source path, destination path and option string, where the latter two are optional. If only a source path is
specified the source and destination is taken to be the same. The option string may be either
<literal>rbind</literal> or <literal>norbind</literal> for configuring a recursive or non-recursive bind
- mount. If the destination path is omitted, the option string must be omitted too.</para>
+ mount. If the destination path is omitted, the option string must be omitted too.
+ Each bind mount definition may be prefixed with <literal>-</literal>, in which case it will be ignored
+ when its source path does not exist.</para>
<para><varname>BindPaths=</varname> creates regular writable bind mounts (unless the source file system mount
is already marked read-only), while <varname>BindReadOnlyPaths=</varname> creates read-only bind mounts. These
processes. In this modes multiple units running processes under the same user ID may share key material. Unless
<option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected
key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to
- <option>private</option> for the system service manager and to <option>inherit</option> for the user service
- manager.</para></listitem>
+ <option>private</option> for services of the system service manager and to <option>inherit</option> for
+ non-service units and for services of the user service manager.</para></listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>ProtectHome=</varname></term>
- <listitem><para>Takes a boolean argument or <literal>read-only</literal>. If true, the directories
- <filename>/home</filename>, <filename>/root</filename> and <filename>/run/user</filename> are made inaccessible
- and empty for processes invoked by this unit. If set to <literal>read-only</literal>, the three directories are
- made read-only instead. It is recommended to enable this setting for all long-running services (in particular
- network-facing ones), to ensure they cannot get access to private user data, unless the services actually
- require access to the user's private data. This setting is implied if <varname>DynamicUser=</varname> is
- set. For this setting the same restrictions regarding mount propagation and privileges apply as for
- <varname>ReadOnlyPaths=</varname> and related calls, see below.</para></listitem>
+ <listitem><para>Takes a boolean argument or the special values <literal>read-only</literal> or
+ <literal>tmpfs</literal>. If true, the directories <filename>/home</filename>, <filename>/root</filename> and
+ <filename>/run/user</filename> are made inaccessible and empty for processes invoked by this unit. If set to
+ <literal>read-only</literal>, the three directories are made read-only instead. If set to <literal>tmpfs</literal>,
+ temporary file systems are mounted on the three directories in read-only mode. The value <literal>tmpfs</literal>
+ is useful to hide home directories not relevant to the processes invoked by the unit, while necessary directories
+ are still visible by combining with <varname>BindPaths=</varname> or <varname>BindReadOnlyPaths=</varname>.</para>
+
+ <para>Setting this to <literal>yes</literal> is mostly equivalent to set the three directories in
+ <varname>InaccessiblePaths=</varname>. Similary, <literal>read-only</literal> is mostly equivalent to
+ <varname>ReadOnlyPaths=</varname>, and <literal>tmpfs</literal> is mostly equivalent to
+ <varname>TemporaryFileSystem=</varname>.</para>
+
+ <para> It is recommended to enable this setting for all long-running services (in particular network-facing ones),
+ to ensure they cannot get access to private user data, unless the services actually require access to the user's
+ private data. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same
+ restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related
+ calls, see below.</para></listitem>
</varlistentry>
<varlistentry>
reading only, writing will be refused even if the usual file access controls would permit this. Nest
<varname>ReadWritePaths=</varname> inside of <varname>ReadOnlyPaths=</varname> in order to provide writable
subdirectories within read-only directories. Use <varname>ReadWritePaths=</varname> in order to whitelist
- specific paths for write access if <varname>ProtectSystem=strict</varname> is used. Paths listed in
- <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside the namespace (along with
- everything below them in the file system hierarchy).</para>
+ specific paths for write access if <varname>ProtectSystem=strict</varname> is used.</para>
+
+ <para>Paths listed in <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside
+ the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
+ desired, because it is not possible to nest <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname>,
+ <varname>BindPaths=</varname>, or <varname>BindReadOnlyPaths=</varname> inside it. For a more flexible option,
+ see <varname>TemporaryFileSystem=</varname>.</para>
<para>Note that restricting access with these options does not extend to submounts of a directory that are
created later on. Non-directory paths may be specified as well. These options may be specified more than once,
<varname>SystemCallFilter=~@mount</varname>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>TemporaryFileSystem=</varname></term>
+
+ <listitem><para>Takes a space-separated list of mount points for temporary file systems (tmpfs). If set, a new file
+ system namespace is set up for executed processes, and a temporary file system is mounted on each mount point.
+ This option may be specified more than once, in which case temporary file systems are mounted on all listed mount
+ points. If the empty string is assigned to this option, the list is reset, and all prior assignments have no effect.
+ Each mount point may optionally be suffixed with a colon (<literal>:</literal>) and mount options such as
+ <literal>size=10%</literal> or <literal>ro</literal>. By default, each temporary file system is mounted
+ with <literal>nodev,strictatime,mode=0755</literal>. These can be disabled by explicitly specifying the corresponding
+ mount options, e.g., <literal>dev</literal> or <literal>nostrictatime</literal>.</para>
+
+ <para>This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary
+ files or directories can be still accessed by combining with <varname>BindPaths=</varname> or
+ <varname>BindReadOnlyPaths=</varname>. See the example below.</para>
+
+ <para>Example: if a unit has the following,
+ <programlisting>TemporaryFileSystem=/var:ro
+BindReadOnlyPaths=/var/lib/systemd</programlisting>
+ then the invoked processes by the unit cannot see any files or directories under <filename>/var</filename> except for
+ <filename>/var/lib/systemd</filename> or its contents.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>PrivateTmp=</varname></term>