summaryrefslogtreecommitdiff
path: root/man/systemd.exec.xml
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-06-04 18:07:55 +0200
committerLennart Poettering <lennart@poettering.net>2014-06-04 18:12:55 +0200
commit1b8689f94983b47bf190e77ddb03a8fc6af15fb3 (patch)
tree7bb1324b3b882adaa0b8bf786f8848ccec156a94 /man/systemd.exec.xml
parent4c02dd7153f970244950b5e00f7bdfea8d2ff0be (diff)
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r--man/systemd.exec.xml25
1 files changed, 15 insertions, 10 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3664303491..d426ac0899 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -935,16 +935,21 @@
</varlistentry>
<varlistentry>
- <term><varname>ReadOnlySystem=</varname></term>
+ <term><varname>ProtectSystem=</varname></term>
<listitem><para>Takes a boolean
- argument. If true, mounts the
- <filename>/usr</filename> and
- <filename>/boot</filename> directories
- read-only for processes invoked by
- this unit. This setting ensures that
- any modification of the vendor
- supplied operating system is
+ argument or
+ <literal>full</literal>. If true,
+ mounts the <filename>/usr</filename>
+ and <filename>/boot</filename>
+ directories read-only for processes
+ invoked by this unit. If set to
+ <literal>full</literal> the
+ <filename>/etc</filename> is mounted
+ read-only, too. This setting ensures
+ that any modification of the vendor
+ supplied operating system (and
+ optionally its configuration) is
prohibited for the service. It is
recommended to enable this setting for
all long-running services, unless they
@@ -962,7 +967,7 @@
</varlistentry>
<varlistentry>
- <term><varname>ProtectedHome=</varname></term>
+ <term><varname>ProtectHome=</varname></term>
<listitem><para>Takes a boolean
argument or
@@ -977,7 +982,7 @@
instead. It is recommended to enable
this setting for all long-running
services (in particular network-facing
- one), to ensure they cannot get access
+ ones), to ensure they cannot get access
to private user data, unless the
services actually require access to
the user's private data. Note however,