summaryrefslogtreecommitdiffstats
path: root/man
diff options
context:
space:
mode:
Diffstat (limited to 'man')
-rw-r--r--man/org.freedesktop.systemd1.xml41
-rw-r--r--man/systemd.exec.xml24
2 files changed, 57 insertions, 8 deletions
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index 7ade8c3e8b..05afb93f9b 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -3263,6 +3263,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly s PrivatePIDs = '...';
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectHome = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectSystem = '...';
@@ -4584,6 +4586,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="PrivateIPC"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="PrivatePIDs"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="ProtectHome"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectSystem"/>
@@ -4870,6 +4874,11 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Unlike boolean <varname>ProtectControlGroups</varname>, <varname>ProtectControlGroupsEx</varname>
is a string type.</para>
+
+ <para><varname>PrivatePIDs</varname> implements the destination parameter of the
+ unit file setting <varname>PrivatePIDs=</varname> listed in
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ Note <varname>PrivatePIDs</varname> is a string type to allow adding more values in the future.</para>
</refsect2>
</refsect1>
@@ -5439,6 +5448,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly s PrivatePIDs = '...';
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectHome = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectSystem = '...';
@@ -6744,6 +6755,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="PrivateIPC"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="PrivatePIDs"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="ProtectHome"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectSystem"/>
@@ -7442,6 +7455,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly s PrivatePIDs = '...';
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectHome = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectSystem = '...';
@@ -8585,6 +8600,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="PrivateIPC"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="PrivatePIDs"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="ProtectHome"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectSystem"/>
@@ -9412,6 +9429,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b PrivateIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly s PrivatePIDs = '...';
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectHome = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectSystem = '...';
@@ -10527,6 +10546,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="PrivateIPC"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="PrivatePIDs"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="ProtectHome"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectSystem"/>
@@ -12281,8 +12302,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>ExtraFileDescriptorNames</varname>,
<varname>ManagedOOMMemoryPressureDurationUSec</varname>,
<varname>BindLogSockets</varname>,
- <varname>ProtectControlGroupsEx</varname>, and
- <varname>PrivateUsersEx</varname> were added in version 257.</para>
+ <varname>ProtectControlGroupsEx</varname>,
+ <varname>PrivateUsersEx</varname>, and
+ <varname>PrivatePIDs</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Socket Unit Objects</title>
@@ -12323,8 +12345,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>ImportCredentialEx</varname>,
<varname>BindLogSockets</varname>,
<varname>PrivateUsersEx</varname>,
- <varname>ManagedOOMMemoryPressureDurationUSec</varname>, and
- <varname>ProtectControlGroupsEx</varname> were added in version 257.</para>
+ <varname>ManagedOOMMemoryPressureDurationUSec</varname>,
+ <varname>ProtectControlGroupsEx</varname>, and
+ <varname>PrivatePIDs</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Mount Unit Objects</title>
@@ -12362,8 +12385,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>ImportCredentialEx</varname>,
<varname>BindLogSockets</varname>,
<varname>PrivateUsersEx</varname>,
- <varname>ManagedOOMMemoryPressureDurationUSec</varname>, and
- <varname>ProtectControlGroupsEx</varname> were added in version 257.</para>
+ <varname>ManagedOOMMemoryPressureDurationUSec</varname>,
+ <varname>ProtectControlGroupsEx</varname>, and
+ <varname>PrivatePIDs</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Swap Unit Objects</title>
@@ -12401,8 +12425,9 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>ImportCredentialEx</varname>,
<varname>BindLogSockets</varname>,
<varname>PrivateUsersEx</varname>,
- <varname>ManagedOOMMemoryPressureDurationUSec</varname>, and
- <varname>ProtectControlGroupsEx</varname> were added in version 257.</para>
+ <varname>ManagedOOMMemoryPressureDurationUSec</varname>,
+ <varname>ProtectControlGroupsEx</varname>, and
+ <varname>PrivatePIDs</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Slice Unit Objects</title>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 30a926c9a0..b50f70ff42 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1977,6 +1977,30 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
</varlistentry>
<varlistentry>
+ <term><varname>PrivatePIDs=</varname></term>
+
+ <listitem><para>Takes a boolean argument. Defaults to false. If enabled, sets up a new PID namespace
+ for the executed processes. Each executed process is now PID 1 - the init process - in the new namespace.
+ <filename>/proc/</filename> is mounted such that only processes in the PID namespace are visible.
+ If <varname>PrivatePIDs=</varname> is set, <varname>MountAPIVFS=yes</varname> is implied.</para>
+
+ <para><varname>PrivatePIDs=</varname> is only supported for service units. This setting is not supported
+ with <varname>Type=forking</varname> since the kernel will kill all processes in the PID namespace if
+ the init process terminates.</para>
+
+ <para>This setting will be ignored if the kernel does not support PID namespaces.</para>
+
+ <para>Note unprivileged user services (i.e. a service run by the per-user instance of the service manager)
+ will fail with <varname>PrivatePIDs=yes</varname> if <filename>/proc/</filename> is masked
+ (i.e. <filename>/proc/kmsg</filename> is over-mounted with <constant>tmpfs</constant> like
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> does).
+ This is due to a kernel restriction not allowing unprivileged user namespaces to mount a less restrictive
+ instance of <filename>/proc/</filename>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>PrivateUsers=</varname></term>
<listitem><para>Takes a boolean argument or one of <literal>self</literal> or
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 02:47:29 +0100