units/systemd-oomd.service.in

   1 #  SPDX-License-Identifier: LGPL-2.1-or-later
   2 #
   3 #  This file is part of systemd.
   4 #
   5 #  systemd is free software; you can redistribute it and/or modify it
   6 #  under the terms of the GNU Lesser General Public License as published by
   7 #  the Free Software Foundation; either version 2.1 of the License, or
   8 #  (at your option) any later version.
   9
  10 [Unit]
  11 Description=Userspace Out-Of-Memory (OOM) Killer
  12 Documentation=man:systemd-oomd.service(8)
  13 DefaultDependencies=no
  14 Before=multi-user.target shutdown.target
  15 Conflicts=shutdown.target
  16
  17 [Service]
  18 AmbientCapabilities=CAP_KILL CAP_DAC_OVERRIDE
  19 BusName=org.freedesktop.oom1
  20 CapabilityBoundingSet=CAP_KILL CAP_DAC_OVERRIDE
  21 ExecStart=@rootlibexecdir@/systemd-oomd
  22 IPAddressDeny=any
  23 LockPersonality=yes
  24 MemoryDenyWriteExecute=yes
  25 # Reserve some minimum amount of memory so that systemd-oomd can continue to
  26 # run in resource starved scenarios.
  27 MemoryMin=64M
  28 MemoryLow=64M
  29 NoNewPrivileges=yes
  30 OOMScoreAdjust=-900
  31 PrivateDevices=yes
  32 PrivateTmp=yes
  33 ProtectClock=yes
  34 ProtectHome=yes
  35 ProtectHostname=yes
  36 ProtectKernelLogs=yes
  37 ProtectKernelModules=yes
  38 ProtectKernelTunables=yes
  39 ProtectSystem=strict
  40 Restart=on-failure
  41 RestrictAddressFamilies=AF_UNIX
  42 RestrictNamespaces=yes
  43 RestrictRealtime=yes
  44 RestrictSUIDSGID=yes
  45 SystemCallArchitectures=native
  46 SystemCallErrorNumber=EPERM
  47 SystemCallFilter=@system-service
  48 Type=notify
  49 User=systemd-oom
  50 @SERVICE_WATCHDOG@
  51
  52 [Install]
  53 WantedBy=multi-user.target
  54 Alias=dbus-org.freedesktop.oom1.service