core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only

Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
author: Lennart Poettering <lennart@poettering.net> 2014-06-04 18:07:55 +0200
committer: Lennart Poettering <lennart@poettering.net> 2014-06-04 18:12:55 +0200
commit: 1b8689f94983b47bf190e77ddb03a8fc6af15fb3 (patch)
tree: 7bb1324b3b882adaa0b8bf786f8848ccec156a94 /man/systemd.exec.xml
parent: 4c02dd7153f970244950b5e00f7bdfea8d2ff0be (diff)
1 files changed, 15 insertions, 10 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3664303491..d426ac0899 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -935,16 +935,21 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>ReadOnlySystem=</varname></term>
+                                <term><varname>ProtectSystem=</varname></term>
 
                                 <listitem><para>Takes a boolean
-                                argument. If true, mounts the
-                                <filename>/usr</filename> and
-                                <filename>/boot</filename> directories
-                                read-only for processes invoked by
-                                this unit. This setting ensures that
-                                any modification of the vendor
-                                supplied operating system is
+                                argument or
+                                <literal>full</literal>. If true,
+                                mounts the <filename>/usr</filename>
+                                and <filename>/boot</filename>
+                                directories read-only for processes
+                                invoked by this unit. If set to
+                                <literal>full</literal> the
+                                <filename>/etc</filename> is mounted
+                                read-only, too. This setting ensures
+                                that any modification of the vendor
+                                supplied operating system (and
+                                optionally its configuration) is
                                 prohibited for the service. It is
                                 recommended to enable this setting for
                                 all long-running services, unless they
@@ -962,7 +967,7 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>ProtectedHome=</varname></term>
+                                <term><varname>ProtectHome=</varname></term>
 
                                 <listitem><para>Takes a boolean
                                 argument or
@@ -977,7 +982,7 @@
                                 instead. It is recommended to enable
                                 this setting for all long-running
                                 services (in particular network-facing
-                                one), to ensure they cannot get access
+                                ones), to ensure they cannot get access
                                 to private user data, unless the
                                 services actually require access to
                                 the user's private data. Note however,
author	Lennart Poettering <lennart@poettering.net>	2014-06-04 18:07:55 +0200
committer	Lennart Poettering <lennart@poettering.net>	2014-06-04 18:12:55 +0200
commit	1b8689f94983b47bf190e77ddb03a8fc6af15fb3 (patch)
tree	7bb1324b3b882adaa0b8bf786f8848ccec156a94 /man/systemd.exec.xml
parent	4c02dd7153f970244950b5e00f7bdfea8d2ff0be (diff)