Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml | 89
1 files changed, 88 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 4d52982b64..4a3dd14c39 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1193,7 +1193,78 @@ <function>read</function> and <function>write</function>, and right after it add a blacklisting of <function>write</function>, then <function>write</function> - will be removed from the set.) </para></listitem> + will be removed from the set.)</para> + + <para>As the number of possible system + calls is large, predefined sets of system calls are provided. + A set starts with <literal>@</literal> character, followed by + name of the set. + + <table> + <title>Currently predefined system call sets</title> + + <tgroup cols='2'> + <colspec colname='set' /> + <colspec colname='description' /> + <thead> + <row> + <entry>Set</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry>@clock</entry> + <entry>System calls for changing the system clock (<function>adjtimex()</function>, + <function>settimeofday()</function>)</entry> + </row> + <row> + <entry>@io-event</entry> + <entry>Event loop use (<function>poll()</function>, <function>select()</function>, + <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, + <function>eventfd()</function>...)</entry> + </row> + <row> + <entry>@ipc</entry> + <entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry> + </row> + <row> + <entry>@module</entry> + <entry>Kernel module control (<function>create_module()</function>, <function>init_module()</function>...)</entry> + </row> + <row> + <entry>@mount</entry> + <entry>File system mounting and unmounting (<function>chroot()</function>, <function>mount()</function>...)</entry> + </row> + <row> + <entry>@network-io</entry> + <entry>Socket I/O (including local AF_UNIX): + <citerefentry 
project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry> + </row> + <row> + <entry>@obsolete</entry> + <entry>Unusual, obsolete or unimplemented (<function>fattach()</function>, <function>gtty()</function>, <function>vm86()</function>...)</entry> + </row> + <row> + <entry>@privileged</entry> + <entry>All system calls which need superuser capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry> + </row> + <row> + <entry>@process</entry> + <entry>Process control, execution, namespaces (<function>execve()</function>, <function>kill()</function>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>...)</entry> + </row> + <row> + <entry>@raw-io</entry> + <entry>Raw I/O ports (<function>ioperm()</function>, <function>iopl()</function>, <function>pciconfig_read()</function>...)</entry> + </row> + </tbody> + </tgroup> + </table> + + Note, that as new system calls are added to the kernel, additional system calls might be added to the groups + above, so the contents of the sets may change between systemd versions.</para></listitem> </varlistentry> <varlistentry> 
@@ -1317,6 +1388,22 @@ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem> </varlistentry> + <varlistentry> + <term><varname>MemoryDenyWriteExecute=</varname></term> + + <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and + executable at the same time, or to change existing memory mappings to become executable are prohibited. + Specifically, a system call filter is added that rejects + <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> + system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set + and <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> + system calls with <constant>PROT_EXEC</constant> set. Note that this option is incompatible with programs + that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making + use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes + harder for software exploits to change running code dynamically. + </para></listitem> + </varlistentry> + </variablelist> </refsect1> |
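Review bot: In the first hunk (the predefined system call sets), the new text should tell readers how a set interacts with the whitelist/blacklist semantics described just above it, i.e. whether a set can be given on its own, combined with individual system calls, and used on both sides of the `~` negation; as written the table only lists names and descriptions. Two smaller points in the same hunk: the sentence "A set starts with <literal>@</literal> character, followed by name of the set." is missing articles ("the <literal>@</literal> character, followed by the name of the set"), and "Note, that as new system calls are added" should drop the comma. Since the paragraph itself says set contents may change between systemd versions, it would also help to state the practical consequence for whitelist users: a service that is restricted with a set may need its filter revisited after an upgrade, because a set growing can silently widen what the service is allowed to call.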
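Review bot: In the second hunk (<varname>MemoryDenyWriteExecute=</varname>), the description never states the default; other boolean options in this file end with a "Defaults to off." style sentence, and this one should too. The sentence "it makes harder for software exploits to change running code dynamically" needs "it makes it harder". The text also only describes the two filtered calls, <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> with <constant>PROT_EXEC</constant>|<constant>PROT_WRITE</constant> and <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> with <constant>PROT_EXEC</constant>; it would be worth saying explicitly that the protection is exactly that seccomp filter and nothing more, so readers do not assume every route to writable-and-executable memory is closed off. Finally, the literal "trampoline" is written with bare double quotes; the rest of the document uses <literal> or <quote> markup for such terms.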