]>
Commit | Line | Data |
---|---|---|
dd1eb43b | 1 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
12b42c76 | 2 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
dd1eb43b LP |
3 | |
4 | <!-- | |
5 | This file is part of systemd. | |
6 | ||
7 | Copyright 2010 Lennart Poettering | |
8 | ||
9 | systemd is free software; you can redistribute it and/or modify it | |
5430f7f2 LP |
10 | under the terms of the GNU Lesser General Public License as published by |
11 | the Free Software Foundation; either version 2.1 of the License, or | |
dd1eb43b LP |
12 | (at your option) any later version. |
13 | ||
14 | systemd is distributed in the hope that it will be useful, but | |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
5430f7f2 | 17 | Lesser General Public License for more details. |
dd1eb43b | 18 | |
5430f7f2 | 19 | You should have received a copy of the GNU Lesser General Public License |
dd1eb43b LP |
20 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
21 | --> | |
22 | ||
23 | <refentry id="systemd.exec"> | |
798d3a52 ZJS |
24 | <refentryinfo> |
25 | <title>systemd.exec</title> | |
26 | <productname>systemd</productname> | |
27 | ||
28 | <authorgroup> | |
29 | <author> | |
30 | <contrib>Developer</contrib> | |
31 | <firstname>Lennart</firstname> | |
32 | <surname>Poettering</surname> | |
33 | <email>lennart@poettering.net</email> | |
34 | </author> | |
35 | </authorgroup> | |
36 | </refentryinfo> | |
37 | ||
38 | <refmeta> | |
39 | <refentrytitle>systemd.exec</refentrytitle> | |
40 | <manvolnum>5</manvolnum> | |
41 | </refmeta> | |
42 | ||
43 | <refnamediv> | |
44 | <refname>systemd.exec</refname> | |
45 | <refpurpose>Execution environment configuration</refpurpose> | |
46 | </refnamediv> | |
47 | ||
48 | <refsynopsisdiv> | |
49 | <para><filename><replaceable>service</replaceable>.service</filename>, | |
50 | <filename><replaceable>socket</replaceable>.socket</filename>, | |
51 | <filename><replaceable>mount</replaceable>.mount</filename>, | |
52 | <filename><replaceable>swap</replaceable>.swap</filename></para> | |
53 | </refsynopsisdiv> | |
54 | ||
55 | <refsect1> | |
56 | <title>Description</title> | |
57 | ||
58 | <para>Unit configuration files for services, sockets, mount | |
59 | points, and swap devices share a subset of configuration options | |
60 | which define the execution environment of spawned | |
61 | processes.</para> | |
62 | ||
63 | <para>This man page lists the configuration options shared by | |
64 | these four unit types. See | |
65 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
66 | for the common options of all unit configuration files, and | |
67 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
68 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
69 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
70 | and | |
71 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
72 | for more information on the specific unit configuration files. The | |
73 | execution specific configuration options are configured in the | |
74 | [Service], [Socket], [Mount], or [Swap] sections, depending on the | |
75 | unit type.</para> | |
76 | </refsect1> | |
77 | ||
78 | <refsect1> | |
79 | <title>Options</title> | |
80 | ||
81 | <variablelist class='unit-directives'> | |
82 | ||
83 | <varlistentry> | |
84 | <term><varname>WorkingDirectory=</varname></term> | |
85 | ||
86 | <listitem><para>Takes an absolute directory path. Sets the | |
87 | working directory for executed processes. If not set, defaults | |
88 | to the root directory when systemd is running as a system | |
89 | instance and the respective user's home directory if run as | |
90 | user.</para></listitem> | |
91 | </varlistentry> | |
92 | ||
93 | <varlistentry> | |
94 | <term><varname>RootDirectory=</varname></term> | |
95 | ||
96 | <listitem><para>Takes an absolute directory path. Sets the | |
97 | root directory for executed processes, with the | |
98 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
99 | system call. If this is used, it must be ensured that the | |
100 | process and all its auxiliary files are available in the | |
101 | <function>chroot()</function> jail.</para></listitem> | |
102 | </varlistentry> | |
103 | ||
104 | <varlistentry> | |
105 | <term><varname>User=</varname></term> | |
106 | <term><varname>Group=</varname></term> | |
107 | ||
108 | <listitem><para>Sets the Unix user or group that the processes | |
109 | are executed as, respectively. Takes a single user or group | |
110 | name or ID as argument. If no group is set, the default group | |
111 | of the user is chosen.</para></listitem> | |
112 | </varlistentry> | |
113 | ||
114 | <varlistentry> | |
115 | <term><varname>SupplementaryGroups=</varname></term> | |
116 | ||
117 | <listitem><para>Sets the supplementary Unix groups the | |
118 | processes are executed as. This takes a space-separated list | |
119 | of group names or IDs. This option may be specified more than | |
120 | once in which case all listed groups are set as supplementary | |
121 | groups. When the empty string is assigned the list of | |
122 | supplementary groups is reset, and all assignments prior to | |
123 | this one will have no effect. In any way, this option does not | |
124 | override, but extends the list of supplementary groups | |
125 | configured in the system group database for the | |
126 | user.</para></listitem> | |
127 | </varlistentry> | |
128 | ||
129 | <varlistentry> | |
130 | <term><varname>Nice=</varname></term> | |
131 | ||
132 | <listitem><para>Sets the default nice level (scheduling | |
133 | priority) for executed processes. Takes an integer between -20 | |
134 | (highest priority) and 19 (lowest priority). See | |
135 | <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
136 | for details.</para></listitem> | |
137 | </varlistentry> | |
138 | ||
139 | <varlistentry> | |
140 | <term><varname>OOMScoreAdjust=</varname></term> | |
141 | ||
142 | <listitem><para>Sets the adjustment level for the | |
143 | Out-Of-Memory killer for executed processes. Takes an integer | |
144 | between -1000 (to disable OOM killing for this process) and | |
145 | 1000 (to make killing of this process under memory pressure | |
146 | very likely). See <ulink | |
147 | url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink> | |
148 | for details.</para></listitem> | |
149 | </varlistentry> | |
150 | ||
151 | <varlistentry> | |
152 | <term><varname>IOSchedulingClass=</varname></term> | |
153 | ||
154 | <listitem><para>Sets the IO scheduling class for executed | |
155 | processes. Takes an integer between 0 and 3 or one of the | |
156 | strings <option>none</option>, <option>realtime</option>, | |
157 | <option>best-effort</option> or <option>idle</option>. See | |
158 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
159 | for details.</para></listitem> | |
160 | </varlistentry> | |
161 | ||
162 | <varlistentry> | |
163 | <term><varname>IOSchedulingPriority=</varname></term> | |
164 | ||
165 | <listitem><para>Sets the IO scheduling priority for executed | |
166 | processes. Takes an integer between 0 (highest priority) and 7 | |
167 | (lowest priority). The available priorities depend on the | |
168 | selected IO scheduling class (see above). See | |
169 | <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
170 | for details.</para></listitem> | |
171 | </varlistentry> | |
172 | ||
173 | <varlistentry> | |
174 | <term><varname>CPUSchedulingPolicy=</varname></term> | |
175 | ||
176 | <listitem><para>Sets the CPU scheduling policy for executed | |
177 | processes. Takes one of | |
178 | <option>other</option>, | |
179 | <option>batch</option>, | |
180 | <option>idle</option>, | |
181 | <option>fifo</option> or | |
182 | <option>rr</option>. See | |
183 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
184 | for details.</para></listitem> | |
185 | </varlistentry> | |
186 | ||
187 | <varlistentry> | |
188 | <term><varname>CPUSchedulingPriority=</varname></term> | |
189 | ||
190 | <listitem><para>Sets the CPU scheduling priority for executed | |
191 | processes. The available priority range depends on the | |
192 | selected CPU scheduling policy (see above). For real-time | |
193 | scheduling policies an integer between 1 (lowest priority) and | |
194 | 99 (highest priority) can be used. See | |
195 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
196 | for details. </para></listitem> | |
197 | </varlistentry> | |
198 | ||
199 | <varlistentry> | |
200 | <term><varname>CPUSchedulingResetOnFork=</varname></term> | |
201 | ||
202 | <listitem><para>Takes a boolean argument. If true, elevated | |
203 | CPU scheduling priorities and policies will be reset when the | |
204 | executed processes fork, and can hence not leak into child | |
205 | processes. See | |
206 | <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
207 | for details. Defaults to false.</para></listitem> | |
208 | </varlistentry> | |
209 | ||
210 | <varlistentry> | |
211 | <term><varname>CPUAffinity=</varname></term> | |
212 | ||
213 | <listitem><para>Controls the CPU affinity of the executed | |
214 | processes. Takes a space-separated list of CPU indices. This | |
215 | option may be specified more than once in which case the | |
216 | specified CPU affinity masks are merged. If the empty string | |
217 | is assigned, the mask is reset, all assignments prior to this | |
218 | will have no effect. See | |
219 | <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
220 | for details.</para></listitem> | |
221 | </varlistentry> | |
222 | ||
223 | <varlistentry> | |
224 | <term><varname>UMask=</varname></term> | |
225 | ||
226 | <listitem><para>Controls the file mode creation mask. Takes an | |
227 | access mode in octal notation. See | |
228 | <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
229 | for details. Defaults to 0022.</para></listitem> | |
230 | </varlistentry> | |
231 | ||
232 | <varlistentry> | |
233 | <term><varname>Environment=</varname></term> | |
234 | ||
235 | <listitem><para>Sets environment variables for executed | |
236 | processes. Takes a space-separated list of variable | |
237 | assignments. This option may be specified more than once in | |
238 | which case all listed variables will be set. If the same | |
239 | variable is set twice, the later setting will override the | |
240 | earlier setting. If the empty string is assigned to this | |
241 | option, the list of environment variables is reset, all prior | |
242 | assignments have no effect. Variable expansion is not | |
243 | performed inside the strings, however, specifier expansion is | |
244 | possible. The $ character has no special meaning. If you need | |
245 | to assign a value containing spaces to a variable, use double | |
246 | quotes (") for the assignment.</para> | |
247 | ||
248 | <para>Example: | |
249 | <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting> | |
250 | gives three variables <literal>VAR1</literal>, | |
251 | <literal>VAR2</literal>, <literal>VAR3</literal> | |
252 | with the values <literal>word1 word2</literal>, | |
253 | <literal>word3</literal>, <literal>$word 5 6</literal>. | |
254 | </para> | |
255 | ||
256 | <para> | |
257 | See | |
258 | <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
259 | for details about environment variables.</para></listitem> | |
260 | </varlistentry> | |
261 | <varlistentry> | |
262 | <term><varname>EnvironmentFile=</varname></term> | |
263 | <listitem><para>Similar to <varname>Environment=</varname> but | |
264 | reads the environment variables from a text file. The text | |
265 | file should contain new-line-separated variable assignments. | |
8f0d2981 RM |
266 | Empty lines, lines without an <literal>=</literal> separator, |
267 | or lines starting with ; or # will be ignored, | |
798d3a52 ZJS |
268 | which may be used for commenting. A line ending with a |
269 | backslash will be concatenated with the following one, | |
270 | allowing multiline variable definitions. The parser strips | |
271 | leading and trailing whitespace from the values of | |
272 | assignments, unless you use double quotes (").</para> | |
273 | ||
274 | <para>The argument passed should be an absolute filename or | |
275 | wildcard expression, optionally prefixed with | |
276 | <literal>-</literal>, which indicates that if the file does | |
277 | not exist, it will not be read and no error or warning message | |
278 | is logged. This option may be specified more than once in | |
279 | which case all specified files are read. If the empty string | |
280 | is assigned to this option, the list of file to read is reset, | |
281 | all prior assignments have no effect.</para> | |
282 | ||
283 | <para>The files listed with this directive will be read | |
284 | shortly before the process is executed (more specifically, | |
285 | after all processes from a previous unit state terminated. | |
286 | This means you can generate these files in one unit state, and | |
f407824d DH |
287 | read it with this option in the next).</para> |
288 | ||
289 | <para>Settings from these | |
798d3a52 ZJS |
290 | files override settings made with |
291 | <varname>Environment=</varname>. If the same variable is set | |
292 | twice from these files, the files will be read in the order | |
293 | they are specified and the later setting will override the | |
294 | earlier setting.</para></listitem> | |
295 | </varlistentry> | |
296 | ||
297 | <varlistentry> | |
298 | <term><varname>StandardInput=</varname></term> | |
299 | <listitem><para>Controls where file descriptor 0 (STDIN) of | |
300 | the executed processes is connected to. Takes one of | |
301 | <option>null</option>, | |
302 | <option>tty</option>, | |
303 | <option>tty-force</option>, | |
304 | <option>tty-fail</option> or | |
305 | <option>socket</option>.</para> | |
306 | ||
307 | <para>If <option>null</option> is selected, standard input | |
308 | will be connected to <filename>/dev/null</filename>, i.e. all | |
309 | read attempts by the process will result in immediate | |
310 | EOF.</para> | |
311 | ||
312 | <para>If <option>tty</option> is selected, standard input is | |
313 | connected to a TTY (as configured by | |
314 | <varname>TTYPath=</varname>, see below) and the executed | |
315 | process becomes the controlling process of the terminal. If | |
316 | the terminal is already being controlled by another process, | |
317 | the executed process waits until the current controlling | |
318 | process releases the terminal.</para> | |
319 | ||
320 | <para><option>tty-force</option> is similar to | |
321 | <option>tty</option>, but the executed process is forcefully | |
322 | and immediately made the controlling process of the terminal, | |
323 | potentially removing previous controlling processes from the | |
324 | terminal.</para> | |
325 | ||
326 | <para><option>tty-fail</option> is similar to | |
327 | <option>tty</option> but if the terminal already has a | |
328 | controlling process start-up of the executed process | |
329 | fails.</para> | |
330 | ||
331 | <para>The <option>socket</option> option is only valid in | |
332 | socket-activated services, and only when the socket | |
333 | configuration file (see | |
334 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
335 | for details) specifies a single socket only. If this option is | |
336 | set, standard input will be connected to the socket the | |
337 | service was activated from, which is primarily useful for | |
338 | compatibility with daemons designed for use with the | |
339 | traditional | |
b5c7d097 | 340 | <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
798d3a52 ZJS |
341 | daemon.</para> |
342 | ||
343 | <para>This setting defaults to | |
344 | <option>null</option>.</para></listitem> | |
345 | </varlistentry> | |
346 | <varlistentry> | |
347 | <term><varname>StandardOutput=</varname></term> | |
348 | <listitem><para>Controls where file descriptor 1 (STDOUT) of | |
349 | the executed processes is connected to. Takes one of | |
350 | <option>inherit</option>, | |
351 | <option>null</option>, | |
352 | <option>tty</option>, | |
353 | <option>journal</option>, | |
354 | <option>syslog</option>, | |
355 | <option>kmsg</option>, | |
356 | <option>journal+console</option>, | |
357 | <option>syslog+console</option>, | |
358 | <option>kmsg+console</option> or | |
359 | <option>socket</option>.</para> | |
360 | ||
361 | <para><option>inherit</option> duplicates the file descriptor | |
362 | of standard input for standard output.</para> | |
363 | ||
364 | <para><option>null</option> connects standard output to | |
365 | <filename>/dev/null</filename>, i.e. everything written to it | |
366 | will be lost.</para> | |
367 | ||
368 | <para><option>tty</option> connects standard output to a tty | |
369 | (as configured via <varname>TTYPath=</varname>, see below). If | |
370 | the TTY is used for output only, the executed process will not | |
371 | become the controlling process of the terminal, and will not | |
372 | fail or wait for other processes to release the | |
373 | terminal.</para> | |
374 | ||
375 | <para><option>journal</option> connects standard output with | |
376 | the journal which is accessible via | |
377 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
378 | Note that everything that is written to syslog or kmsg (see | |
379 | below) is implicitly stored in the journal as well, the | |
380 | specific two options listed below are hence supersets of this | |
381 | one.</para> | |
382 | ||
383 | <para><option>syslog</option> connects standard output to the | |
384 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
385 | system syslog service, in addition to the journal. Note that | |
386 | the journal daemon is usually configured to forward everything | |
387 | it receives to syslog anyway, in which case this option is no | |
388 | different from <option>journal</option>.</para> | |
389 | ||
390 | <para><option>kmsg</option> connects standard output with the | |
391 | kernel log buffer which is accessible via | |
392 | <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
393 | in addition to the journal. The journal daemon might be | |
394 | configured to send all logs to kmsg anyway, in which case this | |
395 | option is no different from <option>journal</option>.</para> | |
396 | ||
397 | <para><option>journal+console</option>, | |
398 | <option>syslog+console</option> and | |
399 | <option>kmsg+console</option> work in a similar way as the | |
400 | three options above but copy the output to the system console | |
401 | as well.</para> | |
402 | ||
403 | <para><option>socket</option> connects standard output to a | |
404 | socket acquired via socket activation. The semantics are | |
405 | similar to the same option of | |
406 | <varname>StandardInput=</varname>.</para> | |
407 | ||
408 | <para>This setting defaults to the value set with | |
409 | <option>DefaultStandardOutput=</option> in | |
410 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
411 | which defaults to <option>journal</option>.</para></listitem> | |
412 | </varlistentry> | |
413 | <varlistentry> | |
414 | <term><varname>StandardError=</varname></term> | |
415 | <listitem><para>Controls where file descriptor 2 (STDERR) of | |
416 | the executed processes is connected to. The available options | |
417 | are identical to those of <varname>StandardOutput=</varname>, | |
418 | with one exception: if set to <option>inherit</option> the | |
419 | file descriptor used for standard output is duplicated for | |
420 | standard error. This setting defaults to the value set with | |
421 | <option>DefaultStandardError=</option> in | |
422 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
423 | which defaults to <option>inherit</option>.</para></listitem> | |
424 | </varlistentry> | |
425 | <varlistentry> | |
426 | <term><varname>TTYPath=</varname></term> | |
427 | <listitem><para>Sets the terminal device node to use if | |
428 | standard input, output, or error are connected to a TTY (see | |
429 | above). Defaults to | |
430 | <filename>/dev/console</filename>.</para></listitem> | |
431 | </varlistentry> | |
432 | <varlistentry> | |
433 | <term><varname>TTYReset=</varname></term> | |
434 | <listitem><para>Reset the terminal device specified with | |
435 | <varname>TTYPath=</varname> before and after execution. | |
436 | Defaults to <literal>no</literal>.</para></listitem> | |
437 | </varlistentry> | |
438 | <varlistentry> | |
439 | <term><varname>TTYVHangup=</varname></term> | |
440 | <listitem><para>Disconnect all clients which have opened the | |
441 | terminal device specified with <varname>TTYPath=</varname> | |
442 | before and after execution. Defaults to | |
443 | <literal>no</literal>.</para></listitem> | |
444 | </varlistentry> | |
445 | <varlistentry> | |
446 | <term><varname>TTYVTDisallocate=</varname></term> | |
447 | <listitem><para>If the terminal device specified with | |
448 | <varname>TTYPath=</varname> is a virtual console terminal, try | |
449 | to deallocate the TTY before and after execution. This ensures | |
450 | that the screen and scrollback buffer is cleared. Defaults to | |
451 | <literal>no</literal>.</para></listitem> | |
452 | </varlistentry> | |
453 | <varlistentry> | |
454 | <term><varname>SyslogIdentifier=</varname></term> | |
455 | <listitem><para>Sets the process name to prefix log lines sent | |
456 | to the logging system or the kernel log buffer with. If not | |
457 | set, defaults to the process name of the executed process. | |
458 | This option is only useful when | |
459 | <varname>StandardOutput=</varname> or | |
460 | <varname>StandardError=</varname> are set to | |
461 | <option>syslog</option>, <option>journal</option> or | |
462 | <option>kmsg</option> (or to the same settings in combination | |
463 | with <option>+console</option>).</para></listitem> | |
464 | </varlistentry> | |
465 | <varlistentry> | |
466 | <term><varname>SyslogFacility=</varname></term> | |
467 | <listitem><para>Sets the syslog facility to use when logging | |
468 | to syslog. One of <option>kern</option>, | |
469 | <option>user</option>, <option>mail</option>, | |
470 | <option>daemon</option>, <option>auth</option>, | |
471 | <option>syslog</option>, <option>lpr</option>, | |
472 | <option>news</option>, <option>uucp</option>, | |
473 | <option>cron</option>, <option>authpriv</option>, | |
474 | <option>ftp</option>, <option>local0</option>, | |
475 | <option>local1</option>, <option>local2</option>, | |
476 | <option>local3</option>, <option>local4</option>, | |
477 | <option>local5</option>, <option>local6</option> or | |
478 | <option>local7</option>. See | |
479 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
480 | for details. This option is only useful when | |
481 | <varname>StandardOutput=</varname> or | |
482 | <varname>StandardError=</varname> are set to | |
483 | <option>syslog</option>. Defaults to | |
484 | <option>daemon</option>.</para></listitem> | |
485 | </varlistentry> | |
486 | <varlistentry> | |
487 | <term><varname>SyslogLevel=</varname></term> | |
488 | <listitem><para>Default syslog level to use when logging to | |
489 | syslog or the kernel log buffer. One of | |
490 | <option>emerg</option>, | |
491 | <option>alert</option>, | |
492 | <option>crit</option>, | |
493 | <option>err</option>, | |
494 | <option>warning</option>, | |
495 | <option>notice</option>, | |
496 | <option>info</option>, | |
497 | <option>debug</option>. See | |
498 | <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
499 | for details. This option is only useful when | |
500 | <varname>StandardOutput=</varname> or | |
501 | <varname>StandardError=</varname> are set to | |
502 | <option>syslog</option> or <option>kmsg</option>. Note that | |
503 | individual lines output by the daemon might be prefixed with a | |
504 | different log level which can be used to override the default | |
505 | log level specified here. The interpretation of these prefixes | |
506 | may be disabled with <varname>SyslogLevelPrefix=</varname>, | |
507 | see below. For details see | |
508 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
509 | ||
510 | Defaults to | |
511 | <option>info</option>.</para></listitem> | |
512 | </varlistentry> | |
513 | ||
514 | <varlistentry> | |
515 | <term><varname>SyslogLevelPrefix=</varname></term> | |
516 | <listitem><para>Takes a boolean argument. If true and | |
517 | <varname>StandardOutput=</varname> or | |
518 | <varname>StandardError=</varname> are set to | |
519 | <option>syslog</option>, <option>kmsg</option> or | |
520 | <option>journal</option>, log lines written by the executed | |
521 | process that are prefixed with a log level will be passed on | |
522 | to syslog with this log level set but the prefix removed. If | |
523 | set to false, the interpretation of these prefixes is disabled | |
524 | and the logged lines are passed on as-is. For details about | |
525 | this prefixing see | |
526 | <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
527 | Defaults to true.</para></listitem> | |
528 | </varlistentry> | |
529 | ||
530 | <varlistentry> | |
531 | <term><varname>TimerSlackNSec=</varname></term> | |
532 | <listitem><para>Sets the timer slack in nanoseconds for the | |
533 | executed processes. The timer slack controls the accuracy of | |
534 | wake-ups triggered by timers. See | |
535 | <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
536 | for more information. Note that in contrast to most other time | |
537 | span definitions this parameter takes an integer value in | |
538 | nano-seconds if no unit is specified. The usual time units are | |
539 | understood too.</para></listitem> | |
540 | </varlistentry> | |
541 | ||
542 | <varlistentry> | |
543 | <term><varname>LimitCPU=</varname></term> | |
544 | <term><varname>LimitFSIZE=</varname></term> | |
545 | <term><varname>LimitDATA=</varname></term> | |
546 | <term><varname>LimitSTACK=</varname></term> | |
547 | <term><varname>LimitCORE=</varname></term> | |
548 | <term><varname>LimitRSS=</varname></term> | |
549 | <term><varname>LimitNOFILE=</varname></term> | |
550 | <term><varname>LimitAS=</varname></term> | |
551 | <term><varname>LimitNPROC=</varname></term> | |
552 | <term><varname>LimitMEMLOCK=</varname></term> | |
553 | <term><varname>LimitLOCKS=</varname></term> | |
554 | <term><varname>LimitSIGPENDING=</varname></term> | |
555 | <term><varname>LimitMSGQUEUE=</varname></term> | |
556 | <term><varname>LimitNICE=</varname></term> | |
557 | <term><varname>LimitRTPRIO=</varname></term> | |
558 | <term><varname>LimitRTTIME=</varname></term> | |
559 | <listitem><para>These settings set both soft and hard limits | |
560 | of various resources for executed processes. See | |
561 | <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
562 | for details. Use the string <varname>infinity</varname> to | |
563 | configure no limit on a specific resource.</para></listitem> | |
564 | ||
565 | <table> | |
566 | <title>Limit directives and their equivalent with ulimit</title> | |
567 | ||
568 | <tgroup cols='2'> | |
569 | <colspec colname='directive' /> | |
570 | <colspec colname='equivalent' /> | |
571 | <thead> | |
572 | <row> | |
573 | <entry>Directive</entry> | |
574 | <entry>ulimit equivalent</entry> | |
575 | </row> | |
576 | </thead> | |
577 | <tbody> | |
578 | <row> | |
579 | <entry>LimitCPU</entry> | |
580 | <entry>ulimit -t</entry> | |
581 | </row> | |
582 | <row> | |
583 | <entry>LimitFSIZE</entry> | |
584 | <entry>ulimit -f</entry> | |
585 | </row> | |
586 | <row> | |
587 | <entry>LimitDATA</entry> | |
588 | <entry>ulimit -d</entry> | |
589 | </row> | |
590 | <row> | |
591 | <entry>LimitSTACK</entry> | |
592 | <entry>ulimit -s</entry> | |
593 | </row> | |
594 | <row> | |
595 | <entry>LimitCORE</entry> | |
596 | <entry>ulimit -c</entry> | |
597 | </row> | |
598 | <row> | |
599 | <entry>LimitRSS</entry> | |
600 | <entry>ulimit -m</entry> | |
601 | </row> | |
602 | <row> | |
603 | <entry>LimitNOFILE</entry> | |
604 | <entry>ulimit -n</entry> | |
605 | </row> | |
606 | <row> | |
607 | <entry>LimitAS</entry> | |
608 | <entry>ulimit -v</entry> | |
609 | </row> | |
610 | <row> | |
611 | <entry>LimitNPROC</entry> | |
612 | <entry>ulimit -u</entry> | |
613 | </row> | |
614 | <row> | |
615 | <entry>LimitMEMLOCK</entry> | |
616 | <entry>ulimit -l</entry> | |
617 | </row> | |
618 | <row> | |
619 | <entry>LimitLOCKS</entry> | |
620 | <entry>ulimit -x</entry> | |
621 | </row> | |
622 | <row> | |
623 | <entry>LimitSIGPENDING</entry> | |
624 | <entry>ulimit -i</entry> | |
625 | </row> | |
626 | <row> | |
627 | <entry>LimitMSGQUEUE</entry> | |
628 | <entry>ulimit -q</entry> | |
629 | </row> | |
630 | <row> | |
631 | <entry>LimitNICE</entry> | |
632 | <entry>ulimit -e</entry> | |
633 | </row> | |
634 | <row> | |
635 | <entry>LimitRTPRIO</entry> | |
636 | <entry>ulimit -r</entry> | |
637 | </row> | |
638 | <row> | |
639 | <entry>LimitRTTIME</entry> | |
640 | <entry>No equivalent</entry> | |
641 | </row> | |
642 | </tbody> | |
643 | </tgroup> | |
644 | </table> | |
645 | </varlistentry> | |
646 | ||
647 | <varlistentry> | |
648 | <term><varname>PAMName=</varname></term> | |
649 | <listitem><para>Sets the PAM service name to set up a session | |
650 | as. If set, the executed process will be registered as a PAM | |
651 | session under the specified service name. This is only useful | |
652 | in conjunction with the <varname>User=</varname> setting. If | |
653 | not set, no PAM session will be opened for the executed | |
654 | processes. See | |
655 | <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
656 | for details.</para></listitem> | |
657 | </varlistentry> | |
658 | ||
659 | <varlistentry> | |
660 | <term><varname>CapabilityBoundingSet=</varname></term> | |
661 | ||
662 | <listitem><para>Controls which capabilities to include in the | |
663 | capability bounding set for the executed process. See | |
664 | <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
665 | for details. Takes a whitespace-separated list of capability | |
666 | names as read by | |
3ba3a79d | 667 | <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>, |
798d3a52 ZJS |
668 | e.g. <constant>CAP_SYS_ADMIN</constant>, |
669 | <constant>CAP_DAC_OVERRIDE</constant>, | |
670 | <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will | |
671 | be included in the bounding set, all others are removed. If | |
672 | the list of capabilities is prefixed with | |
673 | <literal>~</literal>, all but the listed capabilities will be | |
674 | included, the effect of the assignment inverted. Note that | |
675 | this option also affects the respective capabilities in the | |
676 | effective, permitted and inheritable capability sets, on top | |
677 | of what <varname>Capabilities=</varname> does. If this option | |
678 | is not used, the capability bounding set is not modified on | |
679 | process execution, hence no limits on the capabilities of the | |
680 | process are enforced. This option may appear more than once in | |
681 | which case the bounding sets are merged. If the empty string | |
682 | is assigned to this option, the bounding set is reset to the | |
683 | empty capability set, and all prior settings have no effect. | |
684 | If set to <literal>~</literal> (without any further argument), | |
685 | the bounding set is reset to the full set of available | |
686 | capabilities, also undoing any previous | |
687 | settings.</para></listitem> | |
688 | </varlistentry> | |
689 | ||
690 | <varlistentry> | |
691 | <term><varname>SecureBits=</varname></term> | |
692 | <listitem><para>Controls the secure bits set for the executed | |
693 | process. Takes a space-separated combination of options from | |
694 | the following list: | |
695 | <option>keep-caps</option>, | |
696 | <option>keep-caps-locked</option>, | |
697 | <option>no-setuid-fixup</option>, | |
698 | <option>no-setuid-fixup-locked</option>, | |
699 | <option>noroot</option>, and | |
700 | <option>noroot-locked</option>. | |
701 | This option may appear more than once in which case the secure | |
702 | bits are ORed. If the empty string is assigned to this option, | |
703 | the bits are reset to 0. See | |
704 | <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
705 | for details.</para></listitem> | |
706 | </varlistentry> | |
707 | ||
708 | <varlistentry> | |
709 | <term><varname>Capabilities=</varname></term> | |
710 | <listitem><para>Controls the | |
711 | <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
712 | set for the executed process. Take a capability string | |
713 | describing the effective, permitted and inherited capability | |
714 | sets as documented in | |
3ba3a79d | 715 | <citerefentry project='mankier'><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>. |
798d3a52 ZJS |
716 | Note that these capability sets are usually influenced (and |
717 | filtered) by the capabilities attached to the executed file. | |
718 | Due to that <varname>CapabilityBoundingSet=</varname> is | |
719 | probably a much more useful setting.</para></listitem> | |
720 | </varlistentry> | |
721 | ||
722 | <varlistentry> | |
723 | <term><varname>ReadWriteDirectories=</varname></term> | |
724 | <term><varname>ReadOnlyDirectories=</varname></term> | |
725 | <term><varname>InaccessibleDirectories=</varname></term> | |
726 | ||
727 | <listitem><para>Sets up a new file system namespace for | |
728 | executed processes. These options may be used to limit access | |
729 | a process might have to the main file system hierarchy. Each | |
730 | setting takes a space-separated list of absolute directory | |
731 | paths. Directories listed in | |
732 | <varname>ReadWriteDirectories=</varname> are accessible from | |
733 | within the namespace with the same access rights as from | |
734 | outside. Directories listed in | |
735 | <varname>ReadOnlyDirectories=</varname> are accessible for | |
736 | reading only, writing will be refused even if the usual file | |
737 | access controls would permit this. Directories listed in | |
738 | <varname>InaccessibleDirectories=</varname> will be made | |
739 | inaccessible for processes inside the namespace. Note that | |
740 | restricting access with these options does not extend to | |
741 | submounts of a directory that are created later on. These | |
742 | options may be specified more than once in which case all | |
743 | directories listed will have limited access from within the | |
744 | namespace. If the empty string is assigned to this option, the | |
745 | specific list is reset, and all prior assignments have no | |
746 | effect.</para> | |
747 | <para>Paths in | |
748 | <varname>ReadOnlyDirectories=</varname> | |
749 | and | |
750 | <varname>InaccessibleDirectories=</varname> | |
751 | may be prefixed with | |
752 | <literal>-</literal>, in which case | |
753 | they will be ignored when they do not | |
754 | exist. Note that using this | |
755 | setting will disconnect propagation of | |
756 | mounts from the service to the host | |
757 | (propagation in the opposite direction | |
758 | continues to work). This means that | |
759 | this setting may not be used for | |
760 | services which shall be able to | |
761 | install mount points in the main mount | |
762 | namespace.</para></listitem> | |
763 | </varlistentry> | |
764 | ||
765 | <varlistentry> | |
766 | <term><varname>PrivateTmp=</varname></term> | |
767 | ||
768 | <listitem><para>Takes a boolean argument. If true, sets up a | |
769 | new file system namespace for the executed processes and | |
770 | mounts private <filename>/tmp</filename> and | |
771 | <filename>/var/tmp</filename> directories inside it that is | |
772 | not shared by processes outside of the namespace. This is | |
773 | useful to secure access to temporary files of the process, but | |
774 | makes sharing between processes via <filename>/tmp</filename> | |
775 | or <filename>/var/tmp</filename> impossible. If this is | |
776 | enabled, all temporary files created by a service in these | |
777 | directories will be removed after the service is stopped. | |
778 | Defaults to false. It is possible to run two or more units | |
779 | within the same private <filename>/tmp</filename> and | |
780 | <filename>/var/tmp</filename> namespace by using the | |
781 | <varname>JoinsNamespaceOf=</varname> directive, see | |
782 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
783 | for details. Note that using this setting will disconnect | |
784 | propagation of mounts from the service to the host | |
785 | (propagation in the opposite direction continues to work). | |
786 | This means that this setting may not be used for services | |
787 | which shall be able to install mount points in the main mount | |
788 | namespace.</para></listitem> | |
789 | </varlistentry> | |
790 | ||
791 | <varlistentry> | |
792 | <term><varname>PrivateDevices=</varname></term> | |
793 | ||
794 | <listitem><para>Takes a boolean argument. If true, sets up a | |
795 | new /dev namespace for the executed processes and only adds | |
796 | API pseudo devices such as <filename>/dev/null</filename>, | |
797 | <filename>/dev/zero</filename> or | |
798 | <filename>/dev/random</filename> (as well as the pseudo TTY | |
799 | subsystem) to it, but no physical devices such as | |
800 | <filename>/dev/sda</filename>. This is useful to securely turn | |
801 | off physical device access by the executed process. Defaults | |
802 | to false. Enabling this option will also remove | |
803 | <constant>CAP_MKNOD</constant> from the capability bounding | |
804 | set for the unit (see above), and set | |
805 | <varname>DevicePolicy=closed</varname> (see | |
806 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
807 | for details). Note that using this setting will disconnect | |
808 | propagation of mounts from the service to the host | |
809 | (propagation in the opposite direction continues to work). | |
810 | This means that this setting may not be used for services | |
811 | which shall be able to install mount points in the main mount | |
812 | namespace.</para></listitem> | |
813 | </varlistentry> | |
814 | ||
815 | <varlistentry> | |
816 | <term><varname>PrivateNetwork=</varname></term> | |
817 | ||
818 | <listitem><para>Takes a boolean argument. If true, sets up a | |
819 | new network namespace for the executed processes and | |
820 | configures only the loopback network device | |
821 | <literal>lo</literal> inside it. No other network devices will | |
822 | be available to the executed process. This is useful to | |
823 | securely turn off network access by the executed process. | |
824 | Defaults to false. It is possible to run two or more units | |
825 | within the same private network namespace by using the | |
826 | <varname>JoinsNamespaceOf=</varname> directive, see | |
827 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
828 | for details. Note that this option will disconnect all socket | |
829 | families from the host, this includes AF_NETLINK and AF_UNIX. | |
830 | The latter has the effect that AF_UNIX sockets in the abstract | |
831 | socket namespace will become unavailable to the processes | |
832 | (however, those located in the file system will continue to be | |
833 | accessible).</para></listitem> | |
834 | </varlistentry> | |
835 | ||
836 | <varlistentry> | |
837 | <term><varname>ProtectSystem=</varname></term> | |
838 | ||
839 | <listitem><para>Takes a boolean argument or | |
840 | <literal>full</literal>. If true, mounts the | |
841 | <filename>/usr</filename> and <filename>/boot</filename> | |
842 | directories read-only for processes invoked by this unit. If | |
843 | set to <literal>full</literal>, the <filename>/etc</filename> | |
844 | directory is mounted read-only, too. This setting ensures that | |
845 | any modification of the vendor supplied operating system (and | |
846 | optionally its configuration) is prohibited for the service. | |
847 | It is recommended to enable this setting for all long-running | |
848 | services, unless they are involved with system updates or need | |
849 | to modify the operating system in other ways. Note however | |
850 | that processes retaining the CAP_SYS_ADMIN capability can undo | |
851 | the effect of this setting. This setting is hence particularly | |
852 | useful for daemons which have this capability removed, for | |
853 | example with <varname>CapabilityBoundingSet=</varname>. | |
854 | Defaults to off.</para></listitem> | |
855 | </varlistentry> | |
856 | ||
857 | <varlistentry> | |
858 | <term><varname>ProtectHome=</varname></term> | |
859 | ||
860 | <listitem><para>Takes a boolean argument or | |
861 | <literal>read-only</literal>. If true, the directories | |
58331437 CH |
862 | <filename>/home</filename>, <filename>/root</filename> and |
863 | <filename>/run/user</filename> | |
798d3a52 | 864 | are made inaccessible and empty for processes invoked by this |
58331437 | 865 | unit. If set to <literal>read-only</literal>, the three |
798d3a52 ZJS |
866 | directories are made read-only instead. It is recommended to |
867 | enable this setting for all long-running services (in | |
868 | particular network-facing ones), to ensure they cannot get | |
869 | access to private user data, unless the services actually | |
870 | require access to the user's private data. Note however that | |
871 | processes retaining the CAP_SYS_ADMIN capability can undo the | |
872 | effect of this setting. This setting is hence particularly | |
873 | useful for daemons which have this capability removed, for | |
874 | example with <varname>CapabilityBoundingSet=</varname>. | |
875 | Defaults to off.</para></listitem> | |
876 | </varlistentry> | |
877 | ||
878 | <varlistentry> | |
879 | <term><varname>MountFlags=</varname></term> | |
880 | ||
881 | <listitem><para>Takes a mount propagation flag: | |
882 | <option>shared</option>, <option>slave</option> or | |
883 | <option>private</option>, which control whether mounts in the | |
884 | file system namespace set up for this unit's processes will | |
885 | receive or propagate mounts or unmounts. See | |
3ba3a79d | 886 | <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
798d3a52 ZJS |
887 | for details. Defaults to <option>shared</option>. Use |
888 | <option>shared</option> to ensure that mounts and unmounts are | |
889 | propagated from the host to the container and vice versa. Use | |
890 | <option>slave</option> to run processes so that none of their | |
891 | mounts and unmounts will propagate to the host. Use | |
892 | <option>private</option> to also ensure that no mounts and | |
893 | unmounts from the host will propagate into the unit processes' | |
894 | namespace. Note that <option>slave</option> means that file | |
895 | systems mounted on the host might stay mounted continuously in | |
896 | the unit's namespace, and thus keep the device busy. Note that | |
897 | the file system namespace related options | |
898 | (<varname>PrivateTmp=</varname>, | |
899 | <varname>PrivateDevices=</varname>, | |
900 | <varname>ProtectSystem=</varname>, | |
901 | <varname>ProtectHome=</varname>, | |
902 | <varname>ReadOnlyDirectories=</varname>, | |
903 | <varname>InaccessibleDirectories=</varname> and | |
904 | <varname>ReadWriteDirectories=</varname>) require that mount | |
905 | and unmount propagation from the unit's file system namespace | |
906 | is disabled, and hence downgrade <option>shared</option> to | |
907 | <option>slave</option>. </para></listitem> | |
908 | </varlistentry> | |
909 | ||
910 | <varlistentry> | |
911 | <term><varname>UtmpIdentifier=</varname></term> | |
912 | ||
913 | <listitem><para>Takes a four character identifier string for | |
914 | an utmp/wtmp entry for this service. This should only be set | |
915 | for services such as <command>getty</command> implementations | |
916 | where utmp/wtmp entries must be created and cleared before and | |
917 | after execution. If the configured string is longer than four | |
918 | characters, it is truncated and the terminal four characters | |
919 | are used. This setting interprets %I style string | |
920 | replacements. This setting is unset by default, i.e. no | |
921 | utmp/wtmp entries are created or cleaned up for this | |
922 | service.</para></listitem> | |
923 | </varlistentry> | |
924 | ||
925 | <varlistentry> | |
926 | <term><varname>SELinuxContext=</varname></term> | |
927 | ||
928 | <listitem><para>Set the SELinux security context of the | |
929 | executed process. If set, this will override the automated | |
930 | domain transition. However, the policy still needs to | |
931 | authorize the transition. This directive is ignored if SELinux | |
932 | is disabled. If prefixed by <literal>-</literal>, all errors | |
933 | will be ignored. See | |
3ba3a79d | 934 | <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> |
798d3a52 ZJS |
935 | for details.</para></listitem> |
936 | </varlistentry> | |
937 | ||
938 | <varlistentry> | |
939 | <term><varname>AppArmorProfile=</varname></term> | |
940 | ||
941 | <listitem><para>Takes a profile name as argument. The process | |
942 | executed by the unit will switch to this profile when started. | |
943 | Profiles must already be loaded in the kernel, or the unit | |
944 | will fail. This result in a non operation if AppArmor is not | |
945 | enabled. If prefixed by <literal>-</literal>, all errors will | |
946 | be ignored. </para></listitem> | |
947 | </varlistentry> | |
948 | ||
949 | <varlistentry> | |
950 | <term><varname>SmackProcessLabel=</varname></term> | |
951 | ||
952 | <listitem><para>Takes a <option>SMACK64</option> security | |
953 | label as argument. The process executed by the unit will be | |
954 | started under this label and SMACK will decide whether the | |
955 | processes is allowed to run or not based on it. The process | |
956 | will continue to run under the label specified here unless the | |
957 | executable has its own <option>SMACK64EXEC</option> label, in | |
958 | which case the process will transition to run under that | |
959 | label. When not specified, the label that systemd is running | |
960 | under is used. This directive is ignored if SMACK is | |
961 | disabled.</para> | |
962 | ||
963 | <para>The value may be prefixed by <literal>-</literal>, in | |
964 | which case all errors will be ignored. An empty value may be | |
965 | specified to unset previous assignments.</para> | |
966 | </listitem> | |
967 | </varlistentry> | |
968 | ||
969 | <varlistentry> | |
970 | <term><varname>IgnoreSIGPIPE=</varname></term> | |
971 | ||
972 | <listitem><para>Takes a boolean argument. If true, causes | |
973 | <constant>SIGPIPE</constant> to be ignored in the executed | |
974 | process. Defaults to true because <constant>SIGPIPE</constant> | |
975 | generally is useful only in shell pipelines.</para></listitem> | |
976 | </varlistentry> | |
977 | ||
978 | <varlistentry> | |
979 | <term><varname>NoNewPrivileges=</varname></term> | |
980 | ||
981 | <listitem><para>Takes a boolean argument. If true, ensures | |
982 | that the service process and all its children can never gain | |
983 | new privileges. This option is more powerful than the | |
984 | respective secure bits flags (see above), as it also prohibits | |
985 | UID changes of any kind. This is the simplest, most effective | |
986 | way to ensure that a process and its children can never | |
987 | elevate privileges again.</para></listitem> | |
988 | </varlistentry> | |
989 | ||
990 | <varlistentry> | |
991 | <term><varname>SystemCallFilter=</varname></term> | |
992 | ||
993 | <listitem><para>Takes a space-separated list of system call | |
994 | names. If this setting is used, all system calls executed by | |
995 | the unit processes except for the listed ones will result in | |
996 | immediate process termination with the | |
997 | <constant>SIGSYS</constant> signal (whitelisting). If the | |
998 | first character of the list is <literal>~</literal>, the | |
999 | effect is inverted: only the listed system calls will result | |
1000 | in immediate process termination (blacklisting). If running in | |
1001 | user mode and this option is used, | |
1002 | <varname>NoNewPrivileges=yes</varname> is implied. This | |
1003 | feature makes use of the Secure Computing Mode 2 interfaces of | |
1004 | the kernel ('seccomp filtering') and is useful for enforcing a | |
1005 | minimal sandboxing environment. Note that the | |
1006 | <function>execve</function>, | |
1007 | <function>rt_sigreturn</function>, | |
1008 | <function>sigreturn</function>, | |
1009 | <function>exit_group</function>, <function>exit</function> | |
1010 | system calls are implicitly whitelisted and do not need to be | |
1011 | listed explicitly. This option may be specified more than once | |
1012 | in which case the filter masks are merged. If the empty string | |
1013 | is assigned, the filter is reset, all prior assignments will | |
1014 | have no effect.</para> | |
1015 | ||
1016 | <para>If you specify both types of this option (i.e. | |
1017 | whitelisting and blacklisting), the first encountered will | |
1018 | take precedence and will dictate the default action | |
1019 | (termination or approval of a system call). Then the next | |
1020 | occurrences of this option will add or delete the listed | |
1021 | system calls from the set of the filtered system calls, | |
1022 | depending of its type and the default action. (For example, if | |
1023 | you have started with a whitelisting of | |
1024 | <function>read</function> and <function>write</function>, and | |
1025 | right after it add a blacklisting of | |
1026 | <function>write</function>, then <function>write</function> | |
1027 | will be removed from the set.) </para></listitem> | |
1028 | </varlistentry> | |
1029 | ||
1030 | <varlistentry> | |
1031 | <term><varname>SystemCallErrorNumber=</varname></term> | |
1032 | ||
1033 | <listitem><para>Takes an <literal>errno</literal> error number | |
1034 | name to return when the system call filter configured with | |
1035 | <varname>SystemCallFilter=</varname> is triggered, instead of | |
1036 | terminating the process immediately. Takes an error name such | |
1037 | as <constant>EPERM</constant>, <constant>EACCES</constant> or | |
1038 | <constant>EUCLEAN</constant>. When this setting is not used, | |
1039 | or when the empty string is assigned, the process will be | |
1040 | terminated immediately when the filter is | |
1041 | triggered.</para></listitem> | |
1042 | </varlistentry> | |
1043 | ||
1044 | <varlistentry> | |
1045 | <term><varname>SystemCallArchitectures=</varname></term> | |
1046 | ||
1047 | <listitem><para>Takes a space separated list of architecture | |
1048 | identifiers to include in the system call filter. The known | |
1049 | architecture identifiers are <constant>x86</constant>, | |
1050 | <constant>x86-64</constant>, <constant>x32</constant>, | |
1051 | <constant>arm</constant> as well as the special identifier | |
1052 | <constant>native</constant>. Only system calls of the | |
1053 | specified architectures will be permitted to processes of this | |
1054 | unit. This is an effective way to disable compatibility with | |
1055 | non-native architectures for processes, for example to | |
1056 | prohibit execution of 32-bit x86 binaries on 64-bit x86-64 | |
1057 | systems. The special <constant>native</constant> identifier | |
1058 | implicitly maps to the native architecture of the system (or | |
1059 | more strictly: to the architecture the system manager is | |
1060 | compiled for). If running in user mode and this option is | |
1061 | used, <varname>NoNewPrivileges=yes</varname> is implied. Note | |
1062 | that setting this option to a non-empty list implies that | |
1063 | <constant>native</constant> is included too. By default, this | |
1064 | option is set to the empty list, i.e. no architecture system | |
1065 | call filtering is applied.</para></listitem> | |
1066 | </varlistentry> | |
1067 | ||
1068 | <varlistentry> | |
1069 | <term><varname>RestrictAddressFamilies=</varname></term> | |
1070 | ||
1071 | <listitem><para>Restricts the set of socket address families | |
1072 | accessible to the processes of this unit. Takes a | |
1073 | space-separated list of address family names to whitelist, | |
1074 | such as | |
1075 | <constant>AF_UNIX</constant>, | |
1076 | <constant>AF_INET</constant> or | |
1077 | <constant>AF_INET6</constant>. When | |
1078 | prefixed with <constant>~</constant> the listed address | |
1079 | families will be applied as blacklist, otherwise as whitelist. | |
1080 | Note that this restricts access to the | |
3ba3a79d | 1081 | <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
798d3a52 ZJS |
1082 | system call only. Sockets passed into the process by other |
1083 | means (for example, by using socket activation with socket | |
1084 | units, see | |
1085 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) | |
1086 | are unaffected. Also, sockets created with | |
1087 | <function>socketpair()</function> (which creates connected | |
1088 | AF_UNIX sockets only) are unaffected. Note that this option | |
1089 | has no effect on 32-bit x86 and is ignored (but works | |
1090 | correctly on x86-64). If running in user mode and this option | |
1091 | is used, <varname>NoNewPrivileges=yes</varname> is implied. By | |
1092 | default, no restriction applies, all address families are | |
1093 | accessible to processes. If assigned the empty string, any | |
1094 | previous list changes are undone.</para> | |
1095 | ||
1096 | <para>Use this option to limit exposure of processes to remote | |
1097 | systems, in particular via exotic network protocols. Note that | |
1098 | in most cases, the local <constant>AF_UNIX</constant> address | |
1099 | family should be included in the configured whitelist as it is | |
1100 | frequently used for local communication, including for | |
1101 | <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
1102 | logging.</para></listitem> | |
1103 | </varlistentry> | |
1104 | ||
1105 | <varlistentry> | |
1106 | <term><varname>Personality=</varname></term> | |
1107 | ||
1108 | <listitem><para>Controls which kernel architecture | |
3ba3a79d | 1109 | <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
798d3a52 ZJS |
1110 | shall report, when invoked by unit processes. Takes one of |
1111 | <constant>x86</constant> and <constant>x86-64</constant>. This | |
1112 | is useful when running 32-bit services on a 64-bit host | |
1113 | system. If not specified, the personality is left unmodified | |
1114 | and thus reflects the personality of the host system's | |
1115 | kernel.</para></listitem> | |
1116 | </varlistentry> | |
1117 | ||
1118 | <varlistentry> | |
1119 | <term><varname>RuntimeDirectory=</varname></term> | |
1120 | <term><varname>RuntimeDirectoryMode=</varname></term> | |
1121 | ||
1122 | <listitem><para>Takes a list of directory names. If set, one | |
1123 | or more directories by the specified names will be created | |
1124 | below <filename>/run</filename> (for system services) or below | |
1125 | <varname>$XDG_RUNTIME_DIR</varname> (for user services) when | |
1126 | the unit is started, and removed when the unit is stopped. The | |
1127 | directories will have the access mode specified in | |
1128 | <varname>RuntimeDirectoryMode=</varname>, and will be owned by | |
1129 | the user and group specified in <varname>User=</varname> and | |
1130 | <varname>Group=</varname>. Use this to manage one or more | |
1131 | runtime directories of the unit and bind their lifetime to the | |
1132 | daemon runtime. The specified directory names must be | |
1133 | relative, and may not include a <literal>/</literal>, i.e. | |
1134 | must refer to simple directories to create or remove. This is | |
1135 | particularly useful for unprivileged daemons that cannot | |
1136 | create runtime directories in <filename>/run</filename> due to | |
1137 | lack of privileges, and to make sure the runtime directory is | |
1138 | cleaned up automatically after use. For runtime directories | |
1139 | that require more complex or different configuration or | |
1140 | lifetime guarantees, please consider using | |
1141 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem> | |
1142 | </varlistentry> | |
1143 | ||
1144 | </variablelist> | |
1145 | </refsect1> | |
1146 | ||
1147 | <refsect1> | |
1148 | <title>Environment variables in spawned processes</title> | |
1149 | ||
1150 | <para>Processes started by the system are executed in a clean | |
1151 | environment in which select variables listed below are set. System | |
1152 | processes started by systemd do not inherit variables from PID 1, | |
1153 | but processes started by user systemd instances inherit all | |
1154 | environment variables from the user systemd instance. | |
1155 | </para> | |
1156 | ||
1157 | <variablelist class='environment-variables'> | |
1158 | <varlistentry> | |
1159 | <term><varname>$PATH</varname></term> | |
1160 | ||
1161 | <listitem><para>Colon-separated list of directories to use | |
1162 | when launching executables. Systemd uses a fixed value of | |
1163 | <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>. | |
1164 | </para></listitem> | |
1165 | </varlistentry> | |
1166 | ||
1167 | <varlistentry> | |
1168 | <term><varname>$LANG</varname></term> | |
1169 | ||
1170 | <listitem><para>Locale. Can be set in | |
3ba3a79d | 1171 | <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
798d3a52 ZJS |
1172 | or on the kernel command line (see |
1173 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
1174 | and | |
1175 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>). | |
1176 | </para></listitem> | |
1177 | </varlistentry> | |
1178 | ||
1179 | <varlistentry> | |
1180 | <term><varname>$USER</varname></term> | |
1181 | <term><varname>$LOGNAME</varname></term> | |
1182 | <term><varname>$HOME</varname></term> | |
1183 | <term><varname>$SHELL</varname></term> | |
1184 | ||
1185 | <listitem><para>User name (twice), home directory, and the | |
1186 | login shell. The variables are set for the units that have | |
1187 | <varname>User=</varname> set, which includes user | |
1188 | <command>systemd</command> instances. See | |
3ba3a79d | 1189 | <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>. |
798d3a52 ZJS |
1190 | </para></listitem> |
1191 | </varlistentry> | |
1192 | ||
1193 | <varlistentry> | |
1194 | <term><varname>$XDG_RUNTIME_DIR</varname></term> | |
1195 | ||
1196 | <listitem><para>The directory for volatile state. Set for the | |
1197 | user <command>systemd</command> instance, and also in user | |
1198 | sessions. See | |
1199 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
1200 | </para></listitem> | |
1201 | </varlistentry> | |
1202 | ||
1203 | <varlistentry> | |
1204 | <term><varname>$XDG_SESSION_ID</varname></term> | |
1205 | <term><varname>$XDG_SEAT</varname></term> | |
1206 | <term><varname>$XDG_VTNR</varname></term> | |
1207 | ||
1208 | <listitem><para>The identifier of the session, the seat name, | |
1209 | and virtual terminal of the session. Set by | |
1210 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
1211 | for login sessions. <varname>$XDG_SEAT</varname> and | |
1212 | <varname>$XDG_VTNR</varname> will only be set when attached to | |
1213 | a seat and a tty.</para></listitem> | |
1214 | </varlistentry> | |
1215 | ||
1216 | <varlistentry> | |
1217 | <term><varname>$MAINPID</varname></term> | |
1218 | ||
1219 | <listitem><para>The PID of the units main process if it is | |
1220 | known. This is only set for control processes as invoked by | |
1221 | <varname>ExecReload=</varname> and similar. </para></listitem> | |
1222 | </varlistentry> | |
1223 | ||
1224 | <varlistentry> | |
1225 | <term><varname>$MANAGERPID</varname></term> | |
1226 | ||
1227 | <listitem><para>The PID of the user <command>systemd</command> | |
1228 | instance, set for processes spawned by it. </para></listitem> | |
1229 | </varlistentry> | |
1230 | ||
1231 | <varlistentry> | |
1232 | <term><varname>$LISTEN_FDS</varname></term> | |
1233 | <term><varname>$LISTEN_PID</varname></term> | |
1234 | ||
1235 | <listitem><para>Information about file descriptors passed to a | |
1236 | service for socket activation. See | |
1237 | <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
1238 | </para></listitem> | |
1239 | </varlistentry> | |
1240 | ||
1241 | <varlistentry> | |
1242 | <term><varname>$TERM</varname></term> | |
1243 | ||
1244 | <listitem><para>Terminal type, set only for units connected to | |
1245 | a terminal (<varname>StandardInput=tty</varname>, | |
1246 | <varname>StandardOutput=tty</varname>, or | |
1247 | <varname>StandardError=tty</varname>). See | |
1248 | <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
1249 | </para></listitem> | |
1250 | </varlistentry> | |
1251 | </variablelist> | |
1252 | ||
1253 | <para>Additional variables may be configured by the following | |
1254 | means: for processes spawned in specific units, use the | |
1255 | <varname>Environment=</varname> and | |
1256 | <varname>EnvironmentFile=</varname> options above; to specify | |
1257 | variables globally, use <varname>DefaultEnvironment=</varname> | |
1258 | (see | |
1259 | <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) | |
1260 | or the kernel option <varname>systemd.setenv=</varname> (see | |
1261 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). | |
1262 | Additional variables may also be set through PAM, | |
1263 | cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
1264 | </refsect1> | |
1265 | ||
1266 | <refsect1> | |
1267 | <title>See Also</title> | |
1268 | <para> | |
1269 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
1270 | <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
1271 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
1272 | <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1273 | <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1274 | <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1275 | <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1276 | <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1277 | <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1278 | <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1279 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>, | |
1280 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
1281 | <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
1282 | </para> | |
1283 | </refsect1> | |
dd1eb43b LP |
1284 | |
1285 | </refentry> |