summaryrefslogtreecommitdiff
path: root/man
AgeCommit message (Collapse)Author
2016-09-28man: remove duplicate "the" for systemctl --plain (#4230)Alfie John
2016-09-28Merge pull request #4185 from endocode/djalal-sandbox-first-protection-v1Evgeny Vereshchagin
core:sandbox: Add new ProtectKernelTunables=, ProtectControlGroups=, ProtectSystem=strict and fixes
2016-09-26core: Fix USB functionfs activation and clarify its documentation (#4188)Paweł Szewczyk
There was no certainty about how the path in service file should look like for usb functionfs activation. Because of this it was treated differently in different places, which made this feature unusable. This patch fixes the path to be the *mount directory* of functionfs, not ep0 file path and clarifies in the documentation that ListenUSBFunction should be the location of functionfs mount point, not ep0 file itself.
2016-09-26machinectl: prefer user@ to --uid=user for shell (#4006)Zbigniew Jędrzejewski-Szmek
It seems to me that the explicit positional argument should have higher priority than "an option".
2016-09-26treewide: fix typos (#4217)Torstein Husebø
2016-09-25core: Use @raw-io syscall group to filter I/O syscalls when PrivateDevices= ↵Djalal Harouni
is set Instead of having a local syscall list, use the @raw-io group which contains the same set of syscalls to filter.
2016-09-25core:sandbox: add more /proc/* entries to ProtectKernelTunables=Djalal Harouni
Make ALSA entries, latency interface, mtrr, apm/acpi, suspend interface, filesystems configuration and IRQ tuning readonly. Most of these interfaces now days should be in /sys but they are still available through /proc, so just protect them. This patch does not touch /proc/net/...
2016-09-25doc: explicitly document that /dev/mem and /dev/port are blocked by ↵Djalal Harouni
PrivateDevices=true
2016-09-25doc: documentation fixes for ReadWritePaths= and ProtectKernelTunables=Djalal Harouni
Documentation fixes for ReadWritePaths= and ProtectKernelTunables= as reported by Evgeny Vereshchagin.
2016-09-25man: shorten the exit status table a bitLennart Poettering
Let's merge a couple of columns, to make the table a bit shorter. This effectively just drops whitespace, not contents, but makes the currently humungous table much much more compact.
2016-09-25man: the exit code/signal is stored in $EXIT_CODE, not $EXIT_STATUSLennart Poettering
2016-09-25man: rework documentation for ReadOnlyPaths= and related settingsLennart Poettering
This reworks the documentation for ReadOnlyPaths=, ReadWritePaths=, InaccessiblePaths=. It no longer claims that we'd follow symlinks relative to the host file system. (Which wasn't true actually, as we didn't follow symlinks at all in the most recent releases, and we know do follow them, but relative to RootDirectory=). This also replaces all references to the fact that all fs namespacing options can be undone with enough privileges and disable propagation by a single one in the documentation of ReadOnlyPaths= and friends, and then directs the read to this in all other places. Moreover a hint is added to the documentation of SystemCallFilter=, suggesting usage of ~@mount in case any of the fs namespacing related options are used.
2016-09-25man: in user-facing documentaiton don't reference C function namesLennart Poettering
Let's drop the reference to the cap_from_name() function in the documentation for the capabilities setting, as it is hardly helpful. Our readers are not necessarily C hackers knowing the semantics of cap_from_name(). Moreover, the strings we accept are just the plain capability names as listed in capabilities(7) hence there's really no point in confusing the user with anything else.
2016-09-25core: imply ProtectHome=read-only and ProtectSystem=strict if DynamicUser=1Lennart Poettering
Let's make sure that services that use DynamicUser=1 cannot leave files in the file system should the system accidentally have a world-writable directory somewhere. This effectively ensures that directories need to be whitelisted rather than blacklisted for access when DynamicUser=1 is set.
2016-09-25core: introduce ProtectSystem=strictLennart Poettering
Let's tighten our sandbox a bit more: with this change ProtectSystem= gains a new setting "strict". If set, the entire directory tree of the system is mounted read-only, but the API file systems /proc, /dev, /sys are excluded (they may be managed with PrivateDevices= and ProtectKernelTunables=). Also, /home and /root are excluded as those are left for ProtectHome= to manage. In this mode, all "real" file systems (i.e. non-API file systems) are mounted read-only, and specific directories may only be excluded via ReadWriteDirectories=, thus implementing an effective whitelist instead of blacklist of writable directories. While we are at, also add /efi to the list of paths always affected by ProtectSystem=. This is a follow-up for b52a109ad38cd37b660ccd5394ff5c171a5e5355 which added /efi as alternative for /boot. Our namespacing logic should respect that too.
2016-09-25core: add two new service settings ProtectKernelTunables= and ↵Lennart Poettering
ProtectControlGroups= If enabled, these will block write access to /sys, /proc/sys and /proc/sys/fs/cgroup.
2016-09-24Merge pull request #4182 from jkoelker/routetableZbigniew Jędrzejewski-Szmek
2016-09-24kernel-install: allow plugins to terminate the procedure (#4174)Zbigniew Jędrzejewski-Szmek
Replaces #4103.
2016-09-19networkd: Allow specifying RouteTable for RAsJason Kölker
2016-09-19networkd: Allow specifying RouteTable for DHCPJason Kölker
2016-09-17Merge pull request #4123 from keszybz/network-file-dropinsMartin Pitt
Network file dropins
2016-09-16man: mention that netdev,network files support dropinsZbigniew Jędrzejewski-Szmek
Also update the description of drop-ins in systemd.unit(5) to say that .d directories, not .conf files, are in /etc/system/system, /run/systemd/system, etc.
2016-09-16man: Update example for downloading a Fedora image (#4166)Stefan Schweter
2016-09-15man: update url to openpgpkey rfc (#4156)Stefan
2016-09-15Update systemctl.xml (#4151)kristbaum
2016-09-14networkd: add support to configure virtual CAN device (#4139)Susant Sahani
1. add support for kind vcan 2. fixup indention netlink-types.c, networkd-netdev.c
2016-09-13man: "disabled on" does not sound rightZbigniew Jędrzejewski-Szmek
2016-09-09man: drop kdbus descriptions from sd_b_negotiate_fds(3)Zbigniew Jędrzejewski-Szmek
2016-09-08man: add missing <constant> tag (#4109)Lucas Werkmeister
2016-08-31machinectl: split OS field in two; print ip addresses (#4058)Seraphime Kirkovski
This splits the OS field in two : one for the distribution name and one for the the version id. Dashes are written for missing fields. This also prints ip addresses of known machines. The `--max-addresses` option specifies how much ip addresses we want to see. The default is 1. When more than one address is written for a machine, a `,` follows it. If there are more ips than `--max-addresses`, `...` follows the last address.
2016-08-31networkd: add options to bridge (#4051)Tobias Jungel
This patch allows to configure AgeingTimeSec, Priority and DefaultPVID for bridge interfaces.
2016-08-31core: introduce MemorySwapMax= (#3659)Lennart Poettering
Similar to MemoryMax=, MemorySwapMax= limits swap usage. This controls controls "memory.swap.max" attribute in unified cgroup.
2016-08-31link : add support to configure LRO and GRO Offload featuresSusant Sahani
The patch supports to configure GenericReceiveOffload LargeReceiveOffload
2016-08-30link : add support to configure Offload features (#4017)Susant Sahani
This patch supports these features to be on or off Generic Segmentation Offload TCP Segmentation Offload UDP Segmentation Offload fixes #432
2016-08-30Merge pull request #4053 from brulon/force-unmountLennart Poettering
add ForceUnmount= setting for mount units
2016-08-30core: introduce MemorySwapMax=WaLyong Cho
Similar to MemoryMax=, MemorySwapMax= limits swap usage. This controls controls "memory.swap.max" attribute in unified cgroup.
2016-08-29man: systemd-journal-remote: do not use ulink tags for example addressesYu Watanabe
Applying ulink tags to example addresses adds meaningless references in NOTES section of the man page.
2016-08-29man: systemd.mount: DefaultTimeoutStart -> DefaultTimeoutStartSecYu Watanabe
2016-08-27mount: add new ForceUnmount= setting for mount units, mapping to umount(8)'s ↵Barron Rulon
"-f" switch
2016-08-26mount: add new LazyUnmount= setting for mount units, mapping to umount(8)'s ↵brulon
"-l" switch (#3827)
2016-08-22man: document the new --wait switch of systemd-runLennart Poettering
Also, make major improvements to the an page in general.
2016-08-22core: add Ref()/Unref() bus calls for unitsLennart Poettering
This adds two (privileged) bus calls Ref() and Unref() to the Unit interface. The two calls may be used by clients to pin a unit into memory, so that various runtime properties aren't flushed out by the automatic GC. This is necessary to permit clients to race-freely acquire runtime results (such as process exit status/code or accumulated CPU time) on successful service termination. Ref() and Unref() are fully recursive, hence act like the usual reference counting concept in C. Taking a reference is a privileged operation, as this allows pinning units into memory which consumes resources. Transient units may also gain a reference at the time of creation, via the new AddRef property (that is only defined for transient units at the time of creation).
2016-08-22man: document sd_bus_track objectsLennart Poettering
And while ware at it, also drop some references to kdbus, and stop claiming sd-bus wasn't stable yet. Also order man page references in the main sd-bus man page alphabetically.
2016-08-22man: don't claim arguments where const that actually are notLennart Poettering
2016-08-19Merge pull request #3909 from poettering/mount-toolEvgeny Vereshchagin
add a new tool for creating transient mount and automount units
2016-08-19Merge pull request #3987 from keszybz/console-color-setupLennart Poettering
Rework console color setup
2016-08-19Merge pull request #3955 from keszybz/fix-preset-allLennart Poettering
Fix preset-all
2016-08-19Merge pull request #3961 from keszybz/pr/3924Lennart Poettering
Add documentation to #3924
2016-08-19man: document that "systemctl switch-root" tries hard to pass state across ↵Lennart Poettering
(#3995) As suggested: https://github.com/systemd/systemd/pull/3958#issuecomment-240410958 Let's document that we try hard to pass system state from the initrd to the host, and even compare the systemd binary paths.
2016-08-19terminal-util: use getenv_bool for $SYSTEMD_COLORSZbigniew Jędrzejewski-Szmek
This changes the semantics a bit: before, SYSTEMD_COLORS= would be treated as "yes", same as SYSTEMD_COLORS=xxx and SYSTEMD_COLORS=1, and only SYSTEMD_COLORS=0 would be treated as "no". Now, only valid booleans are treated as "yes". This actually matches how $SYSTEMD_COLORS was announced in NEWS.