Adding upstream version 4.23.0.upstream/4.23.0

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 75 insertions, 37 deletions

diff --git a/upstream/fedora-rawhide/man5/systemd.exec.5 b/upstream/fedora-rawhide/man5/systemd.exec.5
index 3e30d6d5..c08fb7a7 100644
--- a/upstream/fedora-rawhide/man5/systemd.exec.5
+++ b/upstream/fedora-rawhide/man5/systemd.exec.5
@@ -1,5 +1,5 @@
 '\" t
-.TH "SYSTEMD\&.EXEC" "5" "" "systemd 255" "systemd.exec"
+.TH "SYSTEMD\&.EXEC" "5" "" "systemd 256~rc3" "systemd.exec"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -171,10 +171,10 @@ is relative to the root of the system running the service manager\&. Note that s
 \fIRootDirectory=\fR
 .RS 4
 Takes a directory path relative to the host\*(Aqs root directory (i\&.e\&. the root of the system running the service manager)\&. Sets the root directory for executed processes, with the
+\fBpivot_root\fR(2)
+or
 \fBchroot\fR(2)
-system call\&. If this is used, it must be ensured that the process binary and all its auxiliary files are available in the
-\fBchroot()\fR
-jail\&. Note that setting this parameter might result in additional dependencies to be added to the unit (see above)\&.
+system call\&. If this is used, it must be ensured that the process binary and all its auxiliary files are available in the new root\&. Note that setting this parameter might result in additional dependencies to be added to the unit (see above)\&.
 .sp
 The
 \fIMountAPIVFS=\fR
@@ -211,6 +211,12 @@ BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdo
 .RE
 .\}
 
+In place of the directory path a
+"\&.v/"
+versioned directory may be specified, see
+\fBsystemd.v\fR(7)
+for details\&.
+.sp
 This option is only available for system services, or for services running in per\-user instances of the service manager in which case
 \fIPrivateUsers=\fR
 is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
@@ -268,6 +274,12 @@ file will be made available for the service (read\-only) as
 /run/host/os\-release\&. It will be updated automatically on soft reboot (see:
 \fBsystemd-soft-reboot.service\fR(8)), in case the service is configured to survive it\&.
 .sp
+In place of the image path a
+"\&.v/"
+versioned directory may be specified, see
+\fBsystemd.v\fR(7)
+for details\&.
+.sp
 This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
 .sp
 Added in version 233\&.
@@ -549,6 +561,10 @@ creates regular writable bind mounts (unless the source file system mount is alr
 \fIBindReadOnlyPaths=\fR
 creates read\-only bind mounts\&. These settings may be used more than once, each usage appends to the unit\*(Aqs list of bind mounts\&. If the empty string is assigned to either of these two options the entire list of bind mounts defined prior to this is reset\&. Note that in this case both read\-only and regular bind mounts are reset, regardless which of the two settings is used\&.
 .sp
+Using this option implies that a mount namespace is allocated for the unit, i\&.e\&. it implies the effect of
+\fIPrivateMounts=\fR
+(see below)\&.
+.sp
 This option is particularly useful when
 \fIRootDirectory=\fR/\fIRootImage=\fR
 is used\&. In this case the source path refers to a path on the host file system, while the destination path refers to a path below the root directory of the unit\&.
@@ -696,6 +712,12 @@ or
 below, as it may change the setting of
 \fIDevicePolicy=\fR\&.
 .sp
+In place of the image path a
+"\&.v/"
+versioned directory may be specified, see
+\fBsystemd.v\fR(7)
+for details\&.
+.sp
 This option is only available for system services and is not supported for services running in per\-user instances of the service manager\&.
 .sp
 Added in version 248\&.
@@ -733,6 +755,12 @@ or the host\&. See:
 .sp
 Note that usage from user units requires overlayfs support in unprivileged user namespaces, which was first introduced in kernel v5\&.11\&.
 .sp
+In place of the directory path a
+"\&.v/"
+versioned directory may be specified, see
+\fBsystemd.v\fR(7)
+for details\&.
+.sp
 This option is only available for system services, or for services running in per\-user instances of the service manager in which case
 \fIPrivateUsers=\fR
 is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the
@@ -837,17 +865,22 @@ Sets the supplementary Unix groups the processes are executed as\&. This takes a
 .PP
 \fISetLoginEnvironment=\fR
 .RS 4
-Takes a boolean parameter that controls whether to set
+Takes a boolean parameter that controls whether to set the
 \fI$HOME\fR,
 \fI$LOGNAME\fR, and
 \fI$SHELL\fR
-environment variables\&. If unset, this is controlled by whether
-\fIUser=\fR
-is set\&. If true, they will always be set for system services, i\&.e\&. even when the default user
+environment variables\&. If not set, this defaults to true if
+\fIUser=\fR,
+\fIDynamicUser=\fR
+or
+\fIPAMName=\fR
+are set, false otherwise\&. If set to true, the variables will always be set for system services, i\&.e\&. even when the default user
 "root"
-is used\&. If false, the mentioned variables are not set by systemd, no matter whether
-\fIUser=\fR
-is used or not\&. This option normally has no effect on user services, since these variables are typically inherited from user manager\*(Aqs own environment anyway\&.
+is used\&. If set to false, the mentioned variables are not set by the service manager, no matter whether
+\fIUser=\fR,
+\fIDynamicUser=\fR, or
+\fIPAMName=\fR
+are used or not\&. This option normally has no effect on services of the per\-user service manager, since in that case these variables are typically inherited from user manager\*(Aqs own environment anyway\&.
 .sp
 Added in version 255\&.
 .RE
@@ -1410,11 +1443,11 @@ Added in version 209\&.
 .PP
 \fIIgnoreSIGPIPE=\fR
 .RS 4
-Takes a boolean argument\&. If true, causes
+Takes a boolean argument\&. If true,
 \fBSIGPIPE\fR
-to be ignored in the executed process\&. Defaults to true because
+is ignored in the executed process\&. Defaults to true since
 \fBSIGPIPE\fR
-generally is useful only in shell pipelines\&.
+is generally only useful in shell pipelines\&.
 .RE
 .SH "SCHEDULING"
 .PP
@@ -1532,6 +1565,12 @@ Also note that some sandboxing functionality is generally not available in user
 \fIProtectSystem=\fR) are not available, as the underlying kernel functionality is only accessible to privileged processes\&. However, most namespacing settings, that will not work on their own in user services, will work when used in conjunction with
 \fIPrivateUsers=\fR\fBtrue\fR\&.
 .PP
+Note that the various options that turn directories read\-only (such as
+\fIProtectSystem=\fR,
+\fIReadOnlyPaths=\fR, \&...) do not affect the ability for programs to connect to and communicate with
+\fBAF_UNIX\fR
+sockets in these directories\&. These options cannot be used to lock down access to IPC services hence\&.
+.PP
 \fIProtectSystem=\fR
 .RS 4
 Takes a boolean argument or the special values
@@ -1556,7 +1595,10 @@ and
 \fIProtectKernelTunables=\fR,
 \fIProtectControlGroups=\fR)\&. This setting ensures that any modification of the vendor\-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service\&. It is recommended to enable this setting for all long\-running services, unless they are involved with system updates or need to modify the operating system in other ways\&. If this option is used,
 \fIReadWritePaths=\fR
-may be used to exclude specific directories from being made read\-only\&. This setting is implied if
+may be used to exclude specific directories from being made read\-only\&. Similar,
+\fIStateDirectory=\fR,
+\fILogsDirectory=\fR, \&... and related directory settings (see below) also exclude the specific directories from the effect of
+\fIProtectSystem=\fR\&. This setting is implied if
 \fIDynamicUser=\fR
 is set\&. This setting cannot ensure protection in all cases\&. In general it has the same limitations as
 \fIReadOnlyPaths=\fR, see below\&. Defaults to off\&.
@@ -2790,14 +2832,15 @@ and
 directories\&.
 .sp
 Other file system namespace unit settings \(em
-\fIPrivateMounts=\fR,
 \fIPrivateTmp=\fR,
 \fIPrivateDevices=\fR,
 \fIProtectSystem=\fR,
 \fIProtectHome=\fR,
 \fIReadOnlyPaths=\fR,
 \fIInaccessiblePaths=\fR,
-\fIReadWritePaths=\fR, \&... \(em also enable file system namespacing in a fashion equivalent to this option\&. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are used\&.
+\fIReadWritePaths=\fR,
+\fIBindPaths=\fR,
+\fIBindReadOnlyPaths=\fR, \&... \(em also enable file system namespacing in a fashion equivalent to this option\&. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are used\&.
 .sp
 This option is only available for system services, or for services running in per\-user instances of the service manager in which case
 \fIPrivateUsers=\fR
@@ -3481,7 +3524,7 @@ The
 option may be used to connect a specific file system object to standard output\&. The semantics are similar to the same option of
 \fIStandardInput=\fR, see above\&. If
 \fIpath\fR
-refers to a regular file on the filesystem, it is opened (created if it doesn\*(Aqt exist yet) for writing at the beginning of the file, but without truncating it\&. If standard input and output are directed to the same file path, it is opened only once \(em for reading as well as writing \(em and duplicated\&. This is particularly useful when the specified path refers to an
+refers to a regular file on the filesystem, it is opened (created if it doesn\*(Aqt exist yet using privileges of the user executing the systemd process) for writing at the beginning of the file, but without truncating it\&. If standard input and output are directed to the same file path, it is opened only once \(em for reading as well as writing \(em and duplicated\&. This is particularly useful when the specified path refers to an
 \fBAF_UNIX\fR
 socket in the file system, as in that case only a single stream connection is created for both input and output\&.
 .sp
@@ -3543,7 +3586,7 @@ on
 systemd\-journald\&.socket
 (also see the "Implicit Dependencies" section above)\&. Also note that in this case stdout (or stderr, see below) will be an
 \fBAF_UNIX\fR
-stream socket, and not a pipe or FIFO that can be re\-opened\&. This means when executing shell scripts the construct
+stream socket, and not a pipe or FIFO that can be reopened\&. This means when executing shell scripts the construct
 \fBecho "hello" > /dev/stderr\fR
 for writing text to stderr will not work\&. To mitigate this use the construct
 \fBecho "hello" >&2\fR
@@ -3678,6 +3721,8 @@ separated by whitespace\&. See
 for details on the journal field concept\&. Even though the underlying journal implementation permits binary field values, this setting accepts only valid UTF\-8 values\&. To include space characters in a journal field value, enclose the assignment in double quotes (")\&.
 The usual specifiers are expanded in all assignments (see below)\&. Note that this setting is not only useful for attaching additional metadata to log records of a unit, but given that all fields and values are indexed may also be used to implement cross\-unit log record matching\&. Assign an empty string to reset the list\&.
 .sp
+Note that this functionality is currently only available in system services, not in per\-user services\&.
+.sp
 Added in version 236\&.
 .RE
 .PP
@@ -3727,7 +3772,7 @@ would add a pattern matching
 "~foobar"
 to the allow list\&.
 .sp
-Log messages are tested against denied patterns (if any), then against allowed patterns (if any)\&. If a log message matches any of the denied patterns, it will be discarded, whatever the allowed patterns\&. Then, remaining log messages are tested against allowed patterns\&. Messages matching against none of the allowed pattern are discarded\&. If no allowed patterns are defined, then all messages are processed directly after going through denied filters\&.
+Log messages are tested against denied patterns (if any), then against allowed patterns (if any)\&. If a log message matches any of the denied patterns, it is discarded immediately without considering allowed patterns\&. Remaining log messages are tested against allowed patterns\&. Messages matching against none of the allowed pattern are discarded\&. If no allowed patterns are defined, then all messages are processed directly after going through denied filters\&.
 .sp
 Filtering is based on the unit for which
 \fILogFilterPatterns=\fR
@@ -3735,6 +3780,8 @@ is defined, meaning log messages coming from
 \fBsystemd\fR(1)
 about the unit are not taken into account\&. Filtered log messages won\*(Aqt be forwarded to traditional syslog daemons, the kernel log buffer (kmsg), the systemd console, or sent as wall messages to all logged\-in users\&.
 .sp
+Note that this functionality is currently only available in system services, not in per\-user services\&.
+.sp
 Added in version 253\&.
 .RE
 .PP
@@ -3934,6 +3981,8 @@ are searched as well\&.
 .sp
 If the file system path is omitted it is chosen identical to the credential name, i\&.e\&. this is a terse way to declare credentials to inherit from the service manager into a service\&. This option may be used multiple times, each time defining an additional credential to pass to the unit\&.
 .sp
+Note that if the path is not specified or a valid credential identifier is given, i\&.e\&. in the above two cases, a missing credential is not considered fatal\&.
+.sp
 If an absolute path referring to a directory is specified, every file in that directory (recursively) will be loaded as a separate credential\&. The ID for each credential will be the provided ID suffixed with
 "_$FILENAME"
 (e\&.g\&.,
@@ -3973,6 +4022,11 @@ for the details about
 or
 \fIDeviceAllow=\fR\&.
 .sp
+Note that encrypted credentials targeted for services of the per\-user service manager must be encrypted with
+\fBsystemd\-creds encrypt \-\-user\fR, and those for the system service manager without the
+\fB\-\-user\fR
+switch\&. Encrypted credentials are always targeted to a specific user or the system as a whole, and it is ensured that per\-user service managers cannot decrypt secrets intended for the system or for other users\&.
+.sp
 The credential files/IPC sockets must be accessible to the service manager, but don\*(Aqt have to be directly accessible to the unit\*(Aqs processes: the credential data is read and copied into separate, read\-only copies for the unit that are accessible to appropriately privileged processes\&. This is particularly useful in combination with
 \fIDynamicUser=\fR
 as this way privileged data can be made available to processes running under a dynamic UID (i\&.e\&. not a previously known one) without having to open up access to all users\&.
@@ -5547,23 +5601,7 @@ MONITOR_UNIT=mysuccess\&.service
 .\}
 .SH "SEE ALSO"
 .PP
-\fBsystemd\fR(1),
-\fBsystemctl\fR(1),
-\fBsystemd-analyze\fR(1),
-\fBjournalctl\fR(1),
-\fBsystemd-system.conf\fR(5),
-\fBsystemd.unit\fR(5),
-\fBsystemd.service\fR(5),
-\fBsystemd.socket\fR(5),
-\fBsystemd.swap\fR(5),
-\fBsystemd.mount\fR(5),
-\fBsystemd.kill\fR(5),
-\fBsystemd.resource-control\fR(5),
-\fBsystemd.time\fR(7),
-\fBsystemd.directives\fR(7),
-\fBtmpfiles.d\fR(5),
-\fBexec\fR(3),
-\fBfork\fR(2)
+\fBsystemd\fR(1), \fBsystemctl\fR(1), \fBsystemd-analyze\fR(1), \fBjournalctl\fR(1), \fBsystemd-system.conf\fR(5), \fBsystemd.unit\fR(5), \fBsystemd.service\fR(5), \fBsystemd.socket\fR(5), \fBsystemd.swap\fR(5), \fBsystemd.mount\fR(5), \fBsystemd.kill\fR(5), \fBsystemd.resource-control\fR(5), \fBsystemd.time\fR(7), \fBsystemd.directives\fR(7), \fBtmpfiles.d\fR(5), \fBexec\fR(3), \fBfork\fR(2)
 .SH "NOTES"
 .IP " 1." 4
 Discoverable Partitions Specification