Diffstat (limited to 'man')
-rw-r--r-- man/kernel-install.xml | 9
-rw-r--r-- man/sd_watchdog_enabled.xml | 4
-rw-r--r-- man/systemd.exec.xml | 50
-rw-r--r-- man/tmpfiles.d.xml | 28
4 files changed, 63 insertions, 28 deletions
diff --git a/man/kernel-install.xml b/man/kernel-install.xml index 4a8a46cef4..99b7970457 100644 --- a/man/kernel-install.xml +++ b/man/kernel-install.xml @@ -89,11 +89,12 @@ <listitem> <para><command>kernel-install</command> creates the directory <filename>/boot/<replaceable>MACHINE-ID</replaceable>/<replaceable>KERNEL-VERSION</replaceable>/</filename> - and calls every executable + and calls executables from <filename>/usr/lib/kernel/install.d/*.install</filename> and <filename>/etc/kernel/install.d/*.install</filename> with the arguments - <programlisting>add <replaceable>KERNEL-VERSION</replaceable> <filename>/boot/<replaceable>MACHINE-ID</replaceable>/<replaceable>KERNEL-VERSION</replaceable>/</filename></programlisting> + <programlisting>add <replaceable>KERNEL-VERSION</replaceable> \ + <filename>/boot/<replaceable>MACHINE-ID</replaceable>/<replaceable>KERNEL-VERSION</replaceable>/</filename> <replaceable>KERNEL-IMAGE</replaceable></programlisting> </para> <para>The kernel-install plugin <filename>50-depmod.install</filename> runs depmod for the <replaceable>KERNEL-VERSION</replaceable>.</para> @@ -119,7 +120,7 @@ <varlistentry> <term><command>remove <replaceable>KERNEL-VERSION</replaceable></command></term> <listitem> - <para>Calls every executable <filename>/usr/lib/kernel/install.d/*.install</filename> + <para>Calls executables from <filename>/usr/lib/kernel/install.d/*.install</filename> and <filename>/etc/kernel/install.d/*.install</filename> with the arguments <programlisting>remove <replaceable>KERNEL-VERSION</replaceable> <filename>/boot/<replaceable>MACHINE-ID</replaceable>/<replaceable>KERNEL-VERSION</replaceable>/</filename></programlisting> </para> @@ -138,7 +139,7 @@ <refsect1> <title>Exit status</title> - <para>If every executable returns with 0, 0 is returned, a non-zero failure code otherwise.</para> + <para>If every executable returns 0 or 77, 0 is returned, and a non-zero failure code otherwise.</para> </refsect1> <refsect1> 
diff --git a/man/sd_watchdog_enabled.xml b/man/sd_watchdog_enabled.xml index 3de9899453..759d9303c6 100644 --- a/man/sd_watchdog_enabled.xml +++ b/man/sd_watchdog_enabled.xml @@ -121,7 +121,7 @@ <xi:include href="libsystemd-pkgconfig.xml" xpointer="pkgconfig-text"/> - <para>Internally, this functions parses the + <para>Internally, this function parses the <varname>$WATCHDOG_PID</varname> and <varname>$WATCHDOG_USEC</varname> environment variable. The call will ignore these variables if <varname>$WATCHDOG_PID</varname> @@ -148,7 +148,7 @@ <listitem><para>Set by the system manager for supervised process for which watchdog support is enabled, and contains - the watchdog timeout in µs See above for + the watchdog timeout in µs. See above for details.</para></listitem> </varlistentry> </variablelist> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 0973f4047a..3b39a9c912 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1234,22 +1234,16 @@ <varlistentry> <term><varname>NoNewPrivileges=</varname></term> - <listitem><para>Takes a boolean argument. If true, ensures that the service - process and all its children can never gain new privileges through - <function>execve</function> (e.g. via setuid or setgid bits, or filesystem - capabilities). This is the simplest and most effective way to ensure that - a process and its children can never elevate privileges again. Defaults to false, - but in the user manager instance certain settings force - <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. - This is the case when <varname>SystemCallFilter=</varname>, - <varname>SystemCallArchitectures=</varname>, - <varname>RestrictAddressFamilies=</varname>, - <varname>PrivateDevices=</varname>, - <varname>ProtectKernelTunables=</varname>, - <varname>ProtectKernelModules=</varname>, - <varname>MemoryDenyWriteExecute=</varname>, or - <varname>RestrictRealtime=</varname> are specified. - </para></listitem> + <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can + never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem + capabilities). This is the simplest and most effective way to ensure that a process and its children can never + elevate privileges again. Defaults to false, but in the user manager instance certain settings force + <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. 
This is the case when + <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>, + <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>, + <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, + <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or + <varname>RestrictRealtime=</varname> are specified.</para></listitem> </varlistentry> <varlistentry> 
@@ -1468,6 +1462,30 @@ </varlistentry> <varlistentry> + <term><varname>RestrictNamespaces=</varname></term> + + <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details + about Linux namespaces, see + <citerefentry><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either takes a + boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no + restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is + prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of + any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>, + <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any + namespace type listed is made accessible to the unit's processes, access to namespace types not listed is + prohibited (whitelisting). By prepending the list with a single tilda character (<literal>~</literal>) the + effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are + permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied, + which is equivalent to false. Internally, this setting limits access to the + <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and + <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking + the specified flags parameters into account. 
Note that — if this option is used — in addition to restricting + creation and switching of the specified types of namespaces (or all of them, if true) access to the + <function>setns()</function> system call with a zero flags parameter is prohibited.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>ProtectKernelModules=</varname></term> <listitem><para>Takes a boolean argument. If true, explicit module loading will diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index e040a1636d..555e9c2d56 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml @@ -117,8 +117,8 @@ type, path, mode, ownership, age, and argument fields:</para> <programlisting>#Type Path Mode UID GID Age Argument - d /run/user 0755 root root 10d - - L /tmp/foobar - - - - /dev/null</programlisting> +d /run/user 0755 root root 10d - +L /tmp/foobar - - - - /dev/null</programlisting> <para>Fields may be enclosed within quotes and contain C-style escapes.</para> @@ -159,7 +159,7 @@ <term><varname>d</varname></term> <listitem><para>Create a directory. The mode and ownership will be adjusted if specified and the directory already exists. Contents of this directory are subject - to time based cleanup if the time argument is specified.</para></listitem> + to time based cleanup if the age argument is specified.</para></listitem> </varlistentry> <varlistentry> 
@@ -171,9 +171,13 @@ <varlistentry> <term><varname>e</varname></term> - <listitem><para>Similar to <varname>d</varname>, but the directory will not be - created if it does not exist. Lines of this type accept shell-style globs in - place of normal path names.</para></listitem> + <listitem><para>Similar to <varname>d</varname>, but the directory will not be created if + it does not exist. Lines of this type accept shell-style globs in place of normal path + names. For this entry to be useful, at least one of the mode, uid, gid, or age arguments + must be specified, since otherwise this entry has no effect. If the age argument is + <literal>0</literal>, contents of the directory will be unconditionally deleted every time + <command>systemd-tmpfiles --clean</command> is run. This can be useful when combined with + <varname>!</varname>, see the examples.</para></listitem> </varlistentry> <varlistentry> @@ -680,6 +684,18 @@ e /var/chache/dnf/ - - - 30d <filename>/var/chache/dnf/</filename> will be removed after they have not been accessed in 30 days.</para> </example> + + <example> + <title>Empty the contents of a cache directory on boot</title> + + <programlisting># /usr/lib/tmpfiles.d/krb5rcache.conf +e! /var/cache/krb5rcache - - - 0 +</programlisting> + + <para>Any files and subdirectories in <filename>/var/cache/krb5rcache/</filename> + will be removed on boot. The directory will not be created. + </para> + </example> </refsect1> <refsect1> |
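Review bot: in the first kernel-install.xml hunk (@@ -89,11 +89,12 @@) the new `add` synopsis passes a third argument, KERNEL-IMAGE, but nothing in the hunk says what that argument is (presumably the path of the kernel image being installed) or whether plugins must cope with its absence; the `remove` synopsis in the next hunk stays at two arguments, so one sentence describing KERNEL-IMAGE beside the `add` synopsis would keep the two verbs in step. The same hunk also turns "calls every executable" into "calls executables from", which reads as if some plugins are skipped; if that is intended, state the condition under which a plugin is skipped.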
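Review bot: the exit-status hunk of kernel-install.xml (@@ -138,7 +139,7 @@) makes 77 a second success code, yet no hunk in the patch tells plugin authors what returning 77 means or what the caller does with it (for example whether the remaining plugins still run). Add a sentence to the plugin description, otherwise a reader cannot distinguish the documented 77 from an ordinary failure that happens to be masked.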
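Review bot: both sd_watchdog_enabled.xml hunks leave a number-agreement problem right next to the line they fix. In the first, the function parses two variables, so "environment variable" on the following context line should be "environment variables"; in the second, "for supervised process for which" should be "for supervised processes for which". Both lines are adjacent to the edited ones and can be fixed in this same commit.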
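Review bot: the only content change in the NoNewPrivileges= hunk of systemd.exec.xml (@@ -1234,22 +1234,16 @@) is adding <varname>RestrictNamespaces=</varname> to the settings that force NoNewPrivileges=yes in the user manager, but the whole paragraph is reflowed in the same hunk, so the one substantive line is buried in twenty lines of churn. Either split the reflow into its own commit or call out the addition explicitly so reviewers of the user-manager behaviour can find it. The addition itself is consistent with the new RestrictNamespaces= entry, which, like SystemCallFilter=, is described further down as limiting access to the unshare(2), clone(2) and setns(2) system calls.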
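Review bot: in the new RestrictNamespaces= entry (@@ -1468,6 +1462,30 @@), "tilda" should be "tilde", and "Any namespace type listed is made accessible to the unit's processes, access to namespace types not listed is prohibited" is a comma splice (a semicolon or "while" fixes it). More useful to readers: the closing sentence says setns() with a zero flags parameter is prohibited whenever the option is set, but not why. Since the entry says the restriction is applied by taking the flags parameter into account, say that a zero flags value names no namespace type and therefore cannot be matched against the allowed list, so it is denied rather than silently permitted.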
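Review bot: the new text for the <varname>e</varname> type in tmpfiles.d.xml (@@ -171,9 +171,13 @@) states that with an age of 0 the contents are "unconditionally deleted every time systemd-tmpfiles --clean is run", and the same entry accepts shell-style globs, so a glob line with age 0 empties every matching directory on every clean run unless the line is marked with <varname>!</varname>, which is what limits the krb5rcache example to boot. That combination is destructive enough to deserve one explicit sentence next to the "see the examples" pointer rather than leaving the reader to infer it from the example.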
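Review bot: the context lines directly above the new example in tmpfiles.d.xml (@@ -680,6 +684,18 @@) show the existing dnf example spelled `/var/chache/dnf/` twice; it should be `/var/cache/dnf/`, and since this hunk already touches the region the typo can be fixed in the same commit. In the new example the prose writes `/var/cache/krb5rcache/` with a trailing slash while the configuration line has `/var/cache/krb5rcache` without one; harmless, but use one form in both places.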