From c10b460b5a29ceb1073079a18a92c939c9855c67 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 21 Feb 2018 09:10:27 +0900 Subject: [PATCH] man: add documents for TemporaryFileSystem= --- man/systemd.exec.xml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 730a7d0d064..169a4496325 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -932,6 +932,29 @@ CapabilityBoundingSet=~CAP_B CAP_C SystemCallFilter=~@mount. + + TemporaryFileSystem= + + Takes a space-separated list of mount points for temporary file systems (tmpfs). If set, a new file + system namespace is set up for executed processes, and a temporary file system is mounted on each mount point. + This option may be specified more than once, in which case temporary file systems are mounted on all listed mount + points. If the empty string is assigned to this option, the list is reset, and all prior assignments have no effect. + Each mount point may optionally be suffixed with a colon (:) and mount options such as + size=10% or ro. By default, each temporary file system is mounted + with nodev,strictatime,mode=0755. These can be disabled by explicitly specifying the corresponding + mount options, e.g., dev or nostrictatime. + + This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary + files or directories can be still accessed by combining with BindPaths= or + BindReadOnlyPaths=. See the example below. + + Example: if a unit has the following, + TemporaryFileSystem=/var:ro +BindReadOnlyPaths=/var/lib/systemd + then the invoked processes by the unit cannot see any files or directories under /var except for + /var/lib/systemd or its contents. + + PrivateTmp= -- 2.47.3
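Review bot: the new TemporaryFileSystem= entry lacks the security caveat that the neighbouring mount-namespace option carries; the unchanged context directly above the inserted block ends with "SystemCallFilter=~@mount.", which is the recommendation to combine such settings with a syscall or capability restriction because privileged processes can otherwise undo the mounts. TemporaryFileSystem= also sets up a new file system namespace, so the same warning belongs in this entry (and, if the other namespace options in this file carry the note that the setting may be impossible to implement where mount namespaces are unavailable and must not be the sole security measure, that note too); without it, readers will read the example "TemporaryFileSystem=/var:ro" as a guarantee that /var is hidden. Two smaller gaps in the same paragraph: it does not say how to pass more than one mount option after the colon (comma-separated as on the mount(8) command line? an example such as /var:ro,nosuid,noexec would settle it and would also make clear that nosuid and noexec are not part of the documented nodev,strictatime,mode=0755 default), and the example only works because bind mounts from BindPaths= and BindReadOnlyPaths= are applied after the tmpfs is mounted; that ordering is what the example depends on and should be stated explicitly rather than left to be inferred. Finally, grammar: "can be still accessed" should read "can still be accessed", and "the invoked processes by the unit cannot see" should read "the processes invoked by the unit cannot see".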