the specific list is reset,
+ and all prior assignments have no
effect.Paths in
ReadOnlyDirectories=
@@ -837,7 +815,15 @@
may be prefixed with
-, in which case
they will be ignored when they do not
- exist.
+ exist. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.
@@ -857,18 +843,61 @@
processes via
/tmp or
/var/tmp
- impossible. All temporary data created
- by service will be removed after
- the service is stopped. Defaults to
- false. Note that it is possible to run
- two or more units within the same
- private /tmp and
+ impossible. If this is enabled, all
+ temporary files created by a service
+ in these directories will be removed
+ after the service is stopped. Defaults
+ to false. It is possible to run two or
+ more units within the same private
+ /tmp and
/var/tmp
namespace by using the
JoinsNamespaceOf=
directive, see
systemd.unit5
- for details.
+ for details. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to install
+ mount points in the main mount
+ namespace.
+
+
+
+ PrivateDevices=
+
+ Takes a boolean
+ argument. If true, sets up a new /dev
+ namespace for the executed processes
+ and only adds API pseudo devices such
+ as /dev/null,
+ /dev/zero or
+ /dev/random (as
+ well as the pseudo TTY subsystem) to
+ it, but no physical devices such as
+ /dev/sda. This is
+ useful to securely turn off physical
+ device access by the executed
+ process. Defaults to false. Enabling
+ this option will also remove
+ CAP_MKNOD from
+ the capability bounding set for the
+ unit (see above), and set
+ DevicePolicy=closed
+ (see
+ systemd.resource-control5
+ for details). Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.
@@ -884,32 +913,84 @@
available to the executed process.
This is useful to securely turn off
network access by the executed
- process. Defaults to false. Note that
- it is possible to run two or more
- units within the same private network
+ process. Defaults to false. It is
+ possible to run two or more units
+ within the same private network
namespace by using the
JoinsNamespaceOf=
directive, see
systemd.unit5
- for details.
+ for details. Note that this option
+ will disconnect all socket families
+ from the host, this includes
+ AF_NETLINK and AF_UNIX. The latter has
+ the effect that AF_UNIX sockets in the
+ abstract socket namespace will become
+ unavailable to the processes (however,
+ those located in the file system will
+ continue to be
+ accessible).
- PrivateDevices=
+ ProtectSystem=Takes a boolean
- argument. If true, sets up a new /dev
- namespace for the executed processes
- and only adds API pseudo devices such
- as /dev/null,
- /dev/zero or
- /dev/random to
- it, but no physical devices such as
- /dev/sda. This is
- useful to securely turn off physical
- device access by the executed
- process. Defaults to
- false.
+ argument or
+ full. If true,
+ mounts the /usr
+ directory read-only for processes
+ invoked by this unit. If set to
+ full, the
+ /etc directory is mounted
+ read-only, too. This setting ensures
+ that any modification of the vendor
+ supplied operating system (and
+ optionally its configuration) is
+ prohibited for the service. It is
+ recommended to enable this setting for
+ all long-running services, unless they
+ are involved with system updates or
+ need to modify the operating system in
+ other ways. Note however that
+ processes retaining the CAP_SYS_ADMIN
+ capability can undo the effect of this
+ setting. This setting is hence
+ particularly useful for daemons which
+ have this capability removed, for
+ example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
+
+ ProtectHome=
+
+ Takes a boolean
+ argument or
+ read-only. If true,
+ the directories
+ /home and
+ /run/user are
+ made inaccessible and empty for
+ processes invoked by this unit. If set
+ to read-only, the
+ two directores are made read-only
+ instead. It is recommended to enable
+ this setting for all long-running
+ services (in particular network-facing
+ ones), to ensure they cannot get access
+ to private user data, unless the
+ services actually require access to
+ the user's private data. Note however
+ that processes retaining the
+ CAP_SYS_ADMIN capability can undo the
+ effect of this setting. This setting
+ is hence particularly useful for
+ daemons which have this capability
+ removed, for example with
+ CapabilityBoundingSet=. Defaults
+ to off.
@@ -920,13 +1001,45 @@
,
or
, which
- control whether the file system
- namespace set up for this unit's
- processes will receive or propagate
- new mounts. See
+ control whether mounts in the file
+ system namespace set up for this
+ unit's processes will receive or
+ propagate mounts or unmounts. See
mount2
- for details. Default to
- .
+ for details. Defaults to
+ . Use
+ to ensure that
+ mounts and unmounts are propagated
+ from the host to the container and
+ vice versa. Use
+ to run processes so that none of their
+ mounts and unmounts will propagate to
+ the host. Use
+ to also ensure that no mounts and
+ unmounts from the host will propagate
+ into the unit processes'
+ namespace. Note that
+ means that file
+ systems mounted on the host might stay
+ mounted continously in the unit's
+ namespace, and thus keep the device
+ busy. Note that the file system
+ namespace related options
+ (PrivateTmp=,
+ PrivateDevices=,
+ ReadOnlySystem=,
+ ProtectedHome=,
+ ReadOnlyDirectories=,
+ InaccessibleDirectories=
+ and
+ ReadWriteDirectories=)
+ require that mount and unmount
+ propagation from the unit's file
+ system namespace is disabled, and
+ hence downgrade
+ to
+ .
+
@@ -970,7 +1083,7 @@
AppArmorProfile=
- Take a profile name as argument.
+ Takes a profile name as argument.
The process executed by the unit will switch to
this profile when started. Profiles must already
be loaded in the kernel, or the unit will fail.
@@ -1010,8 +1123,8 @@
SystemCallFilter=
- Takes a space-separated
- list of system call
+ Takes a
+ space-separated list of system call
names. If this setting is used, all
system calls executed by the unit
processes except for the listed ones
@@ -1023,12 +1136,13 @@
the effect is inverted: only the
listed system calls will result in
immediate process termination
- (blacklisting). If this option is used,
+ (blacklisting). If running in user
+ mode and this option is used,
NoNewPrivileges=yes
- is implied. This feature makes use of
- the Secure Computing Mode 2 interfaces
- of the kernel ('seccomp filtering')
- and is useful for enforcing a minimal
+ is implied. This feature makes use of the
+ Secure Computing Mode 2 interfaces of
+ the kernel ('seccomp filtering') and
+ is useful for enforcing a minimal
sandboxing environment. Note that the
execve,
rt_sigreturn,
@@ -1096,28 +1210,31 @@
x86,
x86-64,
x32,
- arm as well as the
- special identifier
- native. Only system
- calls of the specified architectures
- will be permitted to processes of this
- unit. This is an effective way to
- disable compatibility with non-native
- architectures for processes, for
- example to prohibit execution of
- 32-bit x86 binaries on 64-bit x86-64
- systems. The special
+ arm as well as
+ the special identifier
+ native. Only
+ system calls of the specified
+ architectures will be permitted to
+ processes of this unit. This is an
+ effective way to disable compatibility
+ with non-native architectures for
+ processes, for example to prohibit
+ execution of 32-bit x86 binaries on
+ 64-bit x86-64 systems. The special
native identifier
implicitly maps to the native
architecture of the system (or more
strictly: to the architecture the
- system manager is compiled for). Note
- that setting this option to a
- non-empty list implies that
- native is included
- too. By default, this option is set to
- the empty list, i.e. no architecture
- system call filtering is
+ system manager is compiled for). If
+ running in user mode and this option
+ is used,
+ NoNewPrivileges=yes
+ is implied. Note that setting this
+ option to a non-empty list implies
+ that native is
+ included too. By default, this option
+ is set to the empty list, i.e. no
+ architecture system call filtering is
applied.
@@ -1148,19 +1265,22 @@
(which creates connected AF_UNIX
sockets only) are unaffected. Note
that this option has no effect on
- 32bit x86 and is ignored (but works
- correctly on x86-64). By default no
+ 32-bit x86 and is ignored (but works
+ correctly on x86-64). If running in user
+ mode and this option is used,
+ NoNewPrivileges=yes
+ is implied. By default, no
restriction applies, all address
families are accessible to
processes. If assigned the empty
- string any previous list changes are
+ string, any previous list changes are
undone.Use this option to limit
exposure of processes to remote
systems, in particular via exotic
network protocols. Note that in most
- cases the local
+ cases, the local
AF_UNIX address
family should be included in the
configured whitelist as it is
@@ -1180,14 +1300,54 @@
processes. Takes one of
x86 and
x86-64. This is
- useful when running 32bit services on
- a 64bit host system. If not specified
+ useful when running 32-bit services on
+ a 64-bit host system. If not specified,
the personality is left unmodified and
thus reflects the personality of the
host system's
kernel.
+
+ RuntimeDirectory=
+ RuntimeDirectoryMode=
+
+ Takes a list of
+ directory names. If set, one or more
+ directories by the specified names
+ will be created below
+ /run (for system
+ services) or below
+ $XDG_RUNTIME_DIR
+ (for user services) when the unit is
+ started, and removed when the unit is
+ stopped. The directories will have the
+ access mode specified in
+ RuntimeDirectoryMode=,
+ and will be owned by the user and
+ group specified in
+ User= and
+ Group=. Use this to
+ manage one or more runtime directories
+ of the unit and bind their lifetime to
+ the daemon runtime. The specified
+ directory names must be relative, and
+ may not include a
+ /, i.e. must refer
+ to simple directories to create or
+ remove. This is particularly useful
+ for unprivileged daemons that cannot
+ create runtime directories in
+ /run due to lack
+ of privileges, and to make sure the
+ runtime directory is cleaned up
+ automatically after use. For runtime
+ directories that require more complex
+ or different configuration or lifetime
+ guarantees, please consider using
+ tmpfiles.d5.
+
+
@@ -1328,7 +1488,7 @@
systemd.setenv= (see
systemd1). Additional
variables may also be set through PAM,
- c.f. pam_env8.
+ cf. pam_env8.
@@ -1345,6 +1505,7 @@
systemd.kill5,
systemd.resource-control5,
systemd.directives7,
+ tmpfiles.d5,
exec3