]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tmpfiles: fix compilation without acl support
[thirdparty/systemd.git] / man / systemd.exec.xml
CommitLineData
dd1eb43b
LP		 1<?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
5<!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
dd1eb43b
LP		 13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 18 Lesser General Public License for more details.
dd1eb43b 19
5430f7f2 20 You should have received a copy of the GNU Lesser General Public License
dd1eb43b
LP		 21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22-->
23
24<refentry id="systemd.exec">
25 <refentryinfo>
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
28
29 <authorgroup>
30 <author>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
35 </author>
36 </authorgroup>
37 </refentryinfo>
38
39 <refmeta>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
42 </refmeta>
43
44 <refnamediv>
45 <refname>systemd.exec</refname>
34511ca7 46 <refpurpose>Execution environment configuration</refpurpose>
dd1eb43b
LP		 47 </refnamediv>
48
49 <refsynopsisdiv>
e670b166
ZJS		 50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
dd1eb43b
LP		 54 </refsynopsisdiv>
55
56 <refsect1>
57 <title>Description</title>
58
9a666408 59 <para>Unit configuration files for services, sockets,
43638332 60 mount points, and swap devices share a subset of
2292707d
LP		 61 configuration options which define the execution
62 environment of spawned processes.</para>
dd1eb43b
LP		 63
64 <para>This man page lists the configuration options
9a666408 65 shared by these four unit types. See
dd1eb43b
LP		 66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration
68 files, and
2292707d
LP		 69 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
d868475a 71 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
dd1eb43b
LP		 72 and
73 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
74 for more information on the specific unit
75 configuration files. The execution specific
76 configuration options are configured in the [Service],
16dad32e 77 [Socket], [Mount], or [Swap] sections, depending on the unit
dd1eb43b
LP		 78 type.</para>
79 </refsect1>
80
81 <refsect1>
82 <title>Options</title>
83
ccc9a4f9 84 <variablelist class='unit-directives'>
dd1eb43b
LP		 85
86 <varlistentry>
87 <term><varname>WorkingDirectory=</varname></term>
88
89 <listitem><para>Takes an absolute
90 directory path. Sets the working
e06c73cc 91 directory for executed processes. If
79640424 92 not set, defaults to the root directory
e06c73cc
LP		 93 when systemd is running as a system
94 instance and the respective user's
95 home directory if run as
96 user.</para></listitem>
dd1eb43b
LP		 97 </varlistentry>
98
99 <varlistentry>
100 <term><varname>RootDirectory=</varname></term>
101
102 <listitem><para>Takes an absolute
103 directory path. Sets the root
104 directory for executed processes, with
105 the
5aded369 106 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
79640424 107 system call. If this is used, it must
dd1eb43b
LP		 108 be ensured that the process and all
109 its auxiliary files are available in
110 the <function>chroot()</function>
111 jail.</para></listitem>
112 </varlistentry>
113
114 <varlistentry>
115 <term><varname>User=</varname></term>
116 <term><varname>Group=</varname></term>
117
118 <listitem><para>Sets the Unix user
16dad32e
AE		 119 or group that the processes are executed
120 as, respectively. Takes a single user or group
dd1eb43b 121 name or ID as argument. If no group is
16dad32e 122 set, the default group of the user is
dd1eb43b
LP		 123 chosen.</para></listitem>
124 </varlistentry>
125
126 <varlistentry>
127 <term><varname>SupplementaryGroups=</varname></term>
128
129 <listitem><para>Sets the supplementary
130 Unix groups the processes are executed
e9dd9f95 131 as. This takes a space-separated list
dd1eb43b
LP		 132 of group names or IDs. This option may
133 be specified more than once in which
134 case all listed groups are set as
74051b9b
LP		 135 supplementary groups. When the empty
136 string is assigned the list of
137 supplementary groups is reset, and all
138 assignments prior to this one will
139 have no effect. In any way, this
140 option does not override, but extends
141 the list of supplementary groups
142 configured in the system group
143 database for the
dd1eb43b
LP		 144 user.</para></listitem>
145 </varlistentry>
146
147 <varlistentry>
148 <term><varname>Nice=</varname></term>
149
150 <listitem><para>Sets the default nice
151 level (scheduling priority) for
152 executed processes. Takes an integer
153 between -20 (highest priority) and 19
154 (lowest priority). See
155 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
156 for details.</para></listitem>
157 </varlistentry>
158
159 <varlistentry>
dd6c17b1 160 <term><varname>OOMScoreAdjust=</varname></term>
dd1eb43b
LP		 161
162 <listitem><para>Sets the adjustment
163 level for the Out-Of-Memory killer for
164 executed processes. Takes an integer
dd6c17b1
LP		 165 between -1000 (to disable OOM killing
166 for this process) and 1000 (to make
dd1eb43b
LP		 167 killing of this process under memory
168 pressure very likely). See <ulink
6ed80a4e 169 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
dd1eb43b
LP		 170 for details.</para></listitem>
171 </varlistentry>
172
173 <varlistentry>
174 <term><varname>IOSchedulingClass=</varname></term>
175
176 <listitem><para>Sets the IO scheduling
177 class for executed processes. Takes an
178 integer between 0 and 3 or one of the
179 strings <option>none</option>,
180 <option>realtime</option>,
181 <option>best-effort</option> or
182 <option>idle</option>. See
183 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
184 for details.</para></listitem>
185 </varlistentry>
186
187 <varlistentry>
188 <term><varname>IOSchedulingPriority=</varname></term>
189
190 <listitem><para>Sets the IO scheduling
191 priority for executed processes. Takes
192 an integer between 0 (highest
193 priority) and 7 (lowest priority). The
194 available priorities depend on the
195 selected IO scheduling class (see
196 above). See
197 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
198 for details.</para></listitem>
199 </varlistentry>
200
201 <varlistentry>
202 <term><varname>CPUSchedulingPolicy=</varname></term>
203
204 <listitem><para>Sets the CPU
205 scheduling policy for executed
206 processes. Takes one of
207 <option>other</option>,
208 <option>batch</option>,
209 <option>idle</option>,
210 <option>fifo</option> or
211 <option>rr</option>. See
212 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
213 for details.</para></listitem>
214 </varlistentry>
215
216 <varlistentry>
217 <term><varname>CPUSchedulingPriority=</varname></term>
218
219 <listitem><para>Sets the CPU
220 scheduling priority for executed
bb112710 221 processes. The available priority
dd1eb43b 222 range depends on the selected CPU
bb112710
HHPF		 223 scheduling policy (see above). For
224 real-time scheduling policies an
225 integer between 1 (lowest priority)
226 and 99 (highest priority) can be used.
227 See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
228 for details.
229 </para></listitem>
dd1eb43b
LP		 230 </varlistentry>
231
232 <varlistentry>
233 <term><varname>CPUSchedulingResetOnFork=</varname></term>
234
235 <listitem><para>Takes a boolean
79640424 236 argument. If true, elevated CPU
dd1eb43b
LP		 237 scheduling priorities and policies
238 will be reset when the executed
239 processes fork, and can hence not leak
240 into child processes. See
241 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
242 for details. Defaults to false.</para></listitem>
243 </varlistentry>
244
245 <varlistentry>
246 <term><varname>CPUAffinity=</varname></term>
247
248 <listitem><para>Controls the CPU
249 affinity of the executed
96d4ce01 250 processes. Takes a space-separated
66f756d4 251 list of CPU indices. This option may
74051b9b 252 be specified more than once in which
536256fc 253 case the specified CPU affinity masks
74051b9b 254 are merged. If the empty string is
79640424 255 assigned, the mask is reset, all
74051b9b
LP		 256 assignments prior to this will have no
257 effect. See
dd1eb43b
LP		 258 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
259 for details.</para></listitem>
260 </varlistentry>
261
262 <varlistentry>
263 <term><varname>UMask=</varname></term>
264
265 <listitem><para>Controls the file mode
266 creation mask. Takes an access mode in
267 octal notation. See
268 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
269 for details. Defaults to
260d3708 270 0022.</para></listitem>
dd1eb43b
LP		 271 </varlistentry>
272
273 <varlistentry>
274 <term><varname>Environment=</varname></term>
275
276 <listitem><para>Sets environment
277 variables for executed
96d4ce01 278 processes. Takes a space-separated
dd1eb43b
LP		 279 list of variable assignments. This
280 option may be specified more than once
281 in which case all listed variables
282 will be set. If the same variable is
79640424 283 set twice, the later setting will
74051b9b
LP		 284 override the earlier setting. If the
285 empty string is assigned to this
79640424 286 option, the list of environment
74051b9b 287 variables is reset, all prior
0ae9c92a
FC		 288 assignments have no effect.
289 Variable expansion is not performed
97d0e5f8 290 inside the strings, however, specifier
79640424 291 expansion is possible. The $ character has
97d0e5f8 292 no special meaning.
0ae9c92a
FC		 293 If you need to assign a value containing spaces
294 to a variable, use double quotes (")
295 for the assignment.</para>
296
297 <para>Example:
c5b37953 298 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
0ae9c92a 299 gives three variables <literal>VAR1</literal>,
c5b37953
ZJS		 300 <literal>VAR2</literal>, <literal>VAR3</literal>
301 with the values <literal>word1 word2</literal>,
302 <literal>word3</literal>, <literal>$word 5 6</literal>.
0ae9c92a
FC		 303 </para>
304
305 <para>
306 See
5aded369 307 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
0ae9c92a 308 for details about environment variables.</para></listitem>
dd1eb43b
LP		 309 </varlistentry>
310 <varlistentry>
311 <term><varname>EnvironmentFile=</varname></term>
312 <listitem><para>Similar to
313 <varname>Environment=</varname> but
314 reads the environment variables from a
315 text file. The text file should
e9dd9f95 316 contain new-line-separated variable
dd1eb43b
LP		 317 assignments. Empty lines and lines
318 starting with ; or # will be ignored,
565d91fd
MV		 319 which may be used for commenting. A line
320 ending with a backslash will be concatenated
321 with the following one, allowing multiline variable
322 definitions. The parser strips leading
323 and trailing whitespace from the values
7734f773 324 of assignments, unless you use
74051b9b
LP		 325 double quotes (").</para>
326
327 <para>The argument passed should be an
e9dd9f95 328 absolute filename or wildcard
74051b9b 329 expression, optionally prefixed with
05cc7267 330 <literal>-</literal>, which indicates
6b4991cf
JE		 331 that if the file does not exist, it
332 will not be read and no error or warning
05cc7267
ZJS		 333 message is logged. This option may be
334 specified more than once in which case
335 all specified files are read. If the
336 empty string is assigned to this
79640424 337 option, the list of file to read is
05cc7267
ZJS		 338 reset, all prior assignments have no
339 effect.</para>
74051b9b
LP		 340
341 <para>The files listed with this
f1779fd2 342 directive will be read shortly before
90582615 343 the process is executed (more
dca348bc 344 specifically, after all
90582615
LP		 345 processes from a previous unit state
346 terminated. This means you can
347 generate these files in one unit
348 state, and read it with this option in
349 the next). Settings from these files
350 override settings made with
f1779fd2
LP		 351 <varname>Environment=</varname>. If
352 the same variable is set twice from
79640424 353 these files, the files will be read in
f1779fd2
LP		 354 the order they are specified and the
355 later setting will override the
74051b9b 356 earlier setting.</para></listitem>
dd1eb43b
LP		 357 </varlistentry>
358
359 <varlistentry>
360 <term><varname>StandardInput=</varname></term>
361 <listitem><para>Controls where file
362 descriptor 0 (STDIN) of the executed
363 processes is connected to. Takes one
364 of <option>null</option>,
365 <option>tty</option>,
366 <option>tty-force</option>,
367 <option>tty-fail</option> or
79c1afc6
LP		 368 <option>socket</option>.</para>
369
370 <para>If <option>null</option> is
371 selected, standard input will be
372 connected to
dd1eb43b
LP		 373 <filename>/dev/null</filename>,
374 i.e. all read attempts by the process
79c1afc6
LP		 375 will result in immediate EOF.</para>
376
377 <para>If <option>tty</option> is
378 selected, standard input is connected
379 to a TTY (as configured by
dd1eb43b
LP		 380 <varname>TTYPath=</varname>, see
381 below) and the executed process
382 becomes the controlling process of the
383 terminal. If the terminal is already
79c1afc6
LP		 384 being controlled by another process,
385 the executed process waits until the
386 current controlling process releases
387 the terminal.</para>
388
389 <para><option>tty-force</option> is similar
390 to <option>tty</option>, but the
391 executed process is forcefully and
392 immediately made the controlling
dd1eb43b
LP		 393 process of the terminal, potentially
394 removing previous controlling
395 processes from the
79c1afc6
LP		 396 terminal.</para>
397
398 <para><option>tty-fail</option> is
dd1eb43b
LP		 399 similar to <option>tty</option> but if
400 the terminal already has a controlling
401 process start-up of the executed
79c1afc6
LP		 402 process fails.</para>
403
404 <para>The <option>socket</option>
405 option is only valid in
406 socket-activated services, and only
407 when the socket configuration file
408 (see
dd1eb43b
LP		 409 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
410 for details) specifies a single socket
79640424 411 only. If this option is set, standard
dd1eb43b
LP		 412 input will be connected to the socket
413 the service was activated from, which
414 is primarily useful for compatibility
415 with daemons designed for use with the
416 traditional
417 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
79c1afc6
LP		 418 daemon.</para>
419
420 <para>This setting defaults to
dd1eb43b
LP		 421 <option>null</option>.</para></listitem>
422 </varlistentry>
423 <varlistentry>
424 <term><varname>StandardOutput=</varname></term>
425 <listitem><para>Controls where file
426 descriptor 1 (STDOUT) of the executed
427 processes is connected to. Takes one
428 of <option>inherit</option>,
429 <option>null</option>,
430 <option>tty</option>,
79c1afc6 431 <option>journal</option>,
dd1eb43b 432 <option>syslog</option>,
28dbc1e8 433 <option>kmsg</option>,
79c1afc6 434 <option>journal+console</option>,
706343f4 435 <option>syslog+console</option>,
79c1afc6
LP		 436 <option>kmsg+console</option> or
437 <option>socket</option>.</para>
438
439 <para><option>inherit</option>
440 duplicates the file descriptor of
441 standard input for standard
442 output.</para>
443
444 <para><option>null</option> connects
445 standard output to
dd1eb43b
LP		 446 <filename>/dev/null</filename>,
447 i.e. everything written to it will be
79c1afc6
LP		 448 lost.</para>
449
450 <para><option>tty</option> connects
451 standard output to a tty (as
452 configured via
dd1eb43b
LP		 453 <varname>TTYPath=</varname>, see
454 below). If the TTY is used for output
79640424 455 only, the executed process will not
dd1eb43b
LP		 456 become the controlling process of the
457 terminal, and will not fail or wait
458 for other processes to release the
79c1afc6
LP		 459 terminal.</para>
460
461 <para><option>journal</option>
462 connects standard output with the
463 journal which is accessible via
464 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
465 Note that everything that is written
466 to syslog or kmsg (see below) is
467 implicitly stored in the journal as
468 well, the specific two options listed
469 below are hence supersets of this
470 one.</para>
471
472 <para><option>syslog</option> connects
473 standard output to the <citerefentry
474 project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
475 system syslog service, in addition to
476 the journal. Note that the journal
477 daemon is usually configured to
478 forward everything it receives to
479 syslog anyway, in which case this
480 option is no different from
481 <option>journal</option>.</para>
482
483 <para><option>kmsg</option> connects
484 standard output with the kernel log
485 buffer which is accessible via
486 <citerefentry
487 project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
488 in addition to the journal. The
489 journal daemon might be configured to
490 send all logs to kmsg anyway, in which
491 case this option is no different from
492 <option>journal</option>.</para>
493
494 <para><option>journal+console</option>,
495 <option>syslog+console</option> and
496 <option>kmsg+console</option> work in
497 a similar way as the three options
498 above but copy the output to the
499 system console as well.</para>
500
501 <para><option>socket</option> connects
502 standard output to a socket acquired
503 via socket activation. The semantics
504 are similar to the same option of
505 <varname>StandardInput=</varname>.</para>
506
507 <para>This setting defaults to the
508 value set with
de6c78f8
LP		 509 <option>DefaultStandardOutput=</option>
510 in
5f9cfd4c 511 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
de6c78f8 512 which defaults to
706343f4 513 <option>journal</option>.</para></listitem>
dd1eb43b
LP		 514 </varlistentry>
515 <varlistentry>
ad678a06 516 <term><varname>StandardError=</varname></term>
dd1eb43b 517 <listitem><para>Controls where file
b67f562c 518 descriptor 2 (STDERR) of the
6db27428
ZJS		 519 executed processes is connected to.
520 The available options are identical to
dd1eb43b 521 those of
ad678a06 522 <varname>StandardOutput=</varname>,
5471472d 523 with one exception: if set to
dd1eb43b
LP		 524 <option>inherit</option> the file
525 descriptor used for standard output is
526 duplicated for standard error. This
de6c78f8
LP		 527 setting defaults to the value set with
528 <option>DefaultStandardError=</option>
529 in
5f9cfd4c 530 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
de6c78f8 531 which defaults to
dd1eb43b
LP		 532 <option>inherit</option>.</para></listitem>
533 </varlistentry>
534 <varlistentry>
535 <term><varname>TTYPath=</varname></term>
536 <listitem><para>Sets the terminal
6db27428
ZJS		 537 device node to use if standard input, output,
538 or error are connected to a
dd1eb43b
LP		 539 TTY (see above). Defaults to
540 <filename>/dev/console</filename>.</para></listitem>
541 </varlistentry>
6ea832a2
LP		 542 <varlistentry>
543 <term><varname>TTYReset=</varname></term>
544 <listitem><para>Reset the terminal
545 device specified with
546 <varname>TTYPath=</varname> before and
547 after execution. Defaults to
548 <literal>no</literal>.</para></listitem>
549 </varlistentry>
550 <varlistentry>
551 <term><varname>TTYVHangup=</varname></term>
552 <listitem><para>Disconnect all clients
553 which have opened the terminal device
554 specified with
555 <varname>TTYPath=</varname>
556 before and after execution. Defaults
557 to
558 <literal>no</literal>.</para></listitem>
559 </varlistentry>
560 <varlistentry>
561 <term><varname>TTYVTDisallocate=</varname></term>
c5315881 562 <listitem><para>If the terminal
6ea832a2
LP		 563 device specified with
564 <varname>TTYPath=</varname> is a
79640424 565 virtual console terminal, try to
6ea832a2
LP		 566 deallocate the TTY before and after
567 execution. This ensures that the
568 screen and scrollback buffer is
569 cleared. Defaults to
570 <literal>no</literal>.</para></listitem>
571 </varlistentry>
dd1eb43b 572 <varlistentry>
48c4fad9 573 <term><varname>SyslogIdentifier=</varname></term>
dd1eb43b 574 <listitem><para>Sets the process name
2134b5ef
LP		 575 to prefix log lines sent to the
576 logging system or the kernel log
577 buffer with. If not set, defaults to
578 the process name of the executed
579 process. This option is only useful
580 when
dd1eb43b
LP		 581 <varname>StandardOutput=</varname> or
582 <varname>StandardError=</varname> are
2134b5ef
LP		 583 set to <option>syslog</option>,
584 <option>journal</option> or
585 <option>kmsg</option> (or to the same
586 settings in combination with
587 <option>+console</option>).</para></listitem>
dd1eb43b
LP		 588 </varlistentry>
589 <varlistentry>
590 <term><varname>SyslogFacility=</varname></term>
591 <listitem><para>Sets the syslog
592 facility to use when logging to
593 syslog. One of <option>kern</option>,
594 <option>user</option>,
595 <option>mail</option>,
596 <option>daemon</option>,
597 <option>auth</option>,
598 <option>syslog</option>,
599 <option>lpr</option>,
600 <option>news</option>,
601 <option>uucp</option>,
602 <option>cron</option>,
603 <option>authpriv</option>,
604 <option>ftp</option>,
605 <option>local0</option>,
606 <option>local1</option>,
607 <option>local2</option>,
608 <option>local3</option>,
609 <option>local4</option>,
610 <option>local5</option>,
611 <option>local6</option> or
612 <option>local7</option>. See
5aded369 613 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
dd1eb43b
LP		 614 for details. This option is only
615 useful when
616 <varname>StandardOutput=</varname> or
617 <varname>StandardError=</varname> are
618 set to <option>syslog</option>.
619 Defaults to
620 <option>daemon</option>.</para></listitem>
621 </varlistentry>
622 <varlistentry>
623 <term><varname>SyslogLevel=</varname></term>
624 <listitem><para>Default syslog level
625 to use when logging to syslog or the
626 kernel log buffer. One of
627 <option>emerg</option>,
628 <option>alert</option>,
629 <option>crit</option>,
630 <option>err</option>,
631 <option>warning</option>,
632 <option>notice</option>,
633 <option>info</option>,
634 <option>debug</option>. See
5aded369 635 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
dd1eb43b
LP		 636 for details. This option is only
637 useful when
638 <varname>StandardOutput=</varname> or
639 <varname>StandardError=</varname> are
640 set to <option>syslog</option> or
641 <option>kmsg</option>. Note that
642 individual lines output by the daemon
643 might be prefixed with a different log
644 level which can be used to override
645 the default log level specified
646 here. The interpretation of these
647 prefixes may be disabled with
74922904 648 <varname>SyslogLevelPrefix=</varname>,
dd1eb43b 649 see below. For details see
cb07866b 650 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
dd1eb43b
LP		 651
652 Defaults to
653 <option>info</option>.</para></listitem>
654 </varlistentry>
655
656 <varlistentry>
74922904 657 <term><varname>SyslogLevelPrefix=</varname></term>
dd1eb43b 658 <listitem><para>Takes a boolean
74922904 659 argument. If true and
dd1eb43b
LP		 660 <varname>StandardOutput=</varname> or
661 <varname>StandardError=</varname> are
df688b23
LP		 662 set to <option>syslog</option>,
663 <option>kmsg</option> or
664 <option>journal</option>, log lines
dd1eb43b
LP		 665 written by the executed process that
666 are prefixed with a log level will be
667 passed on to syslog with this log
668 level set but the prefix removed. If
74922904 669 set to false, the interpretation of
dd1eb43b
LP		 670 these prefixes is disabled and the
671 logged lines are passed on as-is. For
672 details about this prefixing see
cb07866b 673 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
74922904 674 Defaults to true.</para></listitem>
dd1eb43b
LP		 675 </varlistentry>
676
677 <varlistentry>
03fae018 678 <term><varname>TimerSlackNSec=</varname></term>
dd1eb43b
LP		 679 <listitem><para>Sets the timer slack
680 in nanoseconds for the executed
d88a251b
LP		 681 processes. The timer slack controls
682 the accuracy of wake-ups triggered by
03fae018 683 timers. See
dd1eb43b 684 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
03fae018
LP		 685 for more information. Note that in
686 contrast to most other time span
f8553ccb 687 definitions this parameter takes an
d88a251b
LP		 688 integer value in nano-seconds if no
689 unit is specified. The usual time
690 units are understood
691 too.</para></listitem>
dd1eb43b
LP		 692 </varlistentry>
693
694 <varlistentry>
695 <term><varname>LimitCPU=</varname></term>
696 <term><varname>LimitFSIZE=</varname></term>
697 <term><varname>LimitDATA=</varname></term>
698 <term><varname>LimitSTACK=</varname></term>
699 <term><varname>LimitCORE=</varname></term>
700 <term><varname>LimitRSS=</varname></term>
701 <term><varname>LimitNOFILE=</varname></term>
702 <term><varname>LimitAS=</varname></term>
703 <term><varname>LimitNPROC=</varname></term>
704 <term><varname>LimitMEMLOCK=</varname></term>
705 <term><varname>LimitLOCKS=</varname></term>
706 <term><varname>LimitSIGPENDING=</varname></term>
707 <term><varname>LimitMSGQUEUE=</varname></term>
708 <term><varname>LimitNICE=</varname></term>
709 <term><varname>LimitRTPRIO=</varname></term>
710 <term><varname>LimitRTTIME=</varname></term>
6067b34a
RC		 711 <listitem><para>These settings set both
712 soft and hard limits of various resources for
713 executed processes. See
dd1eb43b 714 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
3d57c6ab
LP		 715 for details. Use the string
716 <varname>infinity</varname> to
717 configure no limit on a specific
718 resource.</para></listitem>
b8825fff
RC		 719
720 <table>
721 <title>Limit directives and their equivalent with ulimit</title>
722
723 <tgroup cols='2'>
724 <colspec colname='directive' />
725 <colspec colname='equivalent' />
726 <thead>
727 <row>
728 <entry>Directive</entry>
729 <entry>ulimit equivalent</entry>
730 </row>
731 </thead>
732 <tbody>
733 <row>
734 <entry>LimitCPU</entry>
735 <entry>ulimit -t</entry>
736 </row>
737 <row>
738 <entry>LimitFSIZE</entry>
739 <entry>ulimit -f</entry>
740 </row>
741 <row>
742 <entry>LimitDATA</entry>
743 <entry>ulimit -d</entry>
744 </row>
745 <row>
746 <entry>LimitSTACK</entry>
747 <entry>ulimit -s</entry>
748 </row>
749 <row>
750 <entry>LimitCORE</entry>
751 <entry>ulimit -c</entry>
752 </row>
753 <row>
754 <entry>LimitRSS</entry>
755 <entry>ulimit -m</entry>
756 </row>
757 <row>
758 <entry>LimitNOFILE</entry>
759 <entry>ulimit -n</entry>
760 </row>
761 <row>
762 <entry>LimitAS</entry>
763 <entry>ulimit -v</entry>
764 </row>
765 <row>
766 <entry>LimitNPROC</entry>
767 <entry>ulimit -u</entry>
768 </row>
769 <row>
770 <entry>LimitMEMLOCK</entry>
771 <entry>ulimit -l</entry>
772 </row>
773 <row>
774 <entry>LimitLOCKS</entry>
775 <entry>ulimit -x</entry>
776 </row>
777 <row>
778 <entry>LimitSIGPENDING</entry>
779 <entry>ulimit -i</entry>
780 </row>
781 <row>
782 <entry>LimitMSGQUEUE</entry>
783 <entry>ulimit -q</entry>
784 </row>
785 <row>
786 <entry>LimitNICE</entry>
787 <entry>ulimit -e</entry>
788 </row>
789 <row>
790 <entry>LimitRTPRIO</entry>
791 <entry>ulimit -r</entry>
792 </row>
793 <row>
794 <entry>LimitRTTIME</entry>
795 <entry>No equivalent</entry>
796 </row>
797 </tbody>
798 </tgroup>
799 </table>
dd1eb43b
LP		 800 </varlistentry>
801
802 <varlistentry>
803 <term><varname>PAMName=</varname></term>
804 <listitem><para>Sets the PAM service
79640424 805 name to set up a session as. If set,
dd1eb43b
LP		 806 the executed process will be
807 registered as a PAM session under the
808 specified service name. This is only
809 useful in conjunction with the
810 <varname>User=</varname> setting. If
79640424 811 not set, no PAM session will be opened
dd1eb43b 812 for the executed processes. See
5aded369 813 <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
dd1eb43b
LP		 814 for details.</para></listitem>
815 </varlistentry>
816
dd1eb43b 817 <varlistentry>
260abb78
LP		 818 <term><varname>CapabilityBoundingSet=</varname></term>
819
820 <listitem><para>Controls which
821 capabilities to include in the
822 capability bounding set for the
823 executed process. See
5aded369 824 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
e9dd9f95
JSJ		 825 for details. Takes a whitespace-separated
826 list of capability names as read by
d91c34f2 827 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
74d00578
ZJS		 828 e.g. <constant>CAP_SYS_ADMIN</constant>,
829 <constant>CAP_DAC_OVERRIDE</constant>,
830 <constant>CAP_SYS_PTRACE</constant>.
260abb78
LP		 831 Capabilities listed will be included
832 in the bounding set, all others are
833 removed. If the list of capabilities
79640424 834 is prefixed with <literal>~</literal>,
d91c34f2
LP		 835 all but the listed capabilities will
836 be included, the effect of the
837 assignment inverted. Note that this
838 option also affects the respective
839 capabilities in the effective,
840 permitted and inheritable capability
841 sets, on top of what
842 <varname>Capabilities=</varname>
79640424 843 does. If this option is not used, the
260abb78
LP		 844 capability bounding set is not
845 modified on process execution, hence
846 no limits on the capabilities of the
74051b9b
LP		 847 process are enforced. This option may
848 appear more than once in which case
d91c34f2
LP		 849 the bounding sets are merged. If the
850 empty string is assigned to this
79640424 851 option, the bounding set is reset to
d91c34f2
LP		 852 the empty capability set, and all
853 prior settings have no effect. If set
854 to <literal>~</literal> (without any
79640424 855 further argument), the bounding set is
d91c34f2
LP		 856 reset to the full set of available
857 capabilities, also undoing any
858 previous settings.</para></listitem>
dd1eb43b
LP		 859 </varlistentry>
860
861 <varlistentry>
862 <term><varname>SecureBits=</varname></term>
863 <listitem><para>Controls the secure
e060073a
ZJS		 864 bits set for the executed process.
865 Takes a space-separated combination of
866 options from the following list:
dd1eb43b
LP		 867 <option>keep-caps</option>,
868 <option>keep-caps-locked</option>,
869 <option>no-setuid-fixup</option>,
870 <option>no-setuid-fixup-locked</option>,
e060073a 871 <option>noroot</option>, and
74051b9b
LP		 872 <option>noroot-locked</option>. This
873 option may appear more than once in
e060073a
ZJS		 874 which case the secure bits are ORed.
875 If the empty string is assigned to
876 this option, the bits are reset to 0.
877 See <citerefentry
878 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
879 for details.</para></listitem>
dd1eb43b
LP		 880 </varlistentry>
881
882 <varlistentry>
260abb78 883 <term><varname>Capabilities=</varname></term>
dd1eb43b 884 <listitem><para>Controls the
5aded369 885 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
260abb78
LP		 886 set for the executed process. Take a
887 capability string describing the
888 effective, permitted and inherited
889 capability sets as documented in
890 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
891 Note that these capability sets are
417116f2 892 usually influenced (and filtered) by the capabilities
260abb78
LP		 893 attached to the executed file. Due to
894 that
895 <varname>CapabilityBoundingSet=</varname>
e060073a 896 is probably a much more useful
260abb78 897 setting.</para></listitem>
dd1eb43b
LP		 898 </varlistentry>
899
dd1eb43b
LP		 900 <varlistentry>
901 <term><varname>ReadWriteDirectories=</varname></term>
902 <term><varname>ReadOnlyDirectories=</varname></term>
903 <term><varname>InaccessibleDirectories=</varname></term>
904
d6797c92
LP		 905 <listitem><para>Sets up a new file
906 system namespace for executed
dd1eb43b
LP		 907 processes. These options may be used
908 to limit access a process might have
12f25b6e 909 to the main file system
dd1eb43b 910 hierarchy. Each setting takes a
96d4ce01 911 space-separated list of absolute
dd1eb43b
LP		 912 directory paths. Directories listed in
913 <varname>ReadWriteDirectories=</varname>
914 are accessible from within the
915 namespace with the same access rights
916 as from outside. Directories listed in
917 <varname>ReadOnlyDirectories=</varname>
918 are accessible for reading only,
919 writing will be refused even if the
920 usual file access controls would
921 permit this. Directories listed in
922 <varname>InaccessibleDirectories=</varname>
74051b9b
LP		 923 will be made inaccessible for
924 processes inside the namespace. Note
925 that restricting access with these
926 options does not extend to submounts
d6797c92
LP		 927 of a directory that are created later
928 on. These options may be specified
74051b9b
LP		 929 more than once in which case all
930 directories listed will have limited
931 access from within the namespace. If
932 the empty string is assigned to this
d6797c92
LP		 933 option, the specific list is reset,
934 and all prior assignments have no
ea92ae33
MW		 935 effect.</para>
936 <para>Paths in
937 <varname>ReadOnlyDirectories=</varname>
938 and
939 <varname>InaccessibleDirectories=</varname>
940 may be prefixed with
941 <literal>-</literal>, in which case
6b4991cf 942 they will be ignored when they do not
907afa06
LP		 943 exist. Note that using this
944 setting will disconnect propagation of
945 mounts from the service to the host
946 (propagation in the opposite direction
947 continues to work). This means that
948 this setting may not be used for
949 services which shall be able to
950 install mount points in the main mount
951 namespace.</para></listitem>
dd1eb43b
LP		 952 </varlistentry>
953
954 <varlistentry>
955 <term><varname>PrivateTmp=</varname></term>
956
957 <listitem><para>Takes a boolean
79640424 958 argument. If true, sets up a new file
ff01d048 959 system namespace for the executed
652d0dd7
ZJS		 960 processes and mounts private
961 <filename>/tmp</filename> and
613b411c 962 <filename>/var/tmp</filename>
e0e009c0 963 directories inside it that is not
613b411c 964 shared by processes outside of the
dd1eb43b
LP		 965 namespace. This is useful to secure
966 access to temporary files of the
967 process, but makes sharing between
968 processes via
652d0dd7
ZJS		 969 <filename>/tmp</filename> or
970 <filename>/var/tmp</filename>
b8bde116 971 impossible. If this is enabled, all
907afa06
LP		 972 temporary files created by a service
973 in these directories will be removed
974 after the service is stopped. Defaults
975 to false. It is possible to run two or
976 more units within the same private
977 <filename>/tmp</filename> and
613b411c
LP		 978 <filename>/var/tmp</filename>
979 namespace by using the
980 <varname>JoinsNamespaceOf=</varname>
981 directive, see
982 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
907afa06
LP		 983 for details. Note that using this
984 setting will disconnect propagation of
985 mounts from the service to the host
986 (propagation in the opposite direction
987 continues to work). This means that
988 this setting may not be used for
989 services which shall be able to install
990 mount points in the main mount
991 namespace.</para></listitem>
992 </varlistentry>
993
994 <varlistentry>
995 <term><varname>PrivateDevices=</varname></term>
996
997 <listitem><para>Takes a boolean
998 argument. If true, sets up a new /dev
999 namespace for the executed processes
1000 and only adds API pseudo devices such
1001 as <filename>/dev/null</filename>,
1002 <filename>/dev/zero</filename> or
1003 <filename>/dev/random</filename> (as
1004 well as the pseudo TTY subsystem) to
1005 it, but no physical devices such as
1006 <filename>/dev/sda</filename>. This is
1007 useful to securely turn off physical
1008 device access by the executed
1009 process. Defaults to false. Enabling
1010 this option will also remove
1011 <constant>CAP_MKNOD</constant> from
1012 the capability bounding set for the
1013 unit (see above), and set
1014 <varname>DevicePolicy=closed</varname>
1015 (see
1016 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1017 for details). Note that using this
1018 setting will disconnect propagation of
1019 mounts from the service to the host
1020 (propagation in the opposite direction
1021 continues to work). This means that
1022 this setting may not be used for
1023 services which shall be able to
1024 install mount points in the main mount
1025 namespace.</para></listitem>
ff01d048
LP		 1026 </varlistentry>
1027
1028 <varlistentry>
1029 <term><varname>PrivateNetwork=</varname></term>
1030
1031 <listitem><para>Takes a boolean
79640424 1032 argument. If true, sets up a new
ff01d048
LP		 1033 network namespace for the executed
1034 processes and configures only the
1035 loopback network device
1036 <literal>lo</literal> inside it. No
1037 other network devices will be
1038 available to the executed process.
1039 This is useful to securely turn off
1040 network access by the executed
907afa06
LP		 1041 process. Defaults to false. It is
1042 possible to run two or more units
1043 within the same private network
613b411c
LP		 1044 namespace by using the
1045 <varname>JoinsNamespaceOf=</varname>
1046 directive, see
1047 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
907afa06
LP		 1048 for details. Note that this option
1049 will disconnect all socket families
1050 from the host, this includes
1051 AF_NETLINK and AF_UNIX. The latter has
1052 the effect that AF_UNIX sockets in the
1053 abstract socket namespace will become
1054 unavailable to the processes (however,
1055 those located in the file system will
1056 continue to be
1057 accessible).</para></listitem>
7f112f50
LP		 1058 </varlistentry>
1059
417116f2 1060 <varlistentry>
1b8689f9 1061 <term><varname>ProtectSystem=</varname></term>
417116f2
LP		 1062
1063 <listitem><para>Takes a boolean
1b8689f9
LP		 1064 argument or
1065 <literal>full</literal>. If true,
1066 mounts the <filename>/usr</filename>
c51cbfdc
LP		 1067 and <filename>/boot</filename>
1068 directories read-only for processes
1b8689f9 1069 invoked by this unit. If set to
8d0e0ddd 1070 <literal>full</literal>, the
c51cbfdc
LP		 1071 <filename>/etc</filename> directory is
1072 mounted read-only, too. This setting
1073 ensures that any modification of the
1074 vendor supplied operating system (and
1b8689f9 1075 optionally its configuration) is
417116f2
LP		 1076 prohibited for the service. It is
1077 recommended to enable this setting for
1078 all long-running services, unless they
1079 are involved with system updates or
1080 need to modify the operating system in
8d0e0ddd 1081 other ways. Note however that
417116f2
LP		 1082 processes retaining the CAP_SYS_ADMIN
1083 capability can undo the effect of this
1084 setting. This setting is hence
1085 particularly useful for daemons which
1086 have this capability removed, for
1087 example with
1088 <varname>CapabilityBoundingSet=</varname>. Defaults
1089 to off.</para></listitem>
1090 </varlistentry>
1091
1092 <varlistentry>
1b8689f9 1093 <term><varname>ProtectHome=</varname></term>
417116f2
LP		 1094
1095 <listitem><para>Takes a boolean
1096 argument or
1097 <literal>read-only</literal>. If true,
1098 the directories
1099 <filename>/home</filename> and
1100 <filename>/run/user</filename> are
1101 made inaccessible and empty for
1102 processes invoked by this unit. If set
8d0e0ddd 1103 to <literal>read-only</literal>, the
8257df27 1104 two directories are made read-only
417116f2
LP		 1105 instead. It is recommended to enable
1106 this setting for all long-running
1107 services (in particular network-facing
1b8689f9 1108 ones), to ensure they cannot get access
417116f2
LP		 1109 to private user data, unless the
1110 services actually require access to
8d0e0ddd 1111 the user's private data. Note however
417116f2
LP		 1112 that processes retaining the
1113 CAP_SYS_ADMIN capability can undo the
1114 effect of this setting. This setting
1115 is hence particularly useful for
1116 daemons which have this capability
1117 removed, for example with
1118 <varname>CapabilityBoundingSet=</varname>. Defaults
1119 to off.</para></listitem>
1120 </varlistentry>
1121
dd1eb43b
LP		 1122 <varlistentry>
1123 <term><varname>MountFlags=</varname></term>
1124
1125 <listitem><para>Takes a mount
1126 propagation flag:
1127 <option>shared</option>,
1128 <option>slave</option> or
1129 <option>private</option>, which
c2c13f2d
LP		 1130 control whether mounts in the file
1131 system namespace set up for this
1132 unit's processes will receive or
1133 propagate mounts or unmounts. See
8050c221 1134 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
c2c13f2d
LP		 1135 for details. Defaults to
1136 <option>shared</option>. Use
1137 <option>shared</option> to ensure that
1138 mounts and unmounts are propagated
1139 from the host to the container and
1140 vice versa. Use <option>slave</option>
1141 to run processes so that none of their
1142 mounts and unmounts will propagate to
1143 the host. Use <option>private</option>
1144 to also ensure that no mounts and
1145 unmounts from the host will propagate
1146 into the unit processes'
1147 namespace. Note that
1148 <option>slave</option> means that file
1149 systems mounted on the host might stay
06b643e7 1150 mounted continuously in the unit's
c2c13f2d
LP		 1151 namespace, and thus keep the device
1152 busy. Note that the file system
1153 namespace related options
1154 (<varname>PrivateTmp=</varname>,
1155 <varname>PrivateDevices=</varname>,
ef392da6
AB		 1156 <varname>ProtectSystem=</varname>,
1157 <varname>ProtectHome=</varname>,
c2c13f2d
LP		 1158 <varname>ReadOnlyDirectories=</varname>,
1159 <varname>InaccessibleDirectories=</varname>
1160 and
1161 <varname>ReadWriteDirectories=</varname>)
1162 require that mount and unmount
1163 propagation from the unit's file
1164 system namespace is disabled, and
1165 hence downgrade
1166 <option>shared</option> to
1167 <option>slave</option>.
1168 </para></listitem>
dd1eb43b
LP		 1169 </varlistentry>
1170
169c1bda
LP		 1171 <varlistentry>
1172 <term><varname>UtmpIdentifier=</varname></term>
1173
c5315881 1174 <listitem><para>Takes a four
169c1bda
LP		 1175 character identifier string for an
1176 utmp/wtmp entry for this service. This
1177 should only be set for services such
1178 as <command>getty</command>
1179 implementations where utmp/wtmp
1180 entries must be created and cleared
1181 before and after execution. If the
1182 configured string is longer than four
79640424 1183 characters, it is truncated and the
169c1bda
LP		 1184 terminal four characters are
1185 used. This setting interprets %I style
1186 string replacements. This setting is
1187 unset by default, i.e. no utmp/wtmp
1188 entries are created or cleaned up for
1189 this service.</para></listitem>
1190 </varlistentry>
1191
7b52a628
MS		 1192 <varlistentry>
1193 <term><varname>SELinuxContext=</varname></term>
1194
82adf6af
LP		 1195 <listitem><para>Set the SELinux
1196 security context of the executed
1197 process. If set, this will override
1198 the automated domain
1199 transition. However, the policy still
536256fc 1200 needs to authorize the transition. This
82adf6af
LP		 1201 directive is ignored if SELinux is
1202 disabled. If prefixed by
1203 <literal>-</literal>, all errors will
1204 be ignored. See
7b52a628
MS		 1205 <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1206 for details.</para></listitem>
1207 </varlistentry>
1208
eef65bf3
MS		 1209 <varlistentry>
1210 <term><varname>AppArmorProfile=</varname></term>
1211
dca348bc 1212 <listitem><para>Takes a profile name as argument.
eef65bf3
MS		 1213 The process executed by the unit will switch to
1214 this profile when started. Profiles must already
1215 be loaded in the kernel, or the unit will fail.
1216 This result in a non operation if AppArmor is not
1217 enabled. If prefixed by <literal>-</literal>, all errors
1218 will be ignored.
1219 </para></listitem>
1220 </varlistentry>
1221
2ca620c4
WC		 1222 <varlistentry>
1223 <term><varname>SmackProcessLabel=</varname></term>
1224
1225 <listitem><para>Takes a
1226 <option>SMACK64</option> security
1227 label as argument. The process
1228 executed by the unit will be started
1229 under this label and SMACK will decide
1230 whether the processes is allowed to
1231 run or not based on it. The process
1232 will continue to run under the label
1233 specified here unless the executable
1234 has its own
1235 <option>SMACK64EXEC</option> label, in
1236 which case the process will transition
1237 to run under that label. When not
1238 specified, the label that systemd is
1239 running under is used. This directive
1240 is ignored if SMACK is
1241 disabled.</para>
1242
1243 <para>The value may be prefixed by
1244 <literal>-</literal>, in which case
1245 all errors will be ignored. An empty
1246 value may be specified to unset
1247 previous assignments.</para>
1248 </listitem>
1249 </varlistentry>
1250
353e12c2
LP		 1251 <varlistentry>
1252 <term><varname>IgnoreSIGPIPE=</varname></term>
1253
1254 <listitem><para>Takes a boolean
05cc7267 1255 argument. If true, causes <constant>SIGPIPE</constant> to be
353e12c2 1256 ignored in the executed
e9dd9f95 1257 process. Defaults to true because
05cc7267 1258 <constant>SIGPIPE</constant> generally is useful only in
353e12c2
LP		 1259 shell pipelines.</para></listitem>
1260 </varlistentry>
1261
8351ceae
LP		 1262 <varlistentry>
1263 <term><varname>NoNewPrivileges=</varname></term>
1264
1265 <listitem><para>Takes a boolean
e9dd9f95 1266 argument. If true, ensures that the
8351ceae
LP		 1267 service process and all its children
1268 can never gain new privileges. This
1269 option is more powerful than the respective
1270 secure bits flags (see above), as it
1271 also prohibits UID changes of any
1272 kind. This is the simplest, most
1273 effective way to ensure that a process
1274 and its children can never elevate
1275 privileges again.</para></listitem>
1276 </varlistentry>
1277
1278 <varlistentry>
1279 <term><varname>SystemCallFilter=</varname></term>
1280
f513e420
LP		 1281 <listitem><para>Takes a
1282 space-separated list of system call
e9dd9f95 1283 names. If this setting is used, all
8351ceae 1284 system calls executed by the unit
17df7223 1285 processes except for the listed ones
8351ceae 1286 will result in immediate process
74d00578
ZJS		 1287 termination with the
1288 <constant>SIGSYS</constant> signal
8351ceae 1289 (whitelisting). If the first character
79640424 1290 of the list is <literal>~</literal>,
8351ceae
LP		 1291 the effect is inverted: only the
1292 listed system calls will result in
1293 immediate process termination
f513e420
LP		 1294 (blacklisting). If running in user
1295 mode and this option is used,
8351ceae 1296 <varname>NoNewPrivileges=yes</varname>
f513e420
LP		 1297 is implied. This feature makes use of the
1298 Secure Computing Mode 2 interfaces of
1299 the kernel ('seccomp filtering') and
1300 is useful for enforcing a minimal
8351ceae
LP		 1301 sandboxing environment. Note that the
1302 <function>execve</function>,
1303 <function>rt_sigreturn</function>,
1304 <function>sigreturn</function>,
1305 <function>exit_group</function>,
1306 <function>exit</function> system calls
6b4991cf 1307 are implicitly whitelisted and do not
74051b9b
LP		 1308 need to be listed explicitly. This
1309 option may be specified more than once
1310 in which case the filter masks are
1311 merged. If the empty string is
79640424 1312 assigned, the filter is reset, all
74051b9b 1313 prior assignments will have no
c0467cf3
RC		 1314 effect.</para>
1315
17df7223
LP		 1316 <para>If you specify both types of
1317 this option (i.e. whitelisting and
73e231ab 1318 blacklisting), the first encountered
17df7223
LP		 1319 will take precedence and will dictate
1320 the default action (termination or
1321 approval of a system call). Then the
1322 next occurrences of this option will
1323 add or delete the listed system calls
1324 from the set of the filtered system
1325 calls, depending of its type and the
66f756d4 1326 default action. (For example, if you have started
17df7223
LP		 1327 with a whitelisting of
1328 <function>read</function> and
73e231ab 1329 <function>write</function>, and right
17df7223
LP		 1330 after it add a blacklisting of
1331 <function>write</function>, then
1332 <function>write</function> will be
66f756d4 1333 removed from the set.)
c0467cf3 1334 </para></listitem>
8351ceae
LP		 1335 </varlistentry>
1336
17df7223
LP		 1337 <varlistentry>
1338 <term><varname>SystemCallErrorNumber=</varname></term>
1339
1340 <listitem><para>Takes an
1341 <literal>errno</literal> error number
1342 name to return when the system call
1343 filter configured with
1344 <varname>SystemCallFilter=</varname>
1345 is triggered, instead of terminating
1346 the process immediately. Takes an
1347 error name such as
ac45f971
LP		 1348 <constant>EPERM</constant>,
1349 <constant>EACCES</constant> or
1350 <constant>EUCLEAN</constant>. When this
17df7223 1351 setting is not used, or when the empty
73e231ab 1352 string is assigned, the process will be
17df7223
LP		 1353 terminated immediately when the filter
1354 is triggered.</para></listitem>
1355 </varlistentry>
1356
57183d11
LP		 1357 <varlistentry>
1358 <term><varname>SystemCallArchitectures=</varname></term>
1359
1360 <listitem><para>Takes a space
1361 separated list of architecture
1362 identifiers to include in the system
1363 call filter. The known architecture
1364 identifiers are
ac45f971
LP		 1365 <constant>x86</constant>,
1366 <constant>x86-64</constant>,
1367 <constant>x32</constant>,
f513e420
LP		 1368 <constant>arm</constant> as well as
1369 the special identifier
1370 <constant>native</constant>. Only
1371 system calls of the specified
1372 architectures will be permitted to
1373 processes of this unit. This is an
1374 effective way to disable compatibility
1375 with non-native architectures for
1376 processes, for example to prohibit
1377 execution of 32-bit x86 binaries on
1378 64-bit x86-64 systems. The special
ac45f971 1379 <constant>native</constant> identifier
57183d11
LP		 1380 implicitly maps to the native
1381 architecture of the system (or more
1382 strictly: to the architecture the
f513e420
LP		 1383 system manager is compiled for). If
1384 running in user mode and this option
1385 is used,
1386 <varname>NoNewPrivileges=yes</varname>
1387 is implied. Note that setting this
1388 option to a non-empty list implies
1389 that <constant>native</constant> is
1390 included too. By default, this option
1391 is set to the empty list, i.e. no
1392 architecture system call filtering is
e9642be2 1393 applied.</para></listitem>
57183d11
LP		 1394 </varlistentry>
1395
4298d0b5
LP		 1396 <varlistentry>
1397 <term><varname>RestrictAddressFamilies=</varname></term>
1398
1399 <listitem><para>Restricts the set of
1400 socket address families accessible to
1401 the processes of this unit. Takes a
1402 space-separated list of address family
1403 names to whitelist, such as
1404 <constant>AF_UNIX</constant>,
1405 <constant>AF_INET</constant> or
1406 <constant>AF_INET6</constant>. When
1407 prefixed with <constant>~</constant>
1408 the listed address families will be
1409 applied as blacklist, otherwise as
1410 whitelist. Note that this restricts
1411 access to the
1412 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1413 system call only. Sockets passed into
1414 the process by other means (for
1415 example, by using socket activation
1416 with socket units, see
1417 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1418 are unaffected. Also, sockets created
1419 with <function>socketpair()</function>
1420 (which creates connected AF_UNIX
1421 sockets only) are unaffected. Note
1422 that this option has no effect on
70a44afe 1423 32-bit x86 and is ignored (but works
f513e420
LP		 1424 correctly on x86-64). If running in user
1425 mode and this option is used,
1426 <varname>NoNewPrivileges=yes</varname>
b8bde116 1427 is implied. By default, no
4298d0b5
LP		 1428 restriction applies, all address
1429 families are accessible to
1430 processes. If assigned the empty
b8bde116 1431 string, any previous list changes are
4298d0b5
LP		 1432 undone.</para>
1433
1434 <para>Use this option to limit
1435 exposure of processes to remote
1436 systems, in particular via exotic
1437 network protocols. Note that in most
b8bde116 1438 cases, the local
4298d0b5
LP		 1439 <constant>AF_UNIX</constant> address
1440 family should be included in the
1441 configured whitelist as it is
1442 frequently used for local
1443 communication, including for
1444 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1445 logging.</para></listitem>
1446 </varlistentry>
1447
ac45f971
LP		 1448 <varlistentry>
1449 <term><varname>Personality=</varname></term>
1450
1451 <listitem><para>Controls which
1452 kernel architecture
1453 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1454 shall report, when invoked by unit
1455 processes. Takes one of
1456 <constant>x86</constant> and
1457 <constant>x86-64</constant>. This is
70a44afe 1458 useful when running 32-bit services on
b8bde116 1459 a 64-bit host system. If not specified,
ac45f971
LP		 1460 the personality is left unmodified and
1461 thus reflects the personality of the
1462 host system's
1463 kernel.</para></listitem>
1464 </varlistentry>
4298d0b5 1465
e66cf1a3
LP		 1466 <varlistentry>
1467 <term><varname>RuntimeDirectory=</varname></term>
1468 <term><varname>RuntimeDirectoryMode=</varname></term>
1469
1470 <listitem><para>Takes a list of
b8bde116 1471 directory names. If set, one or more
e66cf1a3
LP		 1472 directories by the specified names
1473 will be created below
1474 <filename>/run</filename> (for system
1475 services) or below
1476 <varname>$XDG_RUNTIME_DIR</varname>
1477 (for user services) when the unit is
b8bde116 1478 started, and removed when the unit is
e66cf1a3
LP		 1479 stopped. The directories will have the
1480 access mode specified in
1481 <varname>RuntimeDirectoryMode=</varname>,
1482 and will be owned by the user and
1483 group specified in
1484 <varname>User=</varname> and
1485 <varname>Group=</varname>. Use this to
1486 manage one or more runtime directories
1487 of the unit and bind their lifetime to
1488 the daemon runtime. The specified
1489 directory names must be relative, and
1490 may not include a
1491 <literal>/</literal>, i.e. must refer
1492 to simple directories to create or
1493 remove. This is particularly useful
f1721625 1494 for unprivileged daemons that cannot
e66cf1a3
LP		 1495 create runtime directories in
1496 <filename>/run</filename> due to lack
1497 of privileges, and to make sure the
1498 runtime directory is cleaned up
1499 automatically after use. For runtime
1500 directories that require more complex
1501 or different configuration or lifetime
1502 guarantees, please consider using
1503 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
1504 </varlistentry>
1505
dd1eb43b
LP		 1506 </variablelist>
1507 </refsect1>
1508
43638332
ZJS		 1509 <refsect1>
1510 <title>Environment variables in spawned processes</title>
1511
1512 <para>Processes started by the system are executed in
1513 a clean environment in which select variables
1514 listed below are set. System processes started by systemd
1515 do not inherit variables from PID 1, but processes
1516 started by user systemd instances inherit all
1517 environment variables from the user systemd instance.
1518 </para>
1519
1520 <variablelist class='environment-variables'>
1521 <varlistentry>
1522 <term><varname>$PATH</varname></term>
1523
1524 <listitem><para>Colon-separated list
536256fc 1525 of directories to use when launching
43638332
ZJS		 1526 executables. Systemd uses a fixed
1527 value of
1528 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
1529 </para></listitem>
1530 </varlistentry>
1531
1532 <varlistentry>
1533 <term><varname>$LANG</varname></term>
1534
1535 <listitem><para>Locale. Can be set in
1536 <citerefentry><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1537 or on the kernel command line (see
1538 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1539 and
1540 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
1541 </para></listitem>
1542 </varlistentry>
1543
1544 <varlistentry>
1545 <term><varname>$USER</varname></term>
59fccd82 1546 <term><varname>$LOGNAME</varname></term>
43638332 1547 <term><varname>$HOME</varname></term>
59fccd82 1548 <term><varname>$SHELL</varname></term>
43638332 1549
59fccd82
ZJS		 1550 <listitem><para>User name (twice), home
1551 directory, and the login shell.
72f4d966 1552 The variables are set for the units that
43638332
ZJS		 1553 have <varname>User=</varname> set,
1554 which includes user
1555 <command>systemd</command> instances.
1556 See
1557 <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
1558 </para></listitem>
1559 </varlistentry>
1560
1561 <varlistentry>
1562 <term><varname>$XDG_RUNTIME_DIR</varname></term>
1563
1564 <listitem><para>The directory for volatile
1565 state. Set for the user <command>systemd</command>
1566 instance, and also in user sessions.
1567 See
1568 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1569 </para></listitem>
1570 </varlistentry>
1571
1572 <varlistentry>
1573 <term><varname>$XDG_SESSION_ID</varname></term>
1574 <term><varname>$XDG_SEAT</varname></term>
1575 <term><varname>$XDG_VTNR</varname></term>
1576
1577 <listitem><para>The identifier of the
72f4d966 1578 session, the seat name, and
43638332
ZJS		 1579 virtual terminal of the session. Set
1580 by
1581 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
1582 for login sessions.
1583 <varname>$XDG_SEAT</varname> and
72f4d966
JE		 1584 <varname>$XDG_VTNR</varname> will
1585 only be set when attached to a seat and a
43638332
ZJS		 1586 tty.</para></listitem>
1587 </varlistentry>
1588
b67f562c
LP		 1589 <varlistentry>
1590 <term><varname>$MAINPID</varname></term>
1591
1592 <listitem><para>The PID of the units
1593 main process if it is known. This is
1594 only set for control processes as
1595 invoked by
1596 <varname>ExecReload=</varname> and
1597 similar. </para></listitem>
1598 </varlistentry>
1599
43638332
ZJS		 1600 <varlistentry>
1601 <term><varname>$MANAGERPID</varname></term>
1602
1603 <listitem><para>The PID of the user
1604 <command>systemd</command> instance,
1605 set for processes spawned by it.
1606 </para></listitem>
1607 </varlistentry>
1608
1609 <varlistentry>
1610 <term><varname>$LISTEN_FDS</varname></term>
1611 <term><varname>$LISTEN_PID</varname></term>
1612
1613 <listitem><para>Information about file
1614 descriptors passed to a service for
1615 socket activation. See
1616 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1617 </para></listitem>
1618 </varlistentry>
59fccd82
ZJS		 1619
1620 <varlistentry>
1621 <term><varname>$TERM</varname></term>
1622
1623 <listitem><para>Terminal type, set
1624 only for units connected to a terminal
1625 (<varname>StandardInput=tty</varname>,
1626 <varname>StandardOutput=tty</varname>,
1627 or
1628 <varname>StandardError=tty</varname>).
1629 See
5aded369 1630 <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
59fccd82
ZJS		 1631 </para></listitem>
1632 </varlistentry>
43638332
ZJS		 1633 </variablelist>
1634
1635 <para>Additional variables may be configured by the
1636 following means: for processes spawned in specific
1637 units, use the <varname>Environment=</varname> and
1638 <varname>EnvironmentFile=</varname> options above; to
1639 specify variables globally, use
1640 <varname>DefaultEnvironment=</varname> (see
1641 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1642 or the kernel option
1643 <varname>systemd.setenv=</varname> (see
1644 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional
1645 variables may also be set through PAM,
5aded369 1646 cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
43638332
ZJS		 1647 </refsect1>
1648
dd1eb43b
LP		 1649 <refsect1>
1650 <title>See Also</title>
1651 <para>
f3e219a2 1652 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
67826132 1653 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
169c4f65 1654 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
dd1eb43b
LP		 1655 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1656 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1657 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2292707d 1658 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
4819ff03 1659 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
9cc2c8b7 1660 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
3fde5f30 1661 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
43638332 1662 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
e66cf1a3 1663 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
5aded369 1664 <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
dd1eb43b
LP		 1665 </para>
1666 </refsect1>
1667
1668</refentry>
Unnamed repository; edit this file 'description' to name the repository.