diff --git a/man/system-only.xml b/man/system-only.xml
new file mode 100644
index 0000000000..94aa08bd6d
--- /dev/null
+++ b/man/system-only.xml
@@ -0,0 +1,16 @@
+
+
+
+
+
+
+
+This option is only available for system services and is not supported for services
+running in per-user instances of the service manager.
+
+These options are only available for system services and are not supported for services
+running in per-user instances of the service manager.
+
+
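Review bot: the two paragraphs in the new file differ only in number ("This option ... is" versus "These options ... are"), so they will drift apart the first time one of them is edited without the other; add a short comment at the top of system-only.xml saying that the first variant is meant for a single option and the second for a whole section or group of options, and that the two must be kept in sync.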
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 0ef2d88ea1..35df21f710 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -6,7 +6,7 @@
SPDX-License-Identifier: LGPL-2.1+
-->
-
+
systemd.exec
systemd
@@ -112,7 +112,9 @@
dependencies to be added to the unit (see above).
The MountAPIVFS= and PrivateUsers= settings are particularly useful
- in conjunction with RootDirectory=. For details, see below.
+ in conjunction with RootDirectory=. For details, see below.
+
+
@@ -126,14 +128,17 @@
url="https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable Partitions
Specification.
- When DevicePolicy= is set to closed or strict,
- or set to auto and DeviceAllow= is set, then this setting adds
- /dev/loop-control with rw mode, block-loop and
- block-blkext with rwm mode to DeviceAllow=. See
+ When DevicePolicy= is set to closed or
+ strict, or set to auto and DeviceAllow= is
+ set, then this setting adds /dev/loop-control with rw mode,
+ block-loop and block-blkext with rwm mode
+ to DeviceAllow=. See
systemd.resource-control5
for the details about DevicePolicy= or DeviceAllow=. Also, see
- PrivateDevices= below, as it may change the setting of DevicePolicy=.
-
+ PrivateDevices= below, as it may change the setting of
+ DevicePolicy=.
+
+
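Review bot: most of this hunk is a whitespace-only reflow of the RootImage= paragraph (the wording about DevicePolicy=, DeviceAllow=, /dev/loop-control, block-loop and block-blkext is unchanged), with the substantive addition confined to the last lines; putting the reflow in a separate commit would make the actual documentation change easier to review and to backport.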
@@ -147,7 +152,9 @@
will be a 1:1 copy of the host's, and include these three mounts. Note that the /dev file
system of the host is bind mounted if this option is used without PrivateDevices=. To run
the service with a private, minimal version of /dev/, combine this option with
- PrivateDevices=.
+ PrivateDevices=.
+
+
@@ -174,7 +181,9 @@
This option is particularly useful when RootDirectory=/RootImage=
is used. In this case the source path refers to a path on the host file system, while the destination path
- refers to a path below the root directory of the unit.
+ refers to a path below the root directory of the unit.
+
+
@@ -183,6 +192,8 @@
Credentials
+
+
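Review bot: placing the note directly under the Credentials section heading makes it apply to every option in that section, including any added later; either confirm that each option listed there is really unsupported in per-user service manager instances, or add a comment beside the include reminding contributors that new options in this section inherit the note.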
@@ -306,6 +317,8 @@
Capabilities
+
+
@@ -402,6 +415,9 @@ CapabilityBoundingSet=~CAP_B CAP_C
Mandatory Access Control
+
+
+
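Review bot: this hunk adds three lines under the Mandatory Access Control heading where the Credentials and Capabilities section hunks add two; confirm the extra line is intentional rather than a stray blank line, so that the rendered output is consistent across the three sections.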
@@ -815,7 +831,9 @@ CapabilityBoundingSet=~CAP_B CAP_C
ones), to ensure they cannot get access to private user data, unless the services actually require access to
the user's private data. This setting is implied if DynamicUser= is set. This setting cannot
ensure protection in all cases. In general it has the same limitations as ReadOnlyPaths=,
- see below.
+ see below.
+
+
@@ -1009,7 +1027,9 @@ StateDirectory=aaa/bbb ccc
Note that the effect of these settings may be undone by privileged processes. In order to set up an
effective sandboxed environment for a unit it is thus recommended to combine these settings with either
CapabilityBoundingSet=~CAP_SYS_ADMIN or
- SystemCallFilter=~@mount.
+ SystemCallFilter=~@mount.
+
+
@@ -1032,7 +1052,9 @@ StateDirectory=aaa/bbb ccc
TemporaryFileSystem=/var:ro
BindReadOnlyPaths=/var/lib/systemd
then the invoked processes by the unit cannot see any files or directories under /var except for
- /var/lib/systemd or its contents.
+ /var/lib/systemd or its contents.
+
+
@@ -1057,7 +1079,9 @@ BindReadOnlyPaths=/var/lib/systemd
Note that the implementation of this setting might be impossible (for example if mount namespaces are not
available), and the unit should be written in a way that does not solely rely on this setting for
- security.
+ security.
+
+
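Review bot: the unchanged context says the implementation "might be impossible (for example if mount namespaces are not available)" and that the unit must not rely on the setting for security; with the new note stating the option is unsupported in per-user instances, that caveat now covers only the remaining cases (a kernel or container without namespace support), so consider saying so explicitly, otherwise "not available" reads as the user-instance case the note already rules out. The same sentence recurs in the PrivateDevices= and PrivateUsers= hunks below and should get the same treatment.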
@@ -1087,7 +1111,9 @@ BindReadOnlyPaths=/var/lib/systemd
Note that the implementation of this setting might be impossible (for example if mount namespaces are not
available), and the unit should be written in a way that does not solely rely on this setting for
- security.
+ security.
+
+
@@ -1114,7 +1140,9 @@ BindReadOnlyPaths=/var/lib/systemd
When this option is used on a socket unit any sockets bound on behalf of this unit will be
bound within a private network namespace. This may be combined with
JoinsNamespaceOf= to listen on sockets inside of network namespaces of other
- services.
+ services.
+
+
@@ -1131,7 +1159,9 @@ BindReadOnlyPaths=/var/lib/systemd
units is reused.
When this option is used on a socket unit any sockets bound on behalf of this unit will be
- bound within the specified network namespace.
+ bound within the specified network namespace.
+
+
@@ -1157,7 +1187,9 @@ BindReadOnlyPaths=/var/lib/systemd
Note that the implementation of this setting might be impossible (for example if user namespaces are not
available), and the unit should be written in a way that does not solely rely on this setting for
- security.
+ security.
+
+
@@ -1172,7 +1204,9 @@ BindReadOnlyPaths=/var/lib/systemd
Note that when this option is enabled for a service hostname changes no longer propagate from
the system into the service, it is hence not suitable for services that need to take notice of system
- hostname changes dynamically.
+ hostname changes dynamically.
+
+
@@ -1193,7 +1227,9 @@ BindReadOnlyPaths=/var/lib/systemd
option does not prevent indirect changes to kernel tunables effected by IPC calls to other processes. However,
InaccessiblePaths= may be used to make relevant IPC file system objects inaccessible. If
ProtectKernelTunables= is set, MountAPIVFS=yes is
- implied.
+ implied.
+
+
@@ -1212,7 +1248,9 @@ BindReadOnlyPaths=/var/lib/systemd
kernel.modules_disabled mechanism and
/proc/sys/kernel/modules_disabled documentation. If turned on and if running in user
mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting
- User=), NoNewPrivileges=yes is implied.
+ User=), NoNewPrivileges=yes is implied.
+
+
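Review bot: the context directly before the added lines says "If turned on and if running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes is implied", i.e. it describes behaviour inside a per-user service manager, which conflicts with a note stating the option is not supported there. Either the note does not belong on ProtectKernelModules=, or that sentence should be reworded (for example by dropping "if running in user mode, or") so the two statements agree.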
@@ -1225,7 +1263,9 @@ BindReadOnlyPaths=/var/lib/systemd
it is hence recommended to turn this on for most services. For this setting the same restrictions regarding
mount propagation and privileges apply as for ReadOnlyPaths= and related calls, see
above. Defaults to off. If ProtectControlGroups= is set, MountAPIVFS=yes
- is implied.
+ is implied.
+
+
@@ -1364,7 +1404,9 @@ RestrictNamespaces=~cgroup net
DynamicUser= are used. It has no effect on IPC objects owned by the root user. Specifically,
this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If
multiple units use the same user or group the IPC objects are removed when the last of these units is
- stopped. This setting is implied if DynamicUser= is set.
+ stopped. This setting is implied if DynamicUser= is set.
+
+
@@ -1397,7 +1439,9 @@ RestrictNamespaces=~cgroup net
ProtectHome=, ReadOnlyPaths=, InaccessiblePaths=,
ReadWritePaths=, … — also enable file system namespacing in a fashion equivalent to this
option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are
- used.
+ used.
+
+
@@ -1426,7 +1470,8 @@ RestrictNamespaces=~cgroup net
Usually, it is best to leave this setting unmodified, and use higher level file system namespacing
options instead, in particular PrivateMounts=, see above.
-
+
+