X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=3618b52808e86c4ae2dc974a5db92054aa09647b;hp=4818f3423c456dca96857588785f9c6c5d5018ab;hb=6b222c4b0227f9914446ac54754aea867f742be4;hpb=c92391f52fb335b529519ffffd91bbd3a83c8c64
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 4818f3423c4..3618b52808e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -66,9 +66,9 @@
will also gain an automatic After= dependency on
systemd-tmpfiles-setup.service8.
- Units whose standard output or error output is connected to ,
- or (or their combinations with console output, see below)
- automatically acquire dependencies of type After= on
+ Units whose standard output or error output is connected to or
+ (or their combinations with console output, see below) automatically acquire
+ dependencies of type After= on
systemd-journald.socket.Units using LogNamespace= will automatically gain ordering and
@@ -145,6 +145,57 @@
+
+ RootHash=
+
+ Takes a data integrity (dm-verity) root hash specified in hexadecimal, or the path to a file
+ containing a root hash in ASCII hexadecimal format. This option enables data integrity checks using dm-verity,
+ if the used image contains the appropriate integrity data (see above) or if RootVerity= is used.
+ The specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64
+ formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but
+ the image file carries the user.verity.roothash extended file attribute (see xattr7), then the root
+ hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or
+ is not supported by the underlying file system), but a file with the .roothash suffix is
+ found next to the image file, bearing otherwise the same name (except if the image has the
+ .raw suffix, in which case the root hash file must not have it in its name), the root hash
+ is read from it and automatically used, also as formatted hexadecimal characters.
+
+
+
+
+
+ RootHashSignature=
+
+ Takes a PKCS7 formatted binary signature of the RootHash= option as a path
+ to a DER encoded signature file or as an ASCII base64 string encoding of the DER encoded signature, prefixed
+ by base64:. The dm-verity volume will only be opened if the signature of the root hash
+ signature is valid and created by a public key present in the kernel keyring. If this option is not specified,
+ but a file with the .roothash.p7s suffix is found next to the image file, bearing otherwise
+ the same name (except if the image has the .raw suffix, in which case the signature file
+ must not have it in its name), the signature is read from it and automatically used.
+
+
+
+
+
+ RootVerity=
+
+ Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks
+ using dm-verity, if RootImage= is used and a root-hash is passed and if the used image itself
+ does not contains the integrity data. The integrity data must be matched by the root hash. If this option is not
+ specified, but a file with the .verity suffix is found next to the image file, bearing otherwise
+ the same name (except if the image has the .raw suffix, in which case the verity data file must
+ not have it in its name), the verity data is read from it and automatically used.
+
+ This option is supported only for disk images that contain a single file system, without an
+ enveloping partition table. Images that contain a GPT partition table should instead include both
+ root file system and matching Verity data in the same image, implementing the Discoverable Partition Specification.
+
+
+
+
MountAPIVFS=
@@ -281,7 +332,7 @@
files or directories. Moreover ProtectSystem=strict and
ProtectHome=read-only are implied, thus prohibiting the service to write to
arbitrary file system locations. In order to allow the service to write to certain directories, they
- have to be whitelisted using ReadWritePaths=, but care must be taken so that
+ have to be allow-listed using ReadWritePaths=, but care must be taken so that
UID/GID recycling doesn't create security issues involving files created by the service. Use
RuntimeDirectory= (see below) in order to assign a writable runtime directory to a
service, owned by the dynamic user/group and removed automatically when the unit is terminated. Use
@@ -460,10 +511,11 @@ CapabilityBoundingSet=~CAP_B CAP_C
AppArmorProfile=
- Takes a profile name as argument. The process executed by the unit will switch to this profile
- when started. Profiles must already be loaded in the kernel, or the unit will fail. This result in a non
- operation if AppArmor is not enabled. If prefixed by -, all errors will be ignored. This
- does not affect commands prefixed with +.
+ Takes a profile name as argument. The process executed by the unit will switch to
+ this profile when started. Profiles must already be loaded in the kernel, or the unit will fail. If
+ prefixed by -, all errors will be ignored. This setting has no effect if AppArmor
+ is not enabled. This setting not affect commands prefixed with +.
+
@@ -681,9 +733,9 @@ CapabilityBoundingSet=~CAP_B CAP_C
kernel default of private-anonymousshared-anonymouself-headersprivate-huge). See
- core5 for the
- meaning of the mapping types. When specified multiple times, all specified masks are ORed. When not
- set, or if the empty value is assigned, the inherited value is not changed.
+ core5
+ for the meaning of the mapping types. When specified multiple times, all specified masks are
+ ORed. When not set, or if the empty value is assigned, the inherited value is not changed.
Add DAX pages to the dump filter
@@ -829,7 +881,7 @@ CapabilityBoundingSet=~CAP_B CAP_C
in NUMAMask=. For more details on each policy please see,
set_mempolicy2. For overall
overview of NUMA support in Linux see,
- numa7
+ numa7.
@@ -1016,14 +1068,16 @@ CapabilityBoundingSet=~CAP_B CAP_C
RootDirectory= or RootImage= these paths always reside on the host and
are mounted from there into the unit's file system namespace.
- If DynamicUser= is used in conjunction with StateDirectory=,
- CacheDirectory= and LogsDirectory= is slightly altered: the directories
- are created below /var/lib/private, /var/cache/private and
+ If DynamicUser= is used in conjunction with
+ StateDirectory=, the logic for CacheDirectory= and
+ LogsDirectory= is slightly altered: the directories are created below
+ /var/lib/private, /var/cache/private and
/var/log/private, respectively, which are host directories made inaccessible to
- unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID
- recycling. Symbolic links are created to hide this difference in behaviour. Both from perspective of the host
- and from inside the unit, the relevant directories hence always appear directly below
- /var/lib, /var/cache and /var/log.
+ unprivileged users, which ensures that access to these directories cannot be gained through dynamic
+ user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
+ perspective of the host and from inside the unit, the relevant directories hence always appear
+ directly below /var/lib, /var/cache and
+ /var/log.Use RuntimeDirectory= to manage one or more runtime directories for the unit and bind
their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
@@ -1098,8 +1152,8 @@ StateDirectory=aaa/bbb ccc
clean â¦, see
systemctl1 for
details. Takes the usual time values and defaults to infinity, i.e. by default
- no time-out is applied. If a time-out is configured the clean operation will be aborted forcibly when
- the time-out is reached, potentially leaving resources on disk.
+ no timeout is applied. If a timeout is configured the clean operation will be aborted forcibly when
+ the timeout is reached, potentially leaving resources on disk.
@@ -1113,12 +1167,13 @@ StateDirectory=aaa/bbb ccc
contain symlinks, they are resolved relative to the root directory set with
RootDirectory=/RootImage=.
- Paths listed in ReadWritePaths= are accessible from within the namespace with the same
- access modes as from outside of it. Paths listed in ReadOnlyPaths= are accessible for
- reading only, writing will be refused even if the usual file access controls would permit this. Nest
- ReadWritePaths= inside of ReadOnlyPaths= in order to provide writable
- subdirectories within read-only directories. Use ReadWritePaths= in order to whitelist
- specific paths for write access if ProtectSystem=strict is used.
+ Paths listed in ReadWritePaths= are accessible from within the namespace
+ with the same access modes as from outside of it. Paths listed in ReadOnlyPaths=
+ are accessible for reading only, writing will be refused even if the usual file access controls would
+ permit this. Nest ReadWritePaths= inside of ReadOnlyPaths= in
+ order to provide writable subdirectories within read-only directories. Use
+ ReadWritePaths= in order to allow-list specific paths for write access if
+ ProtectSystem=strict is used.Paths listed in InaccessiblePaths= will be made inaccessible for processes inside
the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
@@ -1186,8 +1241,8 @@ BindReadOnlyPaths=/var/lib/systemd
PrivateTmp=Takes a boolean argument. If true, sets up a new file system namespace for the executed
- processes and mounts private /tmp and /var/tmp directories inside it
- that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of
+ processes and mounts private /tmp/ and /var/tmp/ directories inside it
+ that are not shared by processes outside of the namespace. This is useful to secure access to temporary files of
the process, but makes sharing between processes via /tmp or /var/tmp
impossible. If this is enabled, all temporary files created by a service in these directories will be removed
after the service is stopped. Defaults to false. It is possible to run two or more units within the same
@@ -1347,7 +1402,7 @@ BindReadOnlyPaths=/var/lib/systemd
this option removes CAP_SYS_TIME and CAP_WAKE_ALARM from the
capability bounding set for this unit, installs a system call filter to block calls that can set the
clock, and DeviceAllow=char-rtc r is implied. This ensures /dev/rtc0,
- /dev/rtc1, etc are made read only to the service. See
+ /dev/rtc1, etc. are made read-only to the service. See
systemd.resource-control5
for the details about DeviceAllow=.
@@ -1432,29 +1487,31 @@ BindReadOnlyPaths=/var/lib/systemd
RestrictAddressFamilies=
- Restricts the set of socket address families accessible to the processes of this unit. Takes a
- space-separated list of address family names to whitelist, such as AF_UNIX,
- AF_INET or AF_INET6. When prefixed with ~ the
- listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access
- to the socket2 system call
- only. Sockets passed into the process by other means (for example, by using socket activation with socket
- units, see systemd.socket5)
- are unaffected. Also, sockets created with socketpair() (which creates connected AF_UNIX
- sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le,
- ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other ABIs, including x86-64). Note that on
- systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for
- services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is
- recommended to combine this option with SystemCallArchitectures=native or similar. If
- running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability
- (e.g. setting User=nobody), NoNewPrivileges=yes is implied. By default,
- no restrictions apply, all address families are accessible to processes. If assigned the empty string, any
- previous address family restriction changes are undone. This setting does not affect commands prefixed with
- +.
+ Restricts the set of socket address families accessible to the processes of this
+ unit. Takes a space-separated list of address family names to allow-list, such as
+ AF_UNIX, AF_INET or AF_INET6. When
+ prefixed with ~ the listed address families will be applied as deny list,
+ otherwise as allow list. Note that this restricts access to the socket2
+ system call only. Sockets passed into the process by other means (for example, by using socket
+ activation with socket units, see
+ systemd.socket5)
+ are unaffected. Also, sockets created with socketpair() (which creates connected
+ AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x,
+ mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on other ABIs,
+ including x86-64). Note that on systems supporting multiple ABIs (such as x86/x86-64) it is
+ recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the
+ restrictions of this option. Specifically, it is recommended to combine this option with
+ SystemCallArchitectures=native or similar. If running in user mode, or in system
+ mode, but without the CAP_SYS_ADMIN capability (e.g. setting
+ User=nobody), NoNewPrivileges=yes is implied. By default, no
+ restrictions apply, all address families are accessible to processes. If assigned the empty string,
+ any previous address family restriction changes are undone. This setting does not affect commands
+ prefixed with +.Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
network protocols, such as AF_PACKET. Note that in most cases, the local
- AF_UNIX address family should be included in the configured whitelist as it is frequently
+ AF_UNIX address family should be included in the configured allow list as it is frequently
used for local communication, including for
syslog2
logging.
@@ -1472,9 +1529,9 @@ BindReadOnlyPaths=/var/lib/systemd
any combination of: cgroup, ipc, net,
mnt, pid, user and uts. Any
namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
- prohibited (whitelisting). By prepending the list with a single tilde character (~) the
+ prohibited (allow-listing). By prepending the list with a single tilde character (~) the
effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
- permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
+ permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied,
which is equivalent to false. This option may appear more than once, in which case the namespace types are
merged by OR, or by AND if the lines are prefixed with
~ (see examples below). Internally, this setting limits access to the
@@ -1642,7 +1699,7 @@ RestrictNamespaces=~cgroup net
mount propagation is used, but â as mentioned â as is applied
first, propagation from the unit's processes to the host is still turned off.
- It is not recommended to to use mount propagation for units, as this means
+ It is not recommended to use mount propagation for units, as this means
temporary mounts (such as removable media) of the host will stay mounted and thus indefinitely busy in forked
off processes, as unmount propagation events won't be received by the file system namespace of the unit.
@@ -1664,15 +1721,15 @@ RestrictNamespaces=~cgroup net
Takes a space-separated list of system call names. If this setting is used, all
system calls executed by the unit processes except for the listed ones will result in immediate
- process termination with the SIGSYS signal (whitelisting). (See
+ process termination with the SIGSYS signal (allow-listing). (See
SystemCallErrorNumber= below for changing the default action). If the first
character of the list is ~, the effect is inverted: only the listed system calls
- will result in immediate process termination (blacklisting). Blacklisted system calls and system call
+ will result in immediate process termination (deny-listing). Deny-listed system calls and system call
groups may optionally be suffixed with a colon (:) and errno
error number (between 0 and 4095) or errno name such as EPERM,
EACCES or EUCLEAN (see errno3 for a
- full list). This value will be returned when a blacklisted system call is triggered, instead of
+ full list). This value will be returned when a deny-listed system call is triggered, instead of
terminating the processes immediately. This value takes precedence over the one given in
SystemCallErrorNumber=, see below. If running in user mode, or in system mode,
but without the CAP_SYS_ADMIN capability (e.g. setting
@@ -1681,7 +1738,7 @@ RestrictNamespaces=~cgroup net
for enforcing a minimal sandboxing environment. Note that the execve,
exit, exit_group, getrlimit,
rt_sigreturn, sigreturn system calls and the system calls
- for querying time and sleeping are implicitly whitelisted and do not need to be listed
+ for querying time and sleeping are implicitly allow-listed and do not need to be listed
explicitly. This option may be specified more than once, in which case the filter masks are
merged. If the empty string is assigned, the filter is reset, all prior assignments will have no
effect. This does not affect commands prefixed with +.
@@ -1699,12 +1756,13 @@ RestrictNamespaces=~cgroup net
might be necessary to temporarily disable system call filters in order to simplify debugging of such
failures.
- If you specify both types of this option (i.e. whitelisting and blacklisting), the first encountered
- will take precedence and will dictate the default action (termination or approval of a system call). Then the
- next occurrences of this option will add or delete the listed system calls from the set of the filtered system
- calls, depending of its type and the default action. (For example, if you have started with a whitelisting of
- read and write, and right after it add a blacklisting of
- write, then write will be removed from the set.)
+ If you specify both types of this option (i.e. allow-listing and deny-listing), the first
+ encountered will take precedence and will dictate the default action (termination or approval of a
+ system call). Then the next occurrences of this option will add or delete the listed system calls
+ from the set of the filtered system calls, depending of its type and the default action. (For
+ example, if you have started with an allow list rule for read and
+ write, and right after it add a deny list rule for write,
+ then write will be removed from the set.)As the number of possible system calls is large, predefined sets of system calls are provided. A set
starts with @ character, followed by name of the set.
@@ -1748,7 +1806,7 @@ RestrictNamespaces=~cgroup net
@file-system
- File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.
+ File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links@io-event
@@ -1764,7 +1822,7 @@ RestrictNamespaces=~cgroup net
@memlock
- Locking of memory into RAM (mlock2, mlockall2 and related calls)
+ Locking of memory in RAM (mlock2, mlockall2 and related calls)@module
@@ -1788,7 +1846,7 @@ RestrictNamespaces=~cgroup net
@process
- Process control, execution, namespaceing operations (clone2, kill2, namespaces7, â¦
+ Process control, execution, namespaceing operations (clone2, kill2, namespaces7, â¦)@raw-io
@@ -1816,11 +1874,11 @@ RestrictNamespaces=~cgroup net
@sync
- Synchronizing files and memory to disk: (fsync2, msync2, and related calls)
+ Synchronizing files and memory to disk (fsync2, msync2, and related calls)@system-service
- A reasonable set of system calls used by common system services, excluding any special purpose calls. This is the recommended starting point for whitelisting system calls for system services, as it contains what is typically needed by system services, but excludes overly specific interfaces. For example, the following APIs are excluded: @clock, @mount, @swap, @reboot.
+ A reasonable set of system calls used by common system services, excluding any special purpose calls. This is the recommended starting point for allow-listing system calls for system services, as it contains what is typically needed by system services, but excludes overly specific interfaces. For example, the following APIs are excluded: @clock, @mount, @swap, @reboot.@timer
@@ -1836,9 +1894,10 @@ RestrictNamespaces=~cgroup net
systemd-analyze syscall-filter to list the actual list of system calls in each
filter.
- Generally, whitelisting system calls (rather than blacklisting) is the safer mode of operation. It is
- recommended to enforce system call whitelists for all long-running system services. Specifically, the
- following lines are a relatively safe basic choice for the majority of system services:
+ Generally, allow-listing system calls (rather than deny-listing) is the safer mode of
+ operation. It is recommended to enforce system call allow lists for all long-running system
+ services. Specifically, the following lines are a relatively safe basic choice for the majority of
+ system services:[Service]
SystemCallFilter=@system-service
@@ -1849,9 +1908,9 @@ SystemCallErrorNumber=EPERM
call may be used to execute operations similar to what can be done with the older
kill() system call, hence blocking the latter without the former only provides
weak protection. Since new system calls are added regularly to the kernel as development progresses,
- keeping system call blacklists comprehensive requires constant work. It is thus recommended to use
- whitelisting instead, which offers the benefit that new system calls are by default implicitly
- blocked until the whitelist is updated.
+ keeping system call deny lists comprehensive requires constant work. It is thus recommended to use
+ allow-listing instead, which offers the benefit that new system calls are by default implicitly
+ blocked until the allow list is updated.
Also note that a number of system calls are required to be accessible for the dynamic linker to
work. The dynamic linker is required for running most regular programs (specifically: all dynamic ELF
@@ -1893,7 +1952,7 @@ SystemCallErrorNumber=EPERM
manager is compiled for). If running in user mode, or in system mode, but without the
CAP_SYS_ADMIN capability (e.g. setting User=nobody),
NoNewPrivileges=yes is implied. By default, this option is set to the empty list, i.e. no
- system call architecture filtering is applied.
+ filtering is applied.
If this setting is used, processes of this unit will only be permitted to call native system calls, and
system calls of the specified architectures. For the purposes of this option, the x32 architecture is treated
@@ -2104,13 +2163,7 @@ SystemCallErrorNumber=EPERM
systemd.socket5 for more
details about named file descriptors and their ordering.
- This setting defaults to .
-
- Note that services which specify and use
- StandardInput= or StandardOutput= with
- //, should specify
- , to make sure that the tty initialization is
- finished before they start.
+ This setting defaults to .
@@ -2157,8 +2210,9 @@ SystemCallErrorNumber=EPERM
AF_UNIX socket in the file system, as in that case only a
single stream connection is created for both input and output.
- is similar to above, but it opens the file in append mode.
+ is similar to
+ above, but it opens the file in append mode.
+ connects standard output to a socket acquired via socket activation. The
semantics are similar to the same option of StandardInput=, see above.
@@ -2495,7 +2549,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
UnsetEnvironment= are removed again from the compiled environment variable list, immediately
before it is passed to the executed process.
- The following select environment variables are set or propagated by the service manager for each invoked
+ The following environment variables are set or propagated by the service manager for each invoked
process:
@@ -2566,7 +2620,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
$LOGS_DIRECTORY$CONFIGURATION_DIRECTORY
- Contains and absolute paths to the directories defined with
+ Absolute paths to the directories defined with
RuntimeDirectory=, StateDirectory=,
CacheDirectory=, LogsDirectory=, and
ConfigurationDirectory= when those settings are used.
@@ -2628,6 +2682,13 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
+
+ $LOG_NAMESPACE
+
+ If the LogNamespace= service setting is used, contains name of the
+ selected logging namespace.
+
+
$JOURNAL_STREAM
@@ -3165,7 +3226,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
242EXIT_NUMA_POLICY
- Failed to set up unit's NUMA memory policy. See NUMAPolicy= and NUMAMask=above.
+ Failed to set up unit's NUMA memory policy. See NUMAPolicy= and NUMAMask= above.