Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2017-08-20 14:14:14 UTC
  • Revision ID: teddy@recompile.se-20170820141414-m034xuebg7ccaeui
Add some more restrictions to the systemd service file.

* mandos.service ([Service]/ProtectKernelTunables): New; set to "yes".
  ([Service]/ProtectControlGroups): - '' -

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "plugin-runner">
5
 
<!ENTITY TIMESTAMP "2008-09-30">
 
5
<!ENTITY TIMESTAMP "2017-02-23">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
        <firstname>Björn</firstname>
20
20
        <surname>Påhlsson</surname>
21
21
        <address>
22
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
23
23
        </address>
24
24
      </author>
25
25
      <author>
26
26
        <firstname>Teddy</firstname>
27
27
        <surname>Hogeborn</surname>
28
28
        <address>
29
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
30
30
        </address>
31
31
      </author>
32
32
    </authorgroup>
33
33
    <copyright>
34
34
      <year>2008</year>
 
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
 
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
 
43
      <year>2017</year>
35
44
      <holder>Teddy Hogeborn</holder>
36
45
      <holder>Björn Påhlsson</holder>
37
46
    </copyright>
112
121
      <arg><option>--plugin-dir=<replaceable
113
122
      >DIRECTORY</replaceable></option></arg>
114
123
      <sbr/>
 
124
      <arg><option>--plugin-helper-dir=<replaceable
 
125
      >DIRECTORY</replaceable></option></arg>
 
126
      <sbr/>
115
127
      <arg><option>--config-file=<replaceable
116
128
      >FILE</replaceable></option></arg>
117
129
      <sbr/>
259
271
            Disable the plugin named
260
272
            <replaceable>PLUGIN</replaceable>.  The plugin will not be
261
273
            started.
262
 
          </para>       
 
274
          </para>
263
275
        </listitem>
264
276
      </varlistentry>
265
277
      
318
330
      </varlistentry>
319
331
      
320
332
      <varlistentry>
 
333
        <term><option>--plugin-helper-dir
 
334
        <replaceable>DIRECTORY</replaceable></option></term>
 
335
        <listitem>
 
336
          <para>
 
337
            Specify a different plugin helper directory.  The default
 
338
            is <filename>/lib/mandos/plugin-helpers</filename>, which
 
339
            will exist in the initial <acronym>RAM</acronym> disk
 
340
            environment.  (This will simply be passed to all plugins
 
341
            via the <envar>MANDOSPLUGINHELPERDIR</envar> environment
 
342
            variable.  See <xref linkend="writing_plugins"/>)
 
343
          </para>
 
344
        </listitem>
 
345
      </varlistentry>
 
346
      
 
347
      <varlistentry>
321
348
        <term><option>--config-file
322
349
        <replaceable>FILE</replaceable></option></term>
323
350
        <listitem>
424
451
      <para>
425
452
        The plugin will run in the initial RAM disk environment, so
426
453
        care must be taken not to depend on any files or running
427
 
        services not available there.
 
454
        services not available there.  Any helper executables required
 
455
        by the plugin (which are not in the <envar>PATH</envar>) can
 
456
        be placed in the plugin helper directory, the name of which
 
457
        will be made available to the plugin via the
 
458
        <envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
428
459
      </para>
429
460
      <para>
430
461
        The plugin must exit cleanly and free all allocated resources
473
504
      only passes on its environment to all the plugins.  The
474
505
      environment passed to plugins can be modified using the
475
506
      <option>--global-env</option> and <option>--env-for</option>
476
 
      options.
 
507
      options.  Also, the <option>--plugin-helper-dir</option> option
 
508
      will affect the environment variable
 
509
      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
477
510
    </para>
478
511
  </refsect1>
479
512
  
512
545
            </para>
513
546
          </listitem>
514
547
        </varlistentry>
 
548
        <varlistentry>
 
549
          <term><filename class="directory"
 
550
          >/lib/mandos/plugins.d</filename></term>
 
551
          <listitem>
 
552
            <para>
 
553
              The default plugin directory; can be changed by the
 
554
              <option>--plugin-dir</option> option.
 
555
            </para>
 
556
          </listitem>
 
557
        </varlistentry>
 
558
        <varlistentry>
 
559
          <term><filename class="directory"
 
560
          >/lib/mandos/plugin-helpers</filename></term>
 
561
          <listitem>
 
562
            <para>
 
563
              The default plugin helper directory; can be changed by
 
564
              the <option>--plugin-helper-dir</option> option.
 
565
            </para>
 
566
          </listitem>
 
567
        </varlistentry>
515
568
      </variablelist>
516
569
    </para>
517
570
  </refsect1>
522
575
      The <option>--config-file</option> option is ignored when
523
576
      specified from within a configuration file.
524
577
    </para>
 
578
    <xi:include href="bugs.xml"/>
525
579
  </refsect1>
526
580
  
527
581
  <refsect1 id="examples">
570
624
    </informalexample>
571
625
    <informalexample>
572
626
      <para>
573
 
        Run plugins from a different directory, read a different
574
 
        configuration file, and add two options to the
 
627
        Read a different configuration file, run plugins from a
 
628
        different directory, specify an alternate plugin helper
 
629
        directory and add two options to the
575
630
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
576
631
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
577
632
      </para>
578
633
      <para>
579
634
 
580
635
<!-- do not wrap this line -->
581
 
<userinput>&COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>
 
636
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
582
637
 
583
638
      </para>
584
639
    </informalexample>
616
671
  <refsect1 id="see_also">
617
672
    <title>SEE ALSO</title>
618
673
    <para>
 
674
      <citerefentry><refentrytitle>intro</refentrytitle>
 
675
      <manvolnum>8mandos</manvolnum></citerefentry>,
619
676
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
620
677
      <manvolnum>8</manvolnum></citerefentry>,
621
678
      <citerefentry><refentrytitle>crypttab</refentrytitle>