diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md
index 5684911fd3..3b81d8f737 100644
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@@ -2,6 +2,7 @@
title: systemd Repository Architecture
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Code Map
diff --git a/docs/AUTOMATIC_BOOT_ASSESSMENT.md b/docs/AUTOMATIC_BOOT_ASSESSMENT.md
index f6d63afcdf..daba9502ec 100644
--- a/docs/AUTOMATIC_BOOT_ASSESSMENT.md
+++ b/docs/AUTOMATIC_BOOT_ASSESSMENT.md
@@ -2,6 +2,7 @@
title: Automatic Boot Assessment
category: Booting
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Automatic Boot Assessment
diff --git a/docs/BLOCK_DEVICE_LOCKING.md b/docs/BLOCK_DEVICE_LOCKING.md
index 82df155f1e..428e4e3fbf 100644
--- a/docs/BLOCK_DEVICE_LOCKING.md
+++ b/docs/BLOCK_DEVICE_LOCKING.md
@@ -2,6 +2,7 @@
title: Locking Block Device Access
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Locking Block Device Access
diff --git a/docs/BOOT_LOADER_INTERFACE.md b/docs/BOOT_LOADER_INTERFACE.md
index e9155117b9..0e0eab7a28 100644
--- a/docs/BOOT_LOADER_INTERFACE.md
+++ b/docs/BOOT_LOADER_INTERFACE.md
@@ -2,6 +2,7 @@
title: Boot Loader Interface
category: Booting
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# The Boot Loader Interface
diff --git a/docs/BOOT_LOADER_SPECIFICATION.md b/docs/BOOT_LOADER_SPECIFICATION.md
index 7b5b19700a..54fa5f04fd 100644
--- a/docs/BOOT_LOADER_SPECIFICATION.md
+++ b/docs/BOOT_LOADER_SPECIFICATION.md
@@ -2,6 +2,7 @@
title: Boot Loader Specification
category: Booting
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# The Boot Loader Specification
diff --git a/docs/CGROUP_DELEGATION.md b/docs/CGROUP_DELEGATION.md
index 292e3a8ed2..aeb2be97b3 100644
--- a/docs/CGROUP_DELEGATION.md
+++ b/docs/CGROUP_DELEGATION.md
@@ -2,6 +2,7 @@
title: Control Group APIs and Delegation
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Control Group APIs and Delegation
diff --git a/docs/CODE_OF_CONDUCT.md b/docs/CODE_OF_CONDUCT.md
index b906bf5acb..8e5455d302 100644
--- a/docs/CODE_OF_CONDUCT.md
+++ b/docs/CODE_OF_CONDUCT.md
@@ -2,6 +2,7 @@
title: systemd Community Conduct Guidelines
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# The systemd Community Conduct Guidelines
diff --git a/docs/CODE_QUALITY.md b/docs/CODE_QUALITY.md
index 0933a0e495..4b76a1055e 100644
--- a/docs/CODE_QUALITY.md
+++ b/docs/CODE_QUALITY.md
@@ -2,6 +2,7 @@
title: Code Quality Tools
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Code Quality Tools
diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md
index 54150e1ee7..b3c197250a 100644
--- a/docs/CODING_STYLE.md
+++ b/docs/CODING_STYLE.md
@@ -2,6 +2,7 @@
title: Coding Style
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Coding Style
diff --git a/docs/CONTAINER_INTERFACE.md b/docs/CONTAINER_INTERFACE.md
index ff458bd770..54b94e2342 100644
--- a/docs/CONTAINER_INTERFACE.md
+++ b/docs/CONTAINER_INTERFACE.md
@@ -2,6 +2,7 @@
title: Container Interface
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# The Container Interface
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index cab0074ca5..219b2ffded 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -2,6 +2,7 @@
title: Contributing
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Contributing
diff --git a/docs/CONVERTING_TO_HOMED.md b/docs/CONVERTING_TO_HOMED.md
index 78b6c61631..1c77a46b7e 100644
--- a/docs/CONVERTING_TO_HOMED.md
+++ b/docs/CONVERTING_TO_HOMED.md
@@ -2,6 +2,7 @@
title: Converting Existing Users to systemd-homed
category: Users, Groups and Home Directories
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Converting Existing Users to systemd-homed managed Users
diff --git a/docs/COREDUMP_PACKAGE_METADATA.md b/docs/COREDUMP_PACKAGE_METADATA.md
index f27f835064..9936703c76 100644
--- a/docs/COREDUMP_PACKAGE_METADATA.md
+++ b/docs/COREDUMP_PACKAGE_METADATA.md
@@ -2,6 +2,7 @@
title: Package Metadata for Core Files
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Package Metadata for Core Files
diff --git a/docs/DESKTOP_ENVIRONMENTS.md b/docs/DESKTOP_ENVIRONMENTS.md
index 9ae1aefb20..b5195da26c 100644
--- a/docs/DESKTOP_ENVIRONMENTS.md
+++ b/docs/DESKTOP_ENVIRONMENTS.md
@@ -2,6 +2,7 @@
title: Desktop Environment Integration
category: Concepts
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Desktop Environments
diff --git a/docs/DISCOVERABLE_PARTITIONS.md b/docs/DISCOVERABLE_PARTITIONS.md
index bd4cb24602..a09ee62737 100644
--- a/docs/DISCOVERABLE_PARTITIONS.md
+++ b/docs/DISCOVERABLE_PARTITIONS.md
@@ -2,6 +2,7 @@
title: Discoverable Partitions Specification
category: Concepts
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# The Discoverable Partitions Specification
diff --git a/docs/DISTRO_PORTING.md b/docs/DISTRO_PORTING.md
index 2e4782f401..62d3f07572 100644
--- a/docs/DISTRO_PORTING.md
+++ b/docs/DISTRO_PORTING.md
@@ -2,6 +2,7 @@
title: Porting systemd To New Distributions
category: Concepts
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Porting systemd To New Distributions
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index d2ab3baf68..7425b18f42 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -2,6 +2,7 @@
title: Known Environment Variables
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Known Environment Variables
diff --git a/docs/GROUP_RECORD.md b/docs/GROUP_RECORD.md
index 26809c483a..44666930db 100644
--- a/docs/GROUP_RECORD.md
+++ b/docs/GROUP_RECORD.md
@@ -2,6 +2,7 @@
title: JSON Group Records
category: Users, Groups and Home Directories
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# JSON Group Records
diff --git a/docs/GVARIANT-SERIALIZATION.md b/docs/GVARIANT-SERIALIZATION.md
index 54e3705ba2..c999fdd58a 100644
--- a/docs/GVARIANT-SERIALIZATION.md
+++ b/docs/GVARIANT-SERIALIZATION.md
@@ -2,6 +2,7 @@
title: GVariant D-Bus Message Serialization
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# GVariant D-Bus Message Serialization
diff --git a/docs/HACKING.md b/docs/HACKING.md
index 3131597c22..7ca30486a6 100644
--- a/docs/HACKING.md
+++ b/docs/HACKING.md
@@ -2,6 +2,7 @@
title: Hacking on systemd
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Hacking on systemd
diff --git a/docs/HOME_DIRECTORY.md b/docs/HOME_DIRECTORY.md
index a3eabb7e63..142da3a874 100644
--- a/docs/HOME_DIRECTORY.md
+++ b/docs/HOME_DIRECTORY.md
@@ -2,6 +2,7 @@
title: Home Directories
category: Users, Groups and Home Directories
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Home Directories
diff --git a/docs/INITRD_INTERFACE.md b/docs/INITRD_INTERFACE.md
index e59bbcce15..2d1d0ac607 100644
--- a/docs/INITRD_INTERFACE.md
+++ b/docs/INITRD_INTERFACE.md
@@ -2,6 +2,7 @@
title: Initrd Interface
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
diff --git a/docs/JOURNAL_FILE_FORMAT.md b/docs/JOURNAL_FILE_FORMAT.md
index 0d340b876b..2bfc7a10ca 100644
--- a/docs/JOURNAL_FILE_FORMAT.md
+++ b/docs/JOURNAL_FILE_FORMAT.md
@@ -2,6 +2,7 @@
title: Journal File Format
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Journal File Format
diff --git a/docs/JOURNAL_NATIVE_PROTOCOL.md b/docs/JOURNAL_NATIVE_PROTOCOL.md
index fced45942b..657eca25a0 100644
--- a/docs/JOURNAL_NATIVE_PROTOCOL.md
+++ b/docs/JOURNAL_NATIVE_PROTOCOL.md
@@ -2,6 +2,7 @@
title: Native Journal Protocol
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Native Journal Protocol
diff --git a/docs/PASSWORD_AGENTS.md b/docs/PASSWORD_AGENTS.md
index 75b10da53f..7d810fbbd9 100644
--- a/docs/PASSWORD_AGENTS.md
+++ b/docs/PASSWORD_AGENTS.md
@@ -2,6 +2,7 @@
title: Password Agents
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Password Agents
diff --git a/docs/PORTABILITY_AND_STABILITY.md b/docs/PORTABILITY_AND_STABILITY.md
index 5d52608678..674fe89b94 100644
--- a/docs/PORTABILITY_AND_STABILITY.md
+++ b/docs/PORTABILITY_AND_STABILITY.md
@@ -2,6 +2,7 @@
title: Interface Portability and Stability
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Interface Portability and Stability Promise
diff --git a/docs/PORTABLE_SERVICES.md b/docs/PORTABLE_SERVICES.md
index 3de15f501b..6091174ea0 100644
--- a/docs/PORTABLE_SERVICES.md
+++ b/docs/PORTABLE_SERVICES.md
@@ -2,6 +2,7 @@
title: Portable Services Introduction
category: Concepts
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Portable Services Introduction
diff --git a/docs/PREDICTABLE_INTERFACE_NAMES.md b/docs/PREDICTABLE_INTERFACE_NAMES.md
index 07529e7a70..ddd7d29643 100644
--- a/docs/PREDICTABLE_INTERFACE_NAMES.md
+++ b/docs/PREDICTABLE_INTERFACE_NAMES.md
@@ -2,6 +2,7 @@
title: Predictable Network Interface Names
category: Concepts
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Predictable Network Interface Names
diff --git a/docs/RANDOM_SEEDS.md b/docs/RANDOM_SEEDS.md
index da3fe40baa..3473214054 100644
--- a/docs/RANDOM_SEEDS.md
+++ b/docs/RANDOM_SEEDS.md
@@ -2,6 +2,7 @@
title: Random Seeds
category: Concepts
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Random Seeds
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index cafe766e03..112c521622 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -2,6 +2,7 @@
title: Steps to a Successful Release
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Steps to a Successful Release
diff --git a/docs/RESOLVED-VPNS.md b/docs/RESOLVED-VPNS.md
index 1010bed4b2..89a5cdfacf 100644
--- a/docs/RESOLVED-VPNS.md
+++ b/docs/RESOLVED-VPNS.md
@@ -2,6 +2,7 @@
title: systemd-resolved and VPNs
category: Networking
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# `systemd-resolved.service` and VPNs
diff --git a/docs/ROOT_STORAGE_DAEMONS.md b/docs/ROOT_STORAGE_DAEMONS.md
index 08af00926c..6ab158cd2b 100644
--- a/docs/ROOT_STORAGE_DAEMONS.md
+++ b/docs/ROOT_STORAGE_DAEMONS.md
@@ -2,6 +2,7 @@
title: Storage Daemons for the Root File System
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# systemd and Storage Daemons for the Root File System
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index bd2915bab6..a44b90de89 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -2,6 +2,7 @@
title: Reporting of Security Vulnerabilities
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Reporting of Security Vulnerabilities
diff --git a/docs/TEMPORARY_DIRECTORIES.md b/docs/TEMPORARY_DIRECTORIES.md
index c0f945c885..c703651791 100644
--- a/docs/TEMPORARY_DIRECTORIES.md
+++ b/docs/TEMPORARY_DIRECTORIES.md
@@ -2,6 +2,7 @@
title: Using /tmp/ and /var/tmp/ Safely
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Using `/tmp/` and `/var/tmp/` Safely
diff --git a/docs/TESTING_WITH_SANITIZERS.md b/docs/TESTING_WITH_SANITIZERS.md
index 2622682bd9..4f965c9617 100644
--- a/docs/TESTING_WITH_SANITIZERS.md
+++ b/docs/TESTING_WITH_SANITIZERS.md
@@ -2,6 +2,7 @@
title: Testing systemd Using Sanitizers
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Testing systemd Using Sanitizers
diff --git a/docs/TRANSIENT-SETTINGS.md b/docs/TRANSIENT-SETTINGS.md
index 77dff10bee..d67f7f95e2 100644
--- a/docs/TRANSIENT-SETTINGS.md
+++ b/docs/TRANSIENT-SETTINGS.md
@@ -2,6 +2,7 @@
title: What Settings Are Currently Available For Transient Units?
category: Interfaces
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# What Settings Are Currently Available For Transient Units?
diff --git a/docs/TRANSLATORS.md b/docs/TRANSLATORS.md
index fa74e19fee..135f35793b 100644
--- a/docs/TRANSLATORS.md
+++ b/docs/TRANSLATORS.md
@@ -2,6 +2,7 @@
title: Notes for Translators
category: Contributing
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Notes for Translators
diff --git a/docs/UIDS-GIDS.md b/docs/UIDS-GIDS.md
index 5342ccd166..ea7ec63965 100644
--- a/docs/UIDS-GIDS.md
+++ b/docs/UIDS-GIDS.md
@@ -2,6 +2,7 @@
title: Users, Groups, UIDs and GIDs on systemd Systems
category: Users, Groups and Home Directories
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# Users, Groups, UIDs and GIDs on systemd Systems
diff --git a/docs/USERDB_AND_DESKTOPS.md b/docs/USERDB_AND_DESKTOPS.md
index babaaaf3c7..e6097eab1e 100644
--- a/docs/USERDB_AND_DESKTOPS.md
+++ b/docs/USERDB_AND_DESKTOPS.md
@@ -2,6 +2,7 @@
title: systemd-homed and JSON User/Group Record Support in Desktop Environments
category: Users, Groups and Home Directories
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# `systemd-homed` and JSON User/Group Record Support in Desktop Environments
diff --git a/docs/USER_GROUP_API.md b/docs/USER_GROUP_API.md
index bcb0b5d257..cefe6d3dce 100644
--- a/docs/USER_GROUP_API.md
+++ b/docs/USER_GROUP_API.md
@@ -2,6 +2,7 @@
title: User/Group Record Lookup API via Varlink
category: Users, Groups and Home Directories
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# User/Group Record Lookup API via Varlink
diff --git a/docs/USER_NAMES.md b/docs/USER_NAMES.md
index daafdf2dce..1757c5b783 100644
--- a/docs/USER_NAMES.md
+++ b/docs/USER_NAMES.md
@@ -2,6 +2,7 @@
title: User/Group Name Syntax
category: Users, Groups and Home Directories
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# User/Group Name Syntax
diff --git a/docs/USER_RECORD.md b/docs/USER_RECORD.md
index 73dfc5bec4..6b607dfd45 100644
--- a/docs/USER_RECORD.md
+++ b/docs/USER_RECORD.md
@@ -2,6 +2,7 @@
title: JSON User Records
category: Users, Groups and Home Directories
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
# JSON User Records
diff --git a/docs/index.md b/docs/index.md
index c5d7f84991..ff26bd3398 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,5 +1,6 @@
---
layout: default
+SPDX-License-Identifier: LGPL-2.1-or-later
---
systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system.
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 4ab3d5b56b..f763a19149 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -29,19 +29,21 @@
Description
- systemd-cryptenroll is a tool for enrolling hardware security tokens and devices into a
- LUKS2 encrypted volume, which may then be used to unlock the volume during boot. Specifically, it supports
- tokens and credentials of the following kind to be enrolled:
+ systemd-cryptenroll is a tool for enrolling hardware security tokens and devices
+ into a LUKS2 encrypted volume, which may then be used to unlock the volume during boot. Specifically, it
+ supports tokens and credentials of the following kind to be enrolled:
- PKCS#11 security tokens and smartcards that may carry an RSA key pair (e.g. various YubiKeys)
+ PKCS#11 security tokens and smartcards that may carry an RSA key pair (e.g. various
+ YubiKeys)
- FIDO2 security tokens that implement the hmac-secret extension (most FIDO2 keys, including YubiKeys)
+ FIDO2 security tokens that implement the hmac-secret extension (most
+ FIDO2 keys, including YubiKeys)TPM2 security devicesRecovery keys. These are similar to regular passphrases, however are randomly generated
- on the computer and thus generally have higher entropy than user chosen passphrases. Their character
+ on the computer and thus generally have higher entropy than user-chosen passphrases. Their character
set has been designed to ensure they are easy to type in, while having high entropy. They may also be
scanned off screen using QR codes. Recovery keys may be used for unlocking LUKS2 volumes wherever
passphrases are accepted. They are intended to be used in combination with an enrolled hardware
@@ -75,9 +77,10 @@
- Enroll a recovery key. Recovery keys are most identical to passphrases, but are
- computer generated instead of human chosen, and thus have a guaranteed high entropy. The key uses a
- character set that is easy to type in, and may be scanned off screen via a QR code.
+ Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
+ computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
+ key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
+
diff --git a/man/systemd-sysv-generator.xml b/man/systemd-sysv-generator.xml
index 14ab932fed..e9f318b549 100644
--- a/man/systemd-sysv-generator.xml
+++ b/man/systemd-sysv-generator.xml
@@ -31,7 +31,7 @@
that creates wrapper .service units for
SysV init
scripts in /etc/init.d/* at boot and when
- configuration of the system manager is reloaded. This will allow
+ configuration of the system manager is reloaded. This allows
systemd1
to support them similarly to native units.
@@ -46,6 +46,10 @@
systemd.special7
for more details.
+ Note that compatibility is quite comprehensive but not 100%, for more details see Incompatibilities with
+ SysV.
+
SysV runlevels have corresponding systemd targets
(runlevelX.target).
The wrapper unit that is generated will be wanted by those targets
diff --git a/man/systemd.automount.xml b/man/systemd.automount.xml
index a6bc81e216..37fd743552 100644
--- a/man/systemd.automount.xml
+++ b/man/systemd.automount.xml
@@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
+systemd.automountsystemd
@@ -124,7 +124,11 @@
Options
- Automount files must include an [Automount] section, which
+ Automount unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+
+
+ Automount unit files must include an [Automount] section, which
carries information about the file system automount points it
supervises. The options specific to the [Automount] section of
automount units are the following:
@@ -157,6 +161,8 @@
default.
+
+
diff --git a/man/systemd.device.xml b/man/systemd.device.xml
index 596d334d5d..a4128207e4 100644
--- a/man/systemd.device.xml
+++ b/man/systemd.device.xml
@@ -147,7 +147,14 @@
+
+
+ Options
+
+ Device unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5. No
+ options specific to this file type are supported.
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index eadfc02421..ddcd0f1c25 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1512,33 +1512,40 @@ BindReadOnlyPaths=/var/lib/systemd
PrivateDevices=
- Takes a boolean argument. If true, sets up a new /dev/ mount for the
- executed processes and only adds API pseudo devices such as /dev/null,
- /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
- but no physical devices such as /dev/sda, system memory /dev/mem,
- system ports /dev/port and others. This is useful to securely turn off physical device
- access by the executed process. Defaults to false. Enabling this option will install a system call filter to
- block low-level I/O system calls that are grouped in the @raw-io set, will also remove
- CAP_MKNOD and CAP_SYS_RAWIO from the capability bounding set for the
- unit (see above), and set DevicePolicy=closed (see
+ Takes a boolean argument. If true, sets up a new /dev/ mount for
+ the executed processes and only adds API pseudo devices such as /dev/null,
+ /dev/zero or /dev/random (as well as the pseudo TTY
+ subsystem) to it, but no physical devices such as /dev/sda, system memory
+ /dev/mem, system ports /dev/port and others. This is useful
+ to turn off physical device access by the executed process. Defaults to false.
+
+ Enabling this option will install a system call filter to block low-level I/O system calls that
+ are grouped in the @raw-io set, remove CAP_MKNOD and
+ CAP_SYS_RAWIO from the capability bounding set for the unit, and set
+ DevicePolicy=closed (see
systemd.resource-control5
- for details). Note that using this setting will disconnect propagation of mounts from the service to the host
- (propagation in the opposite direction continues to work). This means that this setting may not be used for
- services which shall be able to install mount points in the main mount namespace. The new
- /dev/ will be mounted read-only and 'noexec'. The latter may break old programs which try
- to set up executable memory by using
+ for details). Note that using this setting will disconnect propagation of mounts from the service to
+ the host (propagation in the opposite direction continues to work). This means that this setting may
+ not be used for services which shall be able to install mount points in the main mount namespace. The
+ new /dev/ will be mounted read-only and 'noexec'. The latter may break old
+ programs which try to set up executable memory by using
mmap2 of
- /dev/zero instead of using MAP_ANON. For this setting the same
- restrictions regarding mount propagation and privileges apply as for ReadOnlyPaths= and
- related calls, see above. If turned on and if running in user mode, or in system mode, but without the
- CAP_SYS_ADMIN capability (e.g. setting User=),
- NoNewPrivileges=yes is implied.
+ /dev/zero instead of using MAP_ANON. For this setting the
+ same restrictions regarding mount propagation and privileges apply as for
+ ReadOnlyPaths= and related calls, see above. If turned on and if running in user
+ mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting
+ User=), NoNewPrivileges=yes is implied.
- Note that the implementation of this setting might be impossible (for example if mount namespaces are not
- available), and the unit should be written in a way that does not solely rely on this setting for
- security.
+ Note that the implementation of this setting might be impossible (for example if mount
+ namespaces are not available), and the unit should be written in a way that does not solely rely on
+ this setting for security.
-
+
+
+ When access to some but not all devices must be possible, the DeviceAllow=
+ setting might be used instead. See
+ systemd.resource-control5.
+
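Review bot: The paragraph added at the end of the PrivateDevices= entry offers `DeviceAllow=` as something to use "instead", but does not say that it lacks the other effects this entry lists for `PrivateDevices=`. Those are the `@raw-io` system call filter, the removal of `CAP_MKNOD` and `CAP_SYS_RAWIO` from the bounding set, and the private read-only `/dev/` mount. A unit author who swaps one setting for the other to admit a single device would lose those restrictions without any hint from this text. I would append a sentence such as `Note that DeviceAllow= on its own does not install the system call filter or drop the capabilities described above; configure those separately if they are still wanted.` The reciprocal paragraph added in man/systemd.resource-control.xml could also point to the caveat here that a unit should not rely solely on `PrivateDevices=` for security.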
diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml
index 8b71c96ab5..6b0efb68df 100644
--- a/man/systemd.mount.xml
+++ b/man/systemd.mount.xml
@@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
+systemd.mountsystemd
@@ -442,7 +442,11 @@
Options
- Mount files must include a [Mount] section, which carries
+ Mount unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+
+
+ Mount unit files must include a [Mount] section, which carries
information about the file system mount points it supervises. A
number of options that may be used in this section are shared with
other unit types. These options are documented in
@@ -567,11 +571,7 @@
- Check
- systemd.exec5
- and
- systemd.kill5
- for more settings.
+
diff --git a/man/systemd.path.xml b/man/systemd.path.xml
index bca1514b33..44afba08c9 100644
--- a/man/systemd.path.xml
+++ b/man/systemd.path.xml
@@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
+systemd.pathsystemd
@@ -103,9 +103,12 @@
Options
- Path files must include a [Path] section, which carries
- information about the path(s) it monitors. The options specific to
- the [Path] section of path units are the following:
+ Path unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+
+
+ Path unit files must include a [Path] section, which carries information about the path or paths it
+ monitors. The options specific to the [Path] section of path units are the following:
@@ -184,6 +187,8 @@
to .
+
+
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index ea728dff33..b21f8575a0 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -928,6 +928,11 @@ RestrictNetworkInterfaces=~eth1
url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html">Device Whitelist Controller.
In the unified cgroup hierarchy this functionality is implemented using eBPF filtering.
+ When access to all physical devices should be disallowed,
+ PrivateDevices= may be used instead. See
+ systemd.exec5.
+
+
The device node specifier is either a path to a device node in the file system, starting with
/dev/, or a string starting with either char- or
block- followed by a device group name, as listed in
diff --git a/man/systemd.scope.xml b/man/systemd.scope.xml
index 7d7b32df46..6d991b915f 100644
--- a/man/systemd.scope.xml
+++ b/man/systemd.scope.xml
@@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
+systemd.scopesystemd
@@ -89,6 +89,10 @@
Options
+ Socket files may include a [Unit] section, which is described in
+ systemd.unit5.
+
+
Scope files may include a [Scope]
section, which carries information about the scope and the
units it contains. A number of options that may be used in
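Review bot: The added sentence in the Options section of systemd.scope.xml begins `Socket files may include a [Unit] section`, which looks like a copy-paste from the socket page; on this page it should read `Scope unit files may include a [Unit] section, which is described in`. The unchanged sentence that follows still says `Scope files may include a [Scope]`, while the other pages touched by this commit were moved to the "… unit files" wording, so `Scope unit files may include a [Scope]` would keep the set consistent.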
@@ -109,6 +113,8 @@
infinity (the default) to configure no runtime limit.
+
+
diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index 884260a215..4891f27eba 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -50,15 +50,11 @@
which configure resource control settings for the processes of the
service.
- If a service is requested under a certain name but no unit
- configuration file is found, systemd looks for a SysV init script
- by the same name (with the .service suffix
- removed) and dynamically creates a service unit from that script.
- This is useful for compatibility with SysV. Note that this
- compatibility is quite comprehensive but not 100%. For details
- about the incompatibilities, see the Incompatibilities
- with SysV document.
+ If SysV init compat is enabled, systemd automatically creates service units that wrap SysV init
+ scripts (the service name is the same as the name of the script, with a .service
+ suffix added); see
+ systemd-sysv-generator8.
+ The systemd-run1
command allows creating .service and .scope units dynamically
@@ -138,7 +134,11 @@
Options
- Service files must include a [Service]
+ Service unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+
+
+ Service unit files must include a [Service]
section, which carries information about the service and the
process it supervises. A number of options that may be used in
this section are shared with other unit types. These options are
@@ -1111,8 +1111,9 @@
- Check
- systemd.exec5 and
+ Check
+ systemd.unit5,
+ systemd.exec5, and
systemd.kill5 for more
settings.
diff --git a/man/systemd.slice.xml b/man/systemd.slice.xml
index 0d3616f8b1..ed066d2a82 100644
--- a/man/systemd.slice.xml
+++ b/man/systemd.slice.xml
@@ -98,6 +98,14 @@
+
+ Options
+
+ Slice unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+ No options specific to this file type are supported.
+
+
See Also
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 1600656fdb..f977f11541 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
+systemd.socketsystemd
@@ -159,7 +159,11 @@
Options
- Socket files must include a [Socket] section, which carries
+ Socket unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+
+
+ Socket unit files must include a [Socket] section, which carries
information about the socket or FIFO it supervises. A number of
options that may be used in this section are shared with other
unit types. These options are documented in
@@ -839,12 +843,7 @@
- Check
- systemd.exec5
- and
- systemd.kill5
- for more settings.
-
+
diff --git a/man/systemd.swap.xml b/man/systemd.swap.xml
index 2a867f92e9..8287382eb6 100644
--- a/man/systemd.swap.xml
+++ b/man/systemd.swap.xml
@@ -3,9 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-
+systemd.swapsystemd
@@ -169,6 +167,10 @@
Options
+ Swap unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+
+
Swap unit files must include a [Swap] section, which carries
information about the swap device it supervises. A number of
options that may be used in this section are shared with other
@@ -235,11 +237,7 @@
- Check
- systemd.exec5
- and
- systemd.kill5
- for more settings.
+
diff --git a/man/systemd.target.xml b/man/systemd.target.xml
index bd618d8e93..604b14e438 100644
--- a/man/systemd.target.xml
+++ b/man/systemd.target.xml
@@ -84,6 +84,14 @@
+
+ Options
+
+ Target unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+ No options specific to this file type are supported.
+
+
Example
diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml
index 84c5bb564c..49bcb18be5 100644
--- a/man/systemd.timer.xml
+++ b/man/systemd.timer.xml
@@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
+systemd.timersystemd
@@ -94,7 +94,11 @@
Options
- Timer files must include a [Timer] section, which carries
+ Timer unit files may include [Unit] and [Install] sections, which are described in
+ systemd.unit5.
+
+
+ Timer unit files must include a [Timer] section, which carries
information about the timer it defines. The options specific to
the [Timer] section of timer units are the following:
@@ -178,7 +182,6 @@
precise time configured with these settings, as they are
subject to the AccuracySec= setting
below.
-
@@ -357,6 +360,8 @@
.
+
+