path: root/man/systemd.exec.xml
Age | Commit message | Author
2014-02-26 | exec: imply NoNewPrivileges= only when seccomp filters are used in user mode | Lennart Poettering
2014-02-26 | core: add new RestrictAddressFamilies= switch | Lennart Poettering
This new unit setting allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-21 | core: Add AppArmor profile switching | Michael Scherer
This permits switching to a specific apparmor profile when starting a daemon. This will result in a non-operation if apparmor is disabled. It also adds a new build requirement on libapparmor for using this feature.
2014-02-19 | man: document $MAINPID | Lennart Poettering
2014-02-19 | core: add Personality= option for units to set the personality for spawned processes | Lennart Poettering
2014-02-18 | seccomp: add helper call to add all secondary archs to a seccomp filter | Lennart Poettering
And make use of it where appropriate for executing services and for nspawn.
2014-02-17 | doc: resolve missing/extraneous words or inappropriate forms | Jan Engelhardt
Issues fixed:
* missing words required by grammar
* duplicated or extraneous words
* inappropriate forms (e.g. singular/plural), and declinations
* orthographic misspellings
2014-02-17 | doc: update punctuation | Jan Engelhardt
Resolve spotted issues related to missing or extraneous commas, dashes.
2014-02-14 | man: replace STDOUT with standard output, etc. | Zbigniew Jędrzejewski-Szmek
Actually 'STDOUT' is something that doesn't appear anywhere: in the stdlib we have 'stdin', and there's only the constant STDOUT_FILENO, so there's no reason to use capitals. When referring to code, STDOUT/STDOUT/STDERR are replaced with stdin/stdout/stderr, and in other places they are replaced with normal phrases like standard output, etc.
2014-02-14 | man: fix grammatical errors and other formatting issues | Jason St. John
* standardize capitalization of STDIN, STDOUT, and STDERR
* reword some sentences for clarity
* reflow some very long lines to be shorter than ~80 characters
* add some missing <literal>, <constant>, <varname>, <option>, and <filename> tags
2014-02-13 | core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls | Lennart Poettering
Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-12 | core: rework syscall filter | Lennart Poettering
- Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process.
- Fix parsing logic when libseccomp support is turned off
- Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12 | syscallfilter: port to libseccomp | Ronny Chevalier
2014-02-10 | nspawn,man: use a common vocabulary when referring to selinux security contexts | Lennart Poettering
Let's always call the security labels the same way:
SMACK: "Smack Label"
SELINUX: "SELinux Security Context"
And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.
2014-02-10 | exec: Add support for ignoring errors on SELinuxContext by prefixing it with -, like for other settings. | Michael Scherer
Also remove call to security_check_context, as this doesn't serve anything, since setexeccon will fail anyway.
2014-02-10 | exec: Add SELinuxContext configuration item | Michael Scherer
This permits letting system administrators decide the domain of a service. This can be used with templated units to have each service in a different domain (for example, a per-customer database, using MLS or anything), or can be used to force a non-selinux-enabled system (jvm, erlang, etc) to start in a different domain for each service.
2014-01-20 | exec: introduce PrivateDevices= switch to provide services with a private /dev | Lennart Poettering
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.
2014-01-09 | man: mention which variables will be expanded in ExecStart | Zbigniew Jędrzejewski-Szmek
2013-12-25 | man: grammar and wording improvements | Jan Engelhardt
This is a recurring submission and includes corrections to:
- missing words, preposition choice.
- change of /lib to /usr/lib, because that is what most distros are using as the system-wide location for systemd/udev files.
2013-12-25 | man: improvements to comma placement | Jan Engelhardt
This is a recurring submission and includes corrections to: comma placement.
2013-11-27 | service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces | Lennart Poettering
2013-10-15 | man: wording and grammar updates | Jan Engelhardt
This is a recurring submission and includes corrections to various issues spotted. I guess I can just skip over reporting ubiquitous comma placement fixes…
2013-10-02 | execute.c: always set $SHELL | Zbigniew Jędrzejewski-Szmek
In e6dca81 $SHELL was added to user@.service. Let's instead provide it to all units which have a user.
2013-09-27 | man: drop references to "cgroup" where appropriate | Lennart Poettering
Since cgroups are mostly now an implementation detail of systemd let's deemphasize it a bit in the man pages. This renames systemd.cgroup(5) to systemd.resource-control(5) and uses the term "resource control" rather than "cgroup" where appropriate. This leaves the word "cgroup" in at a couple of places though, like for example systemd-cgtop and systemd-cgls where cgroup stuff is at the core of what is happening.
2013-09-17 | man: add a list of environment variables | Zbigniew Jędrzejewski-Szmek
2013-09-12 | man: wording and grammar updates | Jan Engelhardt
This is a recurring submission and includes corrections to various issues spotted. I guess I can just skip over reporting ubiquitous comma placement fixes…
Highlights in this particular commit:
- the "unsigned" type qualifier is completed to form a full type "unsigned int"
- alphabetic -> lexicographic (that way we automatically define how numbers get sorted)
2013-09-12 | man: Add a note about what environment variables are available by default | Zbigniew Jędrzejewski-Szmek
2013-09-10 | man: wording and grammar updates | Jan Engelhardt
This includes regularly-submitted corrections to comma setting and orthographical mishaps that appeared in man/ in recent commits. In this particular commit:
- the usual comma fixes
- expand contractions (this is prose)
2013-08-23 | "-" prefix for InaccessibleDirectories and ReadOnlyDirectories | Maciej Wereski
2013-07-19 | man: drop the old cgroup settings from the man pages | Lennart Poettering
2013-07-16 | man: use HTTPS links for links that support it | Jason St. John
2013-07-13 | man: wording and grammar update | Jan Engelhardt
2013-07-12 | man: document the slice and scope units, add systemd.cgroup(5) | Zbigniew Jędrzejewski-Szmek
2013-07-02 | man: add more formatting markup | Zbigniew Jędrzejewski-Szmek
2013-07-02 | man: improve grammar and word formatting in numerous man pages | Jason St. John
Use proper grammar, word usage, adjective hyphenation, commas, capitalization, spelling, etc. To improve readability, some run-on sentences or sentence fragments were revised. [zj: remove the space from 'file name', 'host name', and 'time zone'.]
2013-06-26 | man: use <constant> for various constants which look ugly with quotes | Zbigniew Jędrzejewski-Szmek
2013-06-20 | manager: add DefaultEnvironment option | Umut Tezduyar
This complements existing functionality of setting variables through 'systemctl set-environment', the kernel command line, and through normal environment variables for systemd in session mode.
2013-05-18 | Standardize on 'file system' and 'namespace' in man pages. | David Strauss
This change is based on existing usage in systemd and online. 'File-system' may make sense in adjectival form, but man pages seem to prefer 'file system' even in those situations.
2013-05-03 | man: add various filenames to the index | Zbigniew Jędrzejewski-Szmek
Everything which is an absolute filename marked with <filename></filename> lands in the index, unless noindex= attribute is present. Should make it easier for people to find stuff when they are looking at a file on disk. Various formatting errors in manpages are fixed, kernel-install(1) is restored to formatting sanity.
2013-04-08 | man: be clearer that it's not OK to manipulate systemd's own cgroup hierarchy | Lennart Poettering
2013-03-22 | exec: Assigning the empty string to CapabilityBoundSet= should drop all caps | Lennart Poettering
Previously, it would set all caps, but it should drop them all, anything else makes little sense. Also, document that this works as it does, and what to do in order to assign all caps to the bounding set. https://bugzilla.redhat.com/show_bug.cgi?id=914705
2013-03-15 | core: reuse the same /tmp, /var/tmp and inaccessible dir | Michal Sekletar
All Execs within the service, will get mounted the same /tmp and /var/tmp directories, if service is configured with PrivateTmp=yes. Temporary directories are cleaned up by service itself in addition to systemd-tmpfiles. Directory which is mounted as inaccessible is created at runtime in /run/systemd.
2013-02-13 | man: use <replaceable> in various places | Zbigniew Jędrzejewski-Szmek
2013-02-13 | man: rename systemd.conf to systemd-system.conf | Zbigniew Jędrzejewski-Szmek
Alias as systemd-user.conf is also provided. This should help users running systemd in session mode. https://bugzilla.redhat.com/show_bug.cgi?id=690868
2013-01-26 | man: extend systemd.directives(7) to all manual pages | Zbigniew Jędrzejewski-Szmek
New sections are added: PAM options, crypttab options, commandline options, miscellaneous. The last category will be used for all untagged <varname> elements. Commandline options section is meant to be a developer tool: when adding an option it is sometimes useful to be able to check if similarly named options exist elsewhere.
2013-01-26 | man: mention that PrivateTmp means /var/tmp too | Zbigniew Jędrzejewski-Szmek
2013-01-24 | man: systemd.exec - explicit Environment assignment | Frederic Crozat
Hi all, while working on another bug, I discovered the "strange" way systemd is parsing Environment= in .service and thought it was worth documenting (because I don't expect people to find this syntax by themselves unless they read the parsing code ;) Be more verbose about using space in Environment field and not using value of other variables Fixes https://bugzilla.redhat.com/show_bug.cgi?id=840260 [zj: expand and reformat the example a bit]
2013-01-18 | util: continuation support for load_env_file | Michal Vyskocil
Variable definitions can be written on more than one line - if each ends with a backslash, then is concatenated with a previous one. Only backslash and unix end of line (\n) are treated as a continuation. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=58083 [zj: squashed two patches together; cleaned up grammar; removed comment about ignoring trailing backslash -- it is not ignored.] Document continuation support in systemd.exec
2013-01-17 | units: for all unit settings that take lists, allow the empty string for resetting the lists | Lennart Poettering
https://bugzilla.redhat.com/show_bug.cgi?id=756787
2013-01-15 | man: add links to directive index to see-alsos | Zbigniew Jędrzejewski-Szmek
systemd.directives(5) is renamed to systemd.directives(7). Section 7 is "Miscellaneous".