Diffstat (limited to 'man')

    man/systemd-detect-virt.xml            | 16
    man/systemd-vconsole-setup.service.xml | 28
    man/systemd.exec.xml                   | 23
    man/systemd.unit.xml                   |  3
    man/udev.xml                           |  4

5 files changed, 54 insertions, 20 deletions
diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml index 61a5f8937f..996c2fa256 100644 --- a/man/systemd-detect-virt.xml +++ b/man/systemd-detect-virt.xml @@ -50,7 +50,8 @@ <refsynopsisdiv> <cmdsynopsis> - <command>systemd-detect-virt <arg choice="opt" rep="repeat">OPTIONS</arg></command> + <command>systemd-detect-virt</command> + <arg choice="opt" rep="repeat">OPTIONS</arg> </cmdsynopsis> </refsynopsisdiv> @@ -218,6 +219,16 @@ </varlistentry> <varlistentry> + <term><option>--private-users</option></term> + + <listitem><para>Detect whether invoked in a user namespace. In this mode, no + output is written, but the return value indicates whether the process was invoked + inside of a user namespace or not. See + <citerefentry project='man-pages'><refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for more information.</para></listitem> + </varlistentry> + + <varlistentry> <term><option>-q</option></term> <term><option>--quiet</option></term> @@ -243,7 +254,8 @@ <para> <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, - <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> + <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry> </para> </refsect1> diff --git a/man/systemd-vconsole-setup.service.xml b/man/systemd-vconsole-setup.service.xml index e048258621..f2da2a7b77 100644 --- a/man/systemd-vconsole-setup.service.xml +++ b/man/systemd-vconsole-setup.service.xml 
@@ -43,23 +43,35 @@ <refnamediv> <refname>systemd-vconsole-setup.service</refname> <refname>systemd-vconsole-setup</refname> - <refpurpose>Configure the virtual console at boot</refpurpose> + <refpurpose>Configure the virtual consoles</refpurpose> </refnamediv> <refsynopsisdiv> <para><filename>systemd-vconsole-setup.service</filename></para> - <para><filename>/usr/lib/systemd/systemd-vconsole-setup</filename></para> + <cmdsynopsis> + <command>/usr/lib/systemd/systemd-vconsole-setup</command> + <arg choice="opt">TTY</arg> + </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> - <para><filename>systemd-vconsole-setup.service</filename> is an - early boot service that configures the virtual console font and - console keymap. Internally it calls - <citerefentry project='mankier'><refentrytitle>loadkeys</refentrytitle><manvolnum>1</manvolnum></citerefentry> - and - <citerefentry project='die-net'><refentrytitle>setfont</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + <para><filename>systemd-vconsole-setup</filename> is a helper used to prepare either all virtual consoles, or — if + the optional <replaceable>TTY</replaceable> parameter is provided — a specific one. When the system is booting up + it's called by <citerefentry><command>udev</command></citerefentry> during vtconsole subsystem initialization. + <productname>Systemd</productname> also calls it internally as needed via + <filename>systemd-vconsole-setup.service</filename>. The helper calls + <citerefentry project='mankier'><refentrytitle>loadkeys</refentrytitle><manvolnum>1</manvolnum></citerefentry> and + <citerefentry project='die-net'><refentrytitle>setfont</refentrytitle><manvolnum>8</manvolnum></citerefentry> + internally. 
+ </para> + + <para> + You may want to use this helper whenever you change <filename>vconsole.conf</filename> to + refresh the settings on your consoles — either through the <command>systemctl restart</command> / + <command>systemctl start</command> command or directly through the executable. + </para> <para>See <citerefentry><refentrytitle>vconsole.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f9a15d8db0..54ec7e29ca 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1234,13 +1234,22 @@ <varlistentry> <term><varname>NoNewPrivileges=</varname></term> - <listitem><para>Takes a boolean argument. If true, ensures - that the service process and all its children can never gain - new privileges. This option is more powerful than the - respective secure bits flags (see above), as it also prohibits - UID changes of any kind. This is the simplest, most effective - way to ensure that a process and its children can never - elevate privileges again.</para></listitem> + <listitem><para>Takes a boolean argument. If true, ensures that the service + process and all its children can never gain new privileges. This option is more + powerful than the respective secure bits flags (see above), as it also prohibits + UID changes of any kind. This is the simplest and most effective way to ensure that + a process and its children can never elevate privileges again. Defaults to false, + but in the user manager instance certain settings force + <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. + Those is the case when <varname>SystemCallFilter=</varname>, + <varname>SystemCallArchitectures=</varname>, + <varname>RestrictAddressFamilies=</varname>, + <varname>PrivateDevices=</varname>, + <varname>ProtectKernelTunables=</varname>, + <varname>ProtectKernelModules=</varname>, + <varname>MemoryDenyWriteExecute=</varname>, or + <varname>RestrictRealtime=</varname> are specified. + </para></listitem> </varlistentry> <varlistentry> diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 04efee2891..40c4cfd854 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml 
@@ -908,7 +908,8 @@ <varname>systemd-nspawn</varname>, <varname>docker</varname>, <varname>rkt</varname> to test - against a specific implementation. See + against a specific implementation, or + <varname>private-users</varname> to check whether we are running in a user namespace. See <citerefentry><refentrytitle>systemd-detect-virt</refentrytitle><manvolnum>1</manvolnum></citerefentry> for a full list of known virtualization technologies and their identifiers. If multiple virtualization technologies are diff --git a/man/udev.xml b/man/udev.xml index dd5563605c..3359fb0865 100644 --- a/man/udev.xml +++ b/man/udev.xml @@ -577,8 +577,8 @@ <para>The <varname>NAME</varname>, <varname>SYMLINK</varname>, <varname>PROGRAM</varname>, <varname>OWNER</varname>, - <varname>GROUP</varname>, <varname>MODE</varname>, and - <varname>RUN</varname> fields support simple string substitutions. + <varname>GROUP</varname>, <varname>MODE</varname>, <varname>SECLABEL</varname>, + and <varname>RUN</varname> fields support simple string substitutions. The <varname>RUN</varname> substitutions are performed after all rules have been processed, right before the program is executed, allowing for the use of device properties set by earlier matching rules. For all other |
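Review bot: The new `--private-users` entry in the systemd-detect-virt.xml hunk (@@ -218,6 +219,16) says "the return value indicates whether the process was invoked inside of a user namespace" but never states which exit status means which outcome, and anything scripting around this option (or the `ConditionVirtualization=` text that now points here) needs that convention spelled out. Suggest stating it explicitly in the same style as the other detection modes, for example "Exits with status 0 if invoked inside a user namespace, and non-zero otherwise", adjusted to whatever the implementation actually returns.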
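Review bot: The See Also hunk of systemd-detect-virt.xml (@@ -243,7 +254,8) adds `namespaces(7)`, but the option text added earlier in the same file cites `user_namespaces(7)`; consider listing `user_namespaces(7)` here as well so the reference the reader is most likely to follow is in the See Also section too.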
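Review bot: In the systemd-vconsole-setup.service.xml hunk, `<citerefentry><command>udev</command></citerefentry>` is not well-formed DocBook usage: `citerefentry` takes `refentrytitle` and `manvolnum` children, so this cross-reference will render incorrectly or fail validation. Suggest `<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>` (or whichever page is intended). Two smaller points in the same paragraph: `<productname>Systemd</productname>` uses a capitalised spelling while every other reference in these pages writes `systemd` in lower case, and "it's called by" should be "it is called by" to match the register of the surrounding text.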
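Review bot: In the systemd.exec.xml hunk, "Those is the case when" should read "This is the case when". Since this sentence is the security-relevant part of the `NoNewPrivileges=` entry, it would also help the reader to say briefly why the listed settings force `NoNewPrivileges=yes` in the user manager (an unprivileged manager cannot apply them otherwise), and to make explicit that the override is silent, which "ignoring the value of this setting" only implies; an administrator who sets `NoNewPrivileges=no` together with `SystemCallFilter=` in a user unit should be told clearly that the no-new-privileges flag will be set regardless.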
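Review bot: In the systemd.unit.xml hunk, "to check whether we are running in a user namespace" uses an informal "we" that the rest of the `ConditionVirtualization=` text avoids; suggest "to check whether the system is running in a user namespace". It would also be worth stating whether `private-users` is matched only when a user namespace is detected or also counts as "any virtualization" for the plain boolean form of the condition, since the sentence that follows speaks of multiple virtualization technologies.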
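Review bot: The udev.xml hunk adds `SECLABEL` to the list of fields supporting string substitutions, but the surrounding paragraph only describes the timing for `RUN` ("performed after all rules have been processed") and then says "For all other" fields. Because `SECLABEL` determines the security label applied to the device node, and substitutions can expand device-derived properties into it, the text should state explicitly when `SECLABEL` substitutions are evaluated and which properties are available at that point, so that administrators can reason about what a rule like `SECLABEL{selinux}="..."` with a substitution will actually produce.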