]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
systemctl: consider service running only when it is in active or reloading state...
[thirdparty/systemd.git] / man / systemd.exec.xml
CommitLineData
023a4f67 1<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
dd1eb43b 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
dd1eb43b
LP		 4
5<!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
dd1eb43b
LP		 13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 18 Lesser General Public License for more details.
dd1eb43b 19
5430f7f2 20 You should have received a copy of the GNU Lesser General Public License
dd1eb43b
LP		 21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22-->
23
24<refentry id="systemd.exec">
798d3a52
ZJS		 25 <refentryinfo>
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
28
29 <authorgroup>
30 <author>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
35 </author>
36 </authorgroup>
37 </refentryinfo>
38
39 <refmeta>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
42 </refmeta>
43
44 <refnamediv>
45 <refname>systemd.exec</refname>
46 <refpurpose>Execution environment configuration</refpurpose>
47 </refnamediv>
48
49 <refsynopsisdiv>
50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
54 </refsynopsisdiv>
55
56 <refsect1>
57 <title>Description</title>
58
59 <para>Unit configuration files for services, sockets, mount
60 points, and swap devices share a subset of configuration options
61 which define the execution environment of spawned
62 processes.</para>
63
64 <para>This man page lists the configuration options shared by
65 these four unit types. See
66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration files, and
68 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
69 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 and
72 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
73 for more information on the specific unit configuration files. The
74 execution specific configuration options are configured in the
75 [Service], [Socket], [Mount], or [Swap] sections, depending on the
76 unit type.</para>
77 </refsect1>
78
c129bd5d
LP		 79 <refsect1>
80 <title>Automatic Dependencies</title>
81
82 <para>A few execution parameters result in additional, automatic
83 dependencies to be added.</para>
84
85 <para>Units with <varname>WorkingDirectory=</varname> or
86 <varname>RootDirectory=</varname> set automatically gain
87 dependencies of type <varname>Requires=</varname> and
88 <varname>After=</varname> on all mount units required to access
89 the specified paths. This is equivalent to having them listed
90 explicitly in <varname>RequiresMountsFor=</varname>.</para>
91
92 <para>Similar, units with <varname>PrivateTmp=</varname> enabled
93 automatically get mount unit dependencies for all mounts
94 required to access <filename>/tmp</filename> and
95 <filename>/var/tmp</filename>.</para>
96
dfe85b38
LP		 97 <para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option>
98 or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies
99 of type <varname>After=</varname> on <filename>systemd-journald.socket</filename>.</para>
c129bd5d
LP		 100 </refsect1>
101
798d3a52
ZJS		 102 <refsect1>
103 <title>Options</title>
104
105 <variablelist class='unit-directives'>
106
107 <varlistentry>
108 <term><varname>WorkingDirectory=</varname></term>
109
043cc715
AP		 110 <listitem><para>Takes a directory path relative to the service's root
111 directory specified by <varname>RootDirectory=</varname>, or the
5f5d8eab 112 special value <literal>~</literal>. Sets the working directory
b938cb90 113 for executed processes. If set to <literal>~</literal>, the
5f5d8eab
LP		 114 home directory of the user specified in
115 <varname>User=</varname> is used. If not set, defaults to the
116 root directory when systemd is running as a system instance
117 and the respective user's home directory if run as user. If
118 the setting is prefixed with the <literal>-</literal>
119 character, a missing working directory is not considered
043cc715
AP		 120 fatal. If <varname>RootDirectory=</varname> is not set, then
121 <varname>WorkingDirectory=</varname> is relative to the root of
122 the system running the service manager.
123 Note that setting this parameter might result in
c129bd5d
LP		 124 additional dependencies to be added to the unit (see
125 above).</para></listitem>
798d3a52
ZJS		 126 </varlistentry>
127
128 <varlistentry>
129 <term><varname>RootDirectory=</varname></term>
130
043cc715
AP		 131 <listitem><para>Takes a directory path relative to the host's root directory
132 (i.e. the root of the system running the service manager). Sets the
5f5d8eab
LP		 133 root directory for executed processes, with the <citerefentry
134 project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52 135 system call. If this is used, it must be ensured that the
5f5d8eab 136 process binary and all its auxiliary files are available in
c129bd5d
LP		 137 the <function>chroot()</function> jail. Note that setting this
138 parameter might result in additional dependencies to be added
139 to the unit (see above).</para></listitem>
798d3a52
ZJS		 140 </varlistentry>
141
142 <varlistentry>
143 <term><varname>User=</varname></term>
144 <term><varname>Group=</varname></term>
145
29206d46
LP		 146 <listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single
147 user or group name, or numeric ID as argument. If no group is set, the default group of the user is used. This
dadd6ecf 148 setting does not affect commands whose command line is prefixed with <literal>+</literal>.</para></listitem>
29206d46
LP		 149 </varlistentry>
150
151 <varlistentry>
152 <term><varname>DynamicUser=</varname></term>
153
154 <listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the
155 unit is started, and released as soon as it is stopped. The user and group will not be added to
156 <filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed transiently during
157 runtime. The <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
158 glibc NSS module provides integration of these dynamic users/groups into the system's user and group
159 databases. The user and group name to use may be configured via <varname>User=</varname> and
160 <varname>Group=</varname> (see above). If these options are not used and dynamic user/group allocation is
161 enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit
162 name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a
163 hash of it is used. If a statically allocated user or group of the configured name already exists, it is used
164 and no dynamic user/group is allocated. Dynamic users/groups are allocated from the UID/GID range
165 61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time
166 each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in
167 use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running
168 as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these
169 users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to
170 these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>PrivateTmp=</varname> is
171 implied. This ensures that the lifetime of temporary files created by the executed processes is bound to the
172 runtime of the service, and hence the lifetime of the dynamic user/group. Since <filename>/tmp</filename> and
173 <filename>/var/tmp</filename> are usually the only world-writable directories on a system this ensures that a
174 unit making use of dynamic user/group allocation cannot leave files around after unit termination. Use
175 <varname>RuntimeDirectory=</varname> (see below) in order to assign a writable runtime directory to a service,
176 owned by the dynamic user/group and removed automatically when the unit is terminated. Defaults to
177 off.</para></listitem>
798d3a52
ZJS		 178 </varlistentry>
179
180 <varlistentry>
181 <term><varname>SupplementaryGroups=</varname></term>
182
183 <listitem><para>Sets the supplementary Unix groups the
184 processes are executed as. This takes a space-separated list
185 of group names or IDs. This option may be specified more than
b938cb90
JE		 186 once, in which case all listed groups are set as supplementary
187 groups. When the empty string is assigned, the list of
798d3a52
ZJS		 188 supplementary groups is reset, and all assignments prior to
189 this one will have no effect. In any way, this option does not
190 override, but extends the list of supplementary groups
191 configured in the system group database for the
43eb109a 192 user. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 193 </varlistentry>
194
195 <varlistentry>
196 <term><varname>Nice=</varname></term>
197
198 <listitem><para>Sets the default nice level (scheduling
199 priority) for executed processes. Takes an integer between -20
200 (highest priority) and 19 (lowest priority). See
201 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
202 for details.</para></listitem>
203 </varlistentry>
204
205 <varlistentry>
206 <term><varname>OOMScoreAdjust=</varname></term>
207
208 <listitem><para>Sets the adjustment level for the
209 Out-Of-Memory killer for executed processes. Takes an integer
210 between -1000 (to disable OOM killing for this process) and
211 1000 (to make killing of this process under memory pressure
212 very likely). See <ulink
213 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
214 for details.</para></listitem>
215 </varlistentry>
216
217 <varlistentry>
218 <term><varname>IOSchedulingClass=</varname></term>
219
b938cb90 220 <listitem><para>Sets the I/O scheduling class for executed
798d3a52
ZJS		 221 processes. Takes an integer between 0 and 3 or one of the
222 strings <option>none</option>, <option>realtime</option>,
223 <option>best-effort</option> or <option>idle</option>. See
224 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
225 for details.</para></listitem>
226 </varlistentry>
227
228 <varlistentry>
229 <term><varname>IOSchedulingPriority=</varname></term>
230
b938cb90 231 <listitem><para>Sets the I/O scheduling priority for executed
798d3a52
ZJS		 232 processes. Takes an integer between 0 (highest priority) and 7
233 (lowest priority). The available priorities depend on the
b938cb90 234 selected I/O scheduling class (see above). See
798d3a52
ZJS		 235 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
236 for details.</para></listitem>
237 </varlistentry>
238
239 <varlistentry>
240 <term><varname>CPUSchedulingPolicy=</varname></term>
241
242 <listitem><para>Sets the CPU scheduling policy for executed
243 processes. Takes one of
244 <option>other</option>,
245 <option>batch</option>,
246 <option>idle</option>,
247 <option>fifo</option> or
248 <option>rr</option>. See
249 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
250 for details.</para></listitem>
251 </varlistentry>
252
253 <varlistentry>
254 <term><varname>CPUSchedulingPriority=</varname></term>
255
256 <listitem><para>Sets the CPU scheduling priority for executed
257 processes. The available priority range depends on the
258 selected CPU scheduling policy (see above). For real-time
259 scheduling policies an integer between 1 (lowest priority) and
260 99 (highest priority) can be used. See
261 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
262 for details. </para></listitem>
263 </varlistentry>
264
265 <varlistentry>
266 <term><varname>CPUSchedulingResetOnFork=</varname></term>
267
268 <listitem><para>Takes a boolean argument. If true, elevated
269 CPU scheduling priorities and policies will be reset when the
270 executed processes fork, and can hence not leak into child
271 processes. See
272 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
273 for details. Defaults to false.</para></listitem>
274 </varlistentry>
275
276 <varlistentry>
277 <term><varname>CPUAffinity=</varname></term>
278
279 <listitem><para>Controls the CPU affinity of the executed
71b1c27a
FB		 280 processes. Takes a list of CPU indices or ranges separated by
281 either whitespace or commas. CPU ranges are specified by the
282 lower and upper CPU indices separated by a dash.
b938cb90 283 This option may be specified more than once, in which case the
798d3a52
ZJS		 284 specified CPU affinity masks are merged. If the empty string
285 is assigned, the mask is reset, all assignments prior to this
286 will have no effect. See
287 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
288 for details.</para></listitem>
289 </varlistentry>
290
291 <varlistentry>
292 <term><varname>UMask=</varname></term>
293
294 <listitem><para>Controls the file mode creation mask. Takes an
295 access mode in octal notation. See
296 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
297 for details. Defaults to 0022.</para></listitem>
298 </varlistentry>
299
300 <varlistentry>
301 <term><varname>Environment=</varname></term>
302
303 <listitem><para>Sets environment variables for executed
304 processes. Takes a space-separated list of variable
b938cb90 305 assignments. This option may be specified more than once, in
798d3a52
ZJS		 306 which case all listed variables will be set. If the same
307 variable is set twice, the later setting will override the
308 earlier setting. If the empty string is assigned to this
309 option, the list of environment variables is reset, all prior
310 assignments have no effect. Variable expansion is not
311 performed inside the strings, however, specifier expansion is
312 possible. The $ character has no special meaning. If you need
313 to assign a value containing spaces to a variable, use double
314 quotes (") for the assignment.</para>
315
316 <para>Example:
317 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
318 gives three variables <literal>VAR1</literal>,
319 <literal>VAR2</literal>, <literal>VAR3</literal>
320 with the values <literal>word1 word2</literal>,
321 <literal>word3</literal>, <literal>$word 5 6</literal>.
322 </para>
323
324 <para>
325 See
326 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
327 for details about environment variables.</para></listitem>
328 </varlistentry>
329 <varlistentry>
330 <term><varname>EnvironmentFile=</varname></term>
331 <listitem><para>Similar to <varname>Environment=</varname> but
332 reads the environment variables from a text file. The text
333 file should contain new-line-separated variable assignments.
8f0d2981
RM		 334 Empty lines, lines without an <literal>=</literal> separator,
335 or lines starting with ; or # will be ignored,
798d3a52
ZJS		 336 which may be used for commenting. A line ending with a
337 backslash will be concatenated with the following one,
338 allowing multiline variable definitions. The parser strips
339 leading and trailing whitespace from the values of
340 assignments, unless you use double quotes (").</para>
341
342 <para>The argument passed should be an absolute filename or
343 wildcard expression, optionally prefixed with
344 <literal>-</literal>, which indicates that if the file does
345 not exist, it will not be read and no error or warning message
346 is logged. This option may be specified more than once in
347 which case all specified files are read. If the empty string
348 is assigned to this option, the list of file to read is reset,
349 all prior assignments have no effect.</para>
350
351 <para>The files listed with this directive will be read
352 shortly before the process is executed (more specifically,
353 after all processes from a previous unit state terminated.
354 This means you can generate these files in one unit state, and
f407824d
DH		 355 read it with this option in the next).</para>
356
357 <para>Settings from these
798d3a52
ZJS		 358 files override settings made with
359 <varname>Environment=</varname>. If the same variable is set
360 twice from these files, the files will be read in the order
361 they are specified and the later setting will override the
362 earlier setting.</para></listitem>
363 </varlistentry>
364
b4c14404
FB		 365 <varlistentry>
366 <term><varname>PassEnvironment=</varname></term>
367
368 <listitem><para>Pass environment variables from the systemd system
369 manager to executed processes. Takes a space-separated list of variable
370 names. This option may be specified more than once, in which case all
371 listed variables will be set. If the empty string is assigned to this
372 option, the list of environment variables is reset, all prior
373 assignments have no effect. Variables that are not set in the system
374 manager will not be passed and will be silently ignored.</para>
375
376 <para>Variables passed from this setting are overridden by those passed
377 from <varname>Environment=</varname> or
378 <varname>EnvironmentFile=</varname>.</para>
379
380 <para>Example:
381 <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting>
382 passes three variables <literal>VAR1</literal>,
383 <literal>VAR2</literal>, <literal>VAR3</literal>
384 with the values set for those variables in PID1.</para>
385
386 <para>
387 See
388 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
389 for details about environment variables.</para></listitem>
390 </varlistentry>
391
798d3a52
ZJS		 392 <varlistentry>
393 <term><varname>StandardInput=</varname></term>
394 <listitem><para>Controls where file descriptor 0 (STDIN) of
395 the executed processes is connected to. Takes one of
396 <option>null</option>,
397 <option>tty</option>,
398 <option>tty-force</option>,
399 <option>tty-fail</option> or
400 <option>socket</option>.</para>
401
402 <para>If <option>null</option> is selected, standard input
403 will be connected to <filename>/dev/null</filename>, i.e. all
404 read attempts by the process will result in immediate
405 EOF.</para>
406
407 <para>If <option>tty</option> is selected, standard input is
408 connected to a TTY (as configured by
409 <varname>TTYPath=</varname>, see below) and the executed
410 process becomes the controlling process of the terminal. If
411 the terminal is already being controlled by another process,
412 the executed process waits until the current controlling
413 process releases the terminal.</para>
414
415 <para><option>tty-force</option> is similar to
416 <option>tty</option>, but the executed process is forcefully
417 and immediately made the controlling process of the terminal,
418 potentially removing previous controlling processes from the
419 terminal.</para>
420
421 <para><option>tty-fail</option> is similar to
422 <option>tty</option> but if the terminal already has a
423 controlling process start-up of the executed process
424 fails.</para>
425
426 <para>The <option>socket</option> option is only valid in
427 socket-activated services, and only when the socket
428 configuration file (see
429 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
430 for details) specifies a single socket only. If this option is
431 set, standard input will be connected to the socket the
432 service was activated from, which is primarily useful for
433 compatibility with daemons designed for use with the
434 traditional
b5c7d097 435 <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52
ZJS		 436 daemon.</para>
437
438 <para>This setting defaults to
439 <option>null</option>.</para></listitem>
440 </varlistentry>
c129bd5d 441
798d3a52
ZJS		 442 <varlistentry>
443 <term><varname>StandardOutput=</varname></term>
444 <listitem><para>Controls where file descriptor 1 (STDOUT) of
445 the executed processes is connected to. Takes one of
446 <option>inherit</option>,
447 <option>null</option>,
448 <option>tty</option>,
449 <option>journal</option>,
450 <option>syslog</option>,
451 <option>kmsg</option>,
452 <option>journal+console</option>,
453 <option>syslog+console</option>,
454 <option>kmsg+console</option> or
455 <option>socket</option>.</para>
456
457 <para><option>inherit</option> duplicates the file descriptor
458 of standard input for standard output.</para>
459
460 <para><option>null</option> connects standard output to
461 <filename>/dev/null</filename>, i.e. everything written to it
462 will be lost.</para>
463
464 <para><option>tty</option> connects standard output to a tty
465 (as configured via <varname>TTYPath=</varname>, see below). If
466 the TTY is used for output only, the executed process will not
467 become the controlling process of the terminal, and will not
468 fail or wait for other processes to release the
469 terminal.</para>
470
471 <para><option>journal</option> connects standard output with
472 the journal which is accessible via
473 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
474 Note that everything that is written to syslog or kmsg (see
475 below) is implicitly stored in the journal as well, the
476 specific two options listed below are hence supersets of this
477 one.</para>
478
479 <para><option>syslog</option> connects standard output to the
480 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
481 system syslog service, in addition to the journal. Note that
482 the journal daemon is usually configured to forward everything
483 it receives to syslog anyway, in which case this option is no
484 different from <option>journal</option>.</para>
485
486 <para><option>kmsg</option> connects standard output with the
487 kernel log buffer which is accessible via
488 <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
489 in addition to the journal. The journal daemon might be
490 configured to send all logs to kmsg anyway, in which case this
491 option is no different from <option>journal</option>.</para>
492
493 <para><option>journal+console</option>,
494 <option>syslog+console</option> and
495 <option>kmsg+console</option> work in a similar way as the
496 three options above but copy the output to the system console
497 as well.</para>
498
499 <para><option>socket</option> connects standard output to a
500 socket acquired via socket activation. The semantics are
501 similar to the same option of
502 <varname>StandardInput=</varname>.</para>
503
dfe85b38
LP		 504 <para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the
505 kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on
28c75e25
LP		 506 <filename>systemd-journald.socket</filename> (also see the automatic dependencies section above).</para>
507
798d3a52
ZJS		 508 <para>This setting defaults to the value set with
509 <option>DefaultStandardOutput=</option> in
510 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP		 511 which defaults to <option>journal</option>. Note that setting
512 this parameter might result in additional dependencies to be
513 added to the unit (see above).</para></listitem>
798d3a52 514 </varlistentry>
c129bd5d 515
798d3a52
ZJS		 516 <varlistentry>
517 <term><varname>StandardError=</varname></term>
518 <listitem><para>Controls where file descriptor 2 (STDERR) of
519 the executed processes is connected to. The available options
520 are identical to those of <varname>StandardOutput=</varname>,
521 with one exception: if set to <option>inherit</option> the
522 file descriptor used for standard output is duplicated for
523 standard error. This setting defaults to the value set with
524 <option>DefaultStandardError=</option> in
525 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP		 526 which defaults to <option>inherit</option>. Note that setting
527 this parameter might result in additional dependencies to be
528 added to the unit (see above).</para></listitem>
798d3a52 529 </varlistentry>
c129bd5d 530
798d3a52
ZJS		 531 <varlistentry>
532 <term><varname>TTYPath=</varname></term>
533 <listitem><para>Sets the terminal device node to use if
534 standard input, output, or error are connected to a TTY (see
535 above). Defaults to
536 <filename>/dev/console</filename>.</para></listitem>
537 </varlistentry>
538 <varlistentry>
539 <term><varname>TTYReset=</varname></term>
540 <listitem><para>Reset the terminal device specified with
541 <varname>TTYPath=</varname> before and after execution.
542 Defaults to <literal>no</literal>.</para></listitem>
543 </varlistentry>
544 <varlistentry>
545 <term><varname>TTYVHangup=</varname></term>
546 <listitem><para>Disconnect all clients which have opened the
547 terminal device specified with <varname>TTYPath=</varname>
548 before and after execution. Defaults to
549 <literal>no</literal>.</para></listitem>
550 </varlistentry>
551 <varlistentry>
552 <term><varname>TTYVTDisallocate=</varname></term>
553 <listitem><para>If the terminal device specified with
554 <varname>TTYPath=</varname> is a virtual console terminal, try
555 to deallocate the TTY before and after execution. This ensures
556 that the screen and scrollback buffer is cleared. Defaults to
557 <literal>no</literal>.</para></listitem>
558 </varlistentry>
559 <varlistentry>
560 <term><varname>SyslogIdentifier=</varname></term>
561 <listitem><para>Sets the process name to prefix log lines sent
562 to the logging system or the kernel log buffer with. If not
563 set, defaults to the process name of the executed process.
564 This option is only useful when
565 <varname>StandardOutput=</varname> or
566 <varname>StandardError=</varname> are set to
567 <option>syslog</option>, <option>journal</option> or
568 <option>kmsg</option> (or to the same settings in combination
569 with <option>+console</option>).</para></listitem>
570 </varlistentry>
571 <varlistentry>
572 <term><varname>SyslogFacility=</varname></term>
573 <listitem><para>Sets the syslog facility to use when logging
574 to syslog. One of <option>kern</option>,
575 <option>user</option>, <option>mail</option>,
576 <option>daemon</option>, <option>auth</option>,
577 <option>syslog</option>, <option>lpr</option>,
578 <option>news</option>, <option>uucp</option>,
579 <option>cron</option>, <option>authpriv</option>,
580 <option>ftp</option>, <option>local0</option>,
581 <option>local1</option>, <option>local2</option>,
582 <option>local3</option>, <option>local4</option>,
583 <option>local5</option>, <option>local6</option> or
584 <option>local7</option>. See
585 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
586 for details. This option is only useful when
587 <varname>StandardOutput=</varname> or
588 <varname>StandardError=</varname> are set to
589 <option>syslog</option>. Defaults to
590 <option>daemon</option>.</para></listitem>
591 </varlistentry>
592 <varlistentry>
593 <term><varname>SyslogLevel=</varname></term>
a8eaaee7 594 <listitem><para>The default syslog level to use when logging to
798d3a52
ZJS		 595 syslog or the kernel log buffer. One of
596 <option>emerg</option>,
597 <option>alert</option>,
598 <option>crit</option>,
599 <option>err</option>,
600 <option>warning</option>,
601 <option>notice</option>,
602 <option>info</option>,
603 <option>debug</option>. See
604 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
605 for details. This option is only useful when
606 <varname>StandardOutput=</varname> or
607 <varname>StandardError=</varname> are set to
608 <option>syslog</option> or <option>kmsg</option>. Note that
609 individual lines output by the daemon might be prefixed with a
610 different log level which can be used to override the default
611 log level specified here. The interpretation of these prefixes
612 may be disabled with <varname>SyslogLevelPrefix=</varname>,
b938cb90 613 see below. For details, see
798d3a52
ZJS		 614 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
615
616 Defaults to
617 <option>info</option>.</para></listitem>
618 </varlistentry>
619
620 <varlistentry>
621 <term><varname>SyslogLevelPrefix=</varname></term>
622 <listitem><para>Takes a boolean argument. If true and
623 <varname>StandardOutput=</varname> or
624 <varname>StandardError=</varname> are set to
625 <option>syslog</option>, <option>kmsg</option> or
626 <option>journal</option>, log lines written by the executed
627 process that are prefixed with a log level will be passed on
628 to syslog with this log level set but the prefix removed. If
629 set to false, the interpretation of these prefixes is disabled
630 and the logged lines are passed on as-is. For details about
631 this prefixing see
632 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
633 Defaults to true.</para></listitem>
634 </varlistentry>
635
636 <varlistentry>
637 <term><varname>TimerSlackNSec=</varname></term>
638 <listitem><para>Sets the timer slack in nanoseconds for the
639 executed processes. The timer slack controls the accuracy of
640 wake-ups triggered by timers. See
641 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
642 for more information. Note that in contrast to most other time
643 span definitions this parameter takes an integer value in
644 nano-seconds if no unit is specified. The usual time units are
645 understood too.</para></listitem>
646 </varlistentry>
647
648 <varlistentry>
649 <term><varname>LimitCPU=</varname></term>
650 <term><varname>LimitFSIZE=</varname></term>
651 <term><varname>LimitDATA=</varname></term>
652 <term><varname>LimitSTACK=</varname></term>
653 <term><varname>LimitCORE=</varname></term>
654 <term><varname>LimitRSS=</varname></term>
655 <term><varname>LimitNOFILE=</varname></term>
656 <term><varname>LimitAS=</varname></term>
657 <term><varname>LimitNPROC=</varname></term>
658 <term><varname>LimitMEMLOCK=</varname></term>
659 <term><varname>LimitLOCKS=</varname></term>
660 <term><varname>LimitSIGPENDING=</varname></term>
661 <term><varname>LimitMSGQUEUE=</varname></term>
662 <term><varname>LimitNICE=</varname></term>
663 <term><varname>LimitRTPRIO=</varname></term>
664 <term><varname>LimitRTTIME=</varname></term>
29857001
LP		 665 <listitem><para>Set soft and hard limits on various resources for executed processes. See
666 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details on
667 the resource limit concept. Resource limits may be specified in two formats: either as single value to set a
668 specific soft and hard limit to the same value, or as colon-separated pair <option>soft:hard</option> to set
669 both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <varname>infinity</varname>
670 to configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base
671 1024) may be used for resource limits measured in bytes (e.g. LimitAS=16G). For the limits referring to time
672 values, the usual time units ms, s, min, h and so on may be used (see
673 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
674 details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of seconds
675 is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is implied. Also, note
676 that the effective granularity of the limits might influence their enforcement. For example, time limits
677 specified for <varname>LimitCPU=</varname> will be rounded up implicitly to multiples of 1s. For
678 <varname>LimitNICE=</varname> the value may be specified in two syntaxes: if prefixed with <literal>+</literal>
679 or <literal>-</literal>, the value is understood as regular Linux nice value in the range -20..19. If not
680 prefixed like this the value is understood as raw resource limit parameter in the range 0..40 (with 0 being
681 equivalent to 1).</para>
a4c18002
LP		 682
683 <para>Note that most process resource limits configured with
684 these options are per-process, and processes may fork in order
685 to acquire a new set of resources that are accounted
686 independently of the original process, and may thus escape
687 limits set. Also note that <varname>LimitRSS=</varname> is not
688 implemented on Linux, and setting it has no effect. Often it
689 is advisable to prefer the resource controls listed in
690 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
691 over these per-process limits, as they apply to services as a
692 whole, may be altered dynamically at runtime, and are
693 generally more expressive. For example,
694 <varname>MemoryLimit=</varname> is a more powerful (and
695 working) replacement for <varname>LimitRSS=</varname>.</para>
798d3a52
ZJS		 696
697 <table>
698 <title>Limit directives and their equivalent with ulimit</title>
699
a4c18002 700 <tgroup cols='3'>
798d3a52
ZJS		 701 <colspec colname='directive' />
702 <colspec colname='equivalent' />
a4c18002 703 <colspec colname='unit' />
798d3a52
ZJS		 704 <thead>
705 <row>
706 <entry>Directive</entry>
707 <entry>ulimit equivalent</entry>
a4c18002 708 <entry>Unit</entry>
798d3a52
ZJS		 709 </row>
710 </thead>
711 <tbody>
712 <row>
a4c18002 713 <entry>LimitCPU=</entry>
798d3a52 714 <entry>ulimit -t</entry>
a4c18002 715 <entry>Seconds</entry>
798d3a52
ZJS		 716 </row>
717 <row>
a4c18002 718 <entry>LimitFSIZE=</entry>
798d3a52 719 <entry>ulimit -f</entry>
a4c18002 720 <entry>Bytes</entry>
798d3a52
ZJS		 721 </row>
722 <row>
a4c18002 723 <entry>LimitDATA=</entry>
798d3a52 724 <entry>ulimit -d</entry>
a4c18002 725 <entry>Bytes</entry>
798d3a52
ZJS		 726 </row>
727 <row>
a4c18002 728 <entry>LimitSTACK=</entry>
798d3a52 729 <entry>ulimit -s</entry>
a4c18002 730 <entry>Bytes</entry>
798d3a52
ZJS		 731 </row>
732 <row>
a4c18002 733 <entry>LimitCORE=</entry>
798d3a52 734 <entry>ulimit -c</entry>
a4c18002 735 <entry>Bytes</entry>
798d3a52
ZJS		 736 </row>
737 <row>
a4c18002 738 <entry>LimitRSS=</entry>
798d3a52 739 <entry>ulimit -m</entry>
a4c18002 740 <entry>Bytes</entry>
798d3a52
ZJS		 741 </row>
742 <row>
a4c18002 743 <entry>LimitNOFILE=</entry>
798d3a52 744 <entry>ulimit -n</entry>
a4c18002 745 <entry>Number of File Descriptors</entry>
798d3a52
ZJS		 746 </row>
747 <row>
a4c18002 748 <entry>LimitAS=</entry>
798d3a52 749 <entry>ulimit -v</entry>
a4c18002 750 <entry>Bytes</entry>
798d3a52
ZJS		 751 </row>
752 <row>
a4c18002 753 <entry>LimitNPROC=</entry>
798d3a52 754 <entry>ulimit -u</entry>
a4c18002 755 <entry>Number of Processes</entry>
798d3a52
ZJS		 756 </row>
757 <row>
a4c18002 758 <entry>LimitMEMLOCK=</entry>
798d3a52 759 <entry>ulimit -l</entry>
a4c18002 760 <entry>Bytes</entry>
798d3a52
ZJS		 761 </row>
762 <row>
a4c18002 763 <entry>LimitLOCKS=</entry>
798d3a52 764 <entry>ulimit -x</entry>
a4c18002 765 <entry>Number of Locks</entry>
798d3a52
ZJS		 766 </row>
767 <row>
a4c18002 768 <entry>LimitSIGPENDING=</entry>
798d3a52 769 <entry>ulimit -i</entry>
a4c18002 770 <entry>Number of Queued Signals</entry>
798d3a52
ZJS		 771 </row>
772 <row>
a4c18002 773 <entry>LimitMSGQUEUE=</entry>
798d3a52 774 <entry>ulimit -q</entry>
a4c18002 775 <entry>Bytes</entry>
798d3a52
ZJS		 776 </row>
777 <row>
a4c18002 778 <entry>LimitNICE=</entry>
798d3a52 779 <entry>ulimit -e</entry>
a4c18002 780 <entry>Nice Level</entry>
798d3a52
ZJS		 781 </row>
782 <row>
a4c18002 783 <entry>LimitRTPRIO=</entry>
798d3a52 784 <entry>ulimit -r</entry>
a4c18002 785 <entry>Realtime Priority</entry>
798d3a52
ZJS		 786 </row>
787 <row>
a4c18002 788 <entry>LimitRTTIME=</entry>
798d3a52 789 <entry>No equivalent</entry>
a4c18002 790 <entry>Microseconds</entry>
798d3a52
ZJS		 791 </row>
792 </tbody>
793 </tgroup>
a4c18002 794 </table></listitem>
798d3a52
ZJS		 795 </varlistentry>
796
797 <varlistentry>
798 <term><varname>PAMName=</varname></term>
799 <listitem><para>Sets the PAM service name to set up a session
800 as. If set, the executed process will be registered as a PAM
801 session under the specified service name. This is only useful
802 in conjunction with the <varname>User=</varname> setting. If
803 not set, no PAM session will be opened for the executed
804 processes. See
805 <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
806 for details.</para></listitem>
807 </varlistentry>
808
809 <varlistentry>
810 <term><varname>CapabilityBoundingSet=</varname></term>
811
479050b3
LP		 812 <listitem><para>Controls which capabilities to include in the capability bounding set for the executed
813 process. See <citerefentry
814 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
815 details. Takes a whitespace-separated list of capability names as read by <citerefentry
816 project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
817 e.g. <constant>CAP_SYS_ADMIN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
818 <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be included in the bounding set, all others are
819 removed. If the list of capabilities is prefixed with <literal>~</literal>, all but the listed capabilities
820 will be included, the effect of the assignment inverted. Note that this option also affects the respective
821 capabilities in the effective, permitted and inheritable capability sets. If this option is not used, the
822 capability bounding set is not modified on process execution, hence no limits on the capabilities of the
823 process are enforced. This option may appear more than once, in which case the bounding sets are merged. If the
824 empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
825 settings have no effect. If set to <literal>~</literal> (without any further argument), the bounding set is
cf677fe6 826 reset to the full set of available capabilities, also undoing any previous settings. This does not affect
43eb109a 827 commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 828 </varlistentry>
829
ece87975
IP		 830 <varlistentry>
831 <term><varname>AmbientCapabilities=</varname></term>
832
833 <listitem><para>Controls which capabilities to include in the
834 ambient capability set for the executed process. Takes a
835 whitespace-separated list of capability names as read by
836 <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
837 e.g. <constant>CAP_SYS_ADMIN</constant>,
838 <constant>CAP_DAC_OVERRIDE</constant>,
839 <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
840 once in which case the ambient capability sets are merged.
841 If the list of capabilities is prefixed with <literal>~</literal>, all
842 but the listed capabilities will be included, the effect of the
843 assignment inverted. If the empty string is
844 assigned to this option, the ambient capability set is reset to
845 the empty capability set, and all prior settings have no effect.
846 If set to <literal>~</literal> (without any further argument), the
847 ambient capability set is reset to the full set of available
848 capabilities, also undoing any previous settings. Note that adding
849 capabilities to ambient capability set adds them to the process's
850 inherited capability set.
851 </para><para>
852 Ambient capability sets are useful if you want to execute a process
853 as a non-privileged user but still want to give it some capabilities.
854 Note that in this case option <constant>keep-caps</constant> is
855 automatically added to <varname>SecureBits=</varname> to retain the
cf677fe6 856 capabilities over the user change. <varname>AmbientCapabilities=</varname> does not affect
43eb109a 857 commands prefixed with <literal>+</literal>.</para></listitem>
ece87975
IP		 858 </varlistentry>
859
798d3a52
ZJS		 860 <varlistentry>
861 <term><varname>SecureBits=</varname></term>
862 <listitem><para>Controls the secure bits set for the executed
863 process. Takes a space-separated combination of options from
864 the following list:
865 <option>keep-caps</option>,
866 <option>keep-caps-locked</option>,
867 <option>no-setuid-fixup</option>,
868 <option>no-setuid-fixup-locked</option>,
869 <option>noroot</option>, and
870 <option>noroot-locked</option>.
b938cb90 871 This option may appear more than once, in which case the secure
798d3a52 872 bits are ORed. If the empty string is assigned to this option,
43eb109a 873 the bits are reset to 0. This does not affect commands prefixed with <literal>+</literal>.
cf677fe6 874 See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 875 for details.</para></listitem>
876 </varlistentry>
877
798d3a52 878 <varlistentry>
2a624c36
AP		 879 <term><varname>ReadWritePaths=</varname></term>
880 <term><varname>ReadOnlyPaths=</varname></term>
881 <term><varname>InaccessiblePaths=</varname></term>
798d3a52
ZJS		 882
883 <listitem><para>Sets up a new file system namespace for
884 executed processes. These options may be used to limit access
885 a process might have to the main file system hierarchy. Each
c4b41707 886 setting takes a space-separated list of paths relative to
043cc715 887 the host's root directory (i.e. the system running the service manager).
c4b41707 888 Note that if entries contain symlinks, they are resolved from the host's root directory as well.
2a624c36
AP		 889 Entries (files or directories) listed in
890 <varname>ReadWritePaths=</varname> are accessible from
798d3a52 891 within the namespace with the same access rights as from
c4b41707 892 outside. Entries listed in
2a624c36 893 <varname>ReadOnlyPaths=</varname> are accessible for
798d3a52 894 reading only, writing will be refused even if the usual file
c4b41707 895 access controls would permit this. Entries listed in
2a624c36 896 <varname>InaccessiblePaths=</varname> will be made
b50a16af
NBS		 897 inaccessible for processes inside the namespace, and may not
898 countain any other mountpoints, including those specified by
2a624c36
AP		 899 <varname>ReadWritePaths=</varname> or
900 <varname>ReadOnlyPaths=</varname>.
b50a16af 901 Note that restricting access with these options does not extend
c4b41707
AP		 902 to submounts of a directory that are created later on.
903 Non-directory paths can be specified as well. These
b938cb90 904 options may be specified more than once, in which case all
c4b41707 905 paths listed will have limited access from within the
798d3a52
ZJS		 906 namespace. If the empty string is assigned to this option, the
907 specific list is reset, and all prior assignments have no
908 effect.</para>
909 <para>Paths in
2a624c36 910 <varname>ReadOnlyPaths=</varname>
798d3a52 911 and
2a624c36 912 <varname>InaccessiblePaths=</varname>
798d3a52
ZJS		 913 may be prefixed with
914 <literal>-</literal>, in which case
915 they will be ignored when they do not
916 exist. Note that using this
917 setting will disconnect propagation of
918 mounts from the service to the host
919 (propagation in the opposite direction
920 continues to work). This means that
921 this setting may not be used for
922 services which shall be able to
923 install mount points in the main mount
924 namespace.</para></listitem>
925 </varlistentry>
926
927 <varlistentry>
928 <term><varname>PrivateTmp=</varname></term>
929
930 <listitem><para>Takes a boolean argument. If true, sets up a
931 new file system namespace for the executed processes and
932 mounts private <filename>/tmp</filename> and
933 <filename>/var/tmp</filename> directories inside it that is
934 not shared by processes outside of the namespace. This is
935 useful to secure access to temporary files of the process, but
936 makes sharing between processes via <filename>/tmp</filename>
937 or <filename>/var/tmp</filename> impossible. If this is
938 enabled, all temporary files created by a service in these
939 directories will be removed after the service is stopped.
940 Defaults to false. It is possible to run two or more units
941 within the same private <filename>/tmp</filename> and
942 <filename>/var/tmp</filename> namespace by using the
943 <varname>JoinsNamespaceOf=</varname> directive, see
944 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
945 for details. Note that using this setting will disconnect
946 propagation of mounts from the service to the host
947 (propagation in the opposite direction continues to work).
948 This means that this setting may not be used for services
949 which shall be able to install mount points in the main mount
950 namespace.</para></listitem>
951 </varlistentry>
952
953 <varlistentry>
954 <term><varname>PrivateDevices=</varname></term>
955
956 <listitem><para>Takes a boolean argument. If true, sets up a
957 new /dev namespace for the executed processes and only adds
958 API pseudo devices such as <filename>/dev/null</filename>,
959 <filename>/dev/zero</filename> or
960 <filename>/dev/random</filename> (as well as the pseudo TTY
961 subsystem) to it, but no physical devices such as
962 <filename>/dev/sda</filename>. This is useful to securely turn
963 off physical device access by the executed process. Defaults
964 to false. Enabling this option will also remove
965 <constant>CAP_MKNOD</constant> from the capability bounding
966 set for the unit (see above), and set
967 <varname>DevicePolicy=closed</varname> (see
968 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
969 for details). Note that using this setting will disconnect
970 propagation of mounts from the service to the host
971 (propagation in the opposite direction continues to work).
972 This means that this setting may not be used for services
973 which shall be able to install mount points in the main mount
737ba3c8 974 namespace. The /dev namespace will be mounted read-only and 'noexec'.
975 The latter may break old programs which try to set up executable
976 memory by using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
977 of <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>.</para></listitem>
798d3a52
ZJS		 978 </varlistentry>
979
980 <varlistentry>
981 <term><varname>PrivateNetwork=</varname></term>
982
983 <listitem><para>Takes a boolean argument. If true, sets up a
984 new network namespace for the executed processes and
985 configures only the loopback network device
986 <literal>lo</literal> inside it. No other network devices will
987 be available to the executed process. This is useful to
988 securely turn off network access by the executed process.
989 Defaults to false. It is possible to run two or more units
990 within the same private network namespace by using the
991 <varname>JoinsNamespaceOf=</varname> directive, see
992 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
993 for details. Note that this option will disconnect all socket
994 families from the host, this includes AF_NETLINK and AF_UNIX.
995 The latter has the effect that AF_UNIX sockets in the abstract
996 socket namespace will become unavailable to the processes
997 (however, those located in the file system will continue to be
998 accessible).</para></listitem>
999 </varlistentry>
1000
1001 <varlistentry>
1002 <term><varname>ProtectSystem=</varname></term>
1003
1004 <listitem><para>Takes a boolean argument or
1005 <literal>full</literal>. If true, mounts the
1006 <filename>/usr</filename> and <filename>/boot</filename>
1007 directories read-only for processes invoked by this unit. If
1008 set to <literal>full</literal>, the <filename>/etc</filename>
1009 directory is mounted read-only, too. This setting ensures that
b938cb90 1010 any modification of the vendor-supplied operating system (and
798d3a52
ZJS		 1011 optionally its configuration) is prohibited for the service.
1012 It is recommended to enable this setting for all long-running
1013 services, unless they are involved with system updates or need
1014 to modify the operating system in other ways. Note however
1015 that processes retaining the CAP_SYS_ADMIN capability can undo
1016 the effect of this setting. This setting is hence particularly
1017 useful for daemons which have this capability removed, for
1018 example with <varname>CapabilityBoundingSet=</varname>.
1019 Defaults to off.</para></listitem>
1020 </varlistentry>
1021
1022 <varlistentry>
1023 <term><varname>ProtectHome=</varname></term>
1024
1025 <listitem><para>Takes a boolean argument or
1026 <literal>read-only</literal>. If true, the directories
58331437
CH		 1027 <filename>/home</filename>, <filename>/root</filename> and
1028 <filename>/run/user</filename>
798d3a52 1029 are made inaccessible and empty for processes invoked by this
58331437 1030 unit. If set to <literal>read-only</literal>, the three
798d3a52
ZJS		 1031 directories are made read-only instead. It is recommended to
1032 enable this setting for all long-running services (in
1033 particular network-facing ones), to ensure they cannot get
1034 access to private user data, unless the services actually
1035 require access to the user's private data. Note however that
1036 processes retaining the CAP_SYS_ADMIN capability can undo the
1037 effect of this setting. This setting is hence particularly
1038 useful for daemons which have this capability removed, for
1039 example with <varname>CapabilityBoundingSet=</varname>.
1040 Defaults to off.</para></listitem>
1041 </varlistentry>
1042
1043 <varlistentry>
1044 <term><varname>MountFlags=</varname></term>
1045
1046 <listitem><para>Takes a mount propagation flag:
1047 <option>shared</option>, <option>slave</option> or
1048 <option>private</option>, which control whether mounts in the
1049 file system namespace set up for this unit's processes will
1050 receive or propagate mounts or unmounts. See
3ba3a79d 1051 <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS		 1052 for details. Defaults to <option>shared</option>. Use
1053 <option>shared</option> to ensure that mounts and unmounts are
1054 propagated from the host to the container and vice versa. Use
1055 <option>slave</option> to run processes so that none of their
1056 mounts and unmounts will propagate to the host. Use
1057 <option>private</option> to also ensure that no mounts and
1058 unmounts from the host will propagate into the unit processes'
1059 namespace. Note that <option>slave</option> means that file
1060 systems mounted on the host might stay mounted continuously in
1061 the unit's namespace, and thus keep the device busy. Note that
1062 the file system namespace related options
1063 (<varname>PrivateTmp=</varname>,
1064 <varname>PrivateDevices=</varname>,
1065 <varname>ProtectSystem=</varname>,
1066 <varname>ProtectHome=</varname>,
2a624c36
AP		 1067 <varname>ReadOnlyPaths=</varname>,
1068 <varname>InaccessiblePaths=</varname> and
1069 <varname>ReadWritePaths=</varname>) require that mount
798d3a52
ZJS		 1070 and unmount propagation from the unit's file system namespace
1071 is disabled, and hence downgrade <option>shared</option> to
1072 <option>slave</option>. </para></listitem>
1073 </varlistentry>
1074
1075 <varlistentry>
1076 <term><varname>UtmpIdentifier=</varname></term>
1077
1078 <listitem><para>Takes a four character identifier string for
023a4f67
LP		 1079 an <citerefentry
1080 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1081 and wtmp entry for this service. This should only be
1082 set for services such as <command>getty</command>
1083 implementations (such as <citerefentry
1084 project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
798d3a52 1085 where utmp/wtmp entries must be created and cleared before and
023a4f67
LP		 1086 after execution, or for services that shall be executed as if
1087 they were run by a <command>getty</command> process (see
1088 below). If the configured string is longer than four
798d3a52
ZJS		 1089 characters, it is truncated and the terminal four characters
1090 are used. This setting interprets %I style string
1091 replacements. This setting is unset by default, i.e. no
1092 utmp/wtmp entries are created or cleaned up for this
1093 service.</para></listitem>
1094 </varlistentry>
1095
023a4f67
LP		 1096 <varlistentry>
1097 <term><varname>UtmpMode=</varname></term>
1098
1099 <listitem><para>Takes one of <literal>init</literal>,
1100 <literal>login</literal> or <literal>user</literal>. If
1101 <varname>UtmpIdentifier=</varname> is set, controls which
1102 type of <citerefentry
1103 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp
1104 entries for this service are generated. This setting has no
1105 effect unless <varname>UtmpIdentifier=</varname> is set
1106 too. If <literal>init</literal> is set, only an
1107 <constant>INIT_PROCESS</constant> entry is generated and the
6cd16034
LP		 1108 invoked process must implement a
1109 <command>getty</command>-compatible utmp/wtmp logic. If
1110 <literal>login</literal> is set, first an
a8eaaee7 1111 <constant>INIT_PROCESS</constant> entry, followed by a
6cd16034 1112 <constant>LOGIN_PROCESS</constant> entry is generated. In
b938cb90 1113 this case, the invoked process must implement a <citerefentry
023a4f67
LP		 1114 project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
1115 utmp/wtmp logic. If <literal>user</literal> is set, first an
1116 <constant>INIT_PROCESS</constant> entry, then a
a8eaaee7 1117 <constant>LOGIN_PROCESS</constant> entry and finally a
023a4f67 1118 <constant>USER_PROCESS</constant> entry is generated. In this
b938cb90 1119 case, the invoked process may be any process that is suitable
023a4f67
LP		 1120 to be run as session leader. Defaults to
1121 <literal>init</literal>.</para></listitem>
1122 </varlistentry>
1123
798d3a52
ZJS		 1124 <varlistentry>
1125 <term><varname>SELinuxContext=</varname></term>
1126
1127 <listitem><para>Set the SELinux security context of the
1128 executed process. If set, this will override the automated
1129 domain transition. However, the policy still needs to
1130 authorize the transition. This directive is ignored if SELinux
1131 is disabled. If prefixed by <literal>-</literal>, all errors
43eb109a 1132 will be ignored. This does not affect commands prefixed with <literal>+</literal>.
cf677fe6 1133 See <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52
ZJS		 1134 for details.</para></listitem>
1135 </varlistentry>
1136
1137 <varlistentry>
1138 <term><varname>AppArmorProfile=</varname></term>
1139
1140 <listitem><para>Takes a profile name as argument. The process
1141 executed by the unit will switch to this profile when started.
1142 Profiles must already be loaded in the kernel, or the unit
1143 will fail. This result in a non operation if AppArmor is not
1144 enabled. If prefixed by <literal>-</literal>, all errors will
43eb109a 1145 be ignored. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 1146 </varlistentry>
1147
1148 <varlistentry>
1149 <term><varname>SmackProcessLabel=</varname></term>
1150
1151 <listitem><para>Takes a <option>SMACK64</option> security
1152 label as argument. The process executed by the unit will be
1153 started under this label and SMACK will decide whether the
b938cb90 1154 process is allowed to run or not, based on it. The process
798d3a52
ZJS		 1155 will continue to run under the label specified here unless the
1156 executable has its own <option>SMACK64EXEC</option> label, in
1157 which case the process will transition to run under that
1158 label. When not specified, the label that systemd is running
1159 under is used. This directive is ignored if SMACK is
1160 disabled.</para>
1161
1162 <para>The value may be prefixed by <literal>-</literal>, in
1163 which case all errors will be ignored. An empty value may be
cf677fe6 1164 specified to unset previous assignments. This does not affect
43eb109a 1165 commands prefixed with <literal>+</literal>.</para>
798d3a52
ZJS		 1166 </listitem>
1167 </varlistentry>
1168
1169 <varlistentry>
1170 <term><varname>IgnoreSIGPIPE=</varname></term>
1171
1172 <listitem><para>Takes a boolean argument. If true, causes
1173 <constant>SIGPIPE</constant> to be ignored in the executed
1174 process. Defaults to true because <constant>SIGPIPE</constant>
1175 generally is useful only in shell pipelines.</para></listitem>
1176 </varlistentry>
1177
1178 <varlistentry>
1179 <term><varname>NoNewPrivileges=</varname></term>
1180
1181 <listitem><para>Takes a boolean argument. If true, ensures
1182 that the service process and all its children can never gain
1183 new privileges. This option is more powerful than the
1184 respective secure bits flags (see above), as it also prohibits
1185 UID changes of any kind. This is the simplest, most effective
1186 way to ensure that a process and its children can never
1187 elevate privileges again.</para></listitem>
1188 </varlistentry>
1189
1190 <varlistentry>
1191 <term><varname>SystemCallFilter=</varname></term>
1192
1193 <listitem><para>Takes a space-separated list of system call
1194 names. If this setting is used, all system calls executed by
1195 the unit processes except for the listed ones will result in
1196 immediate process termination with the
1197 <constant>SIGSYS</constant> signal (whitelisting). If the
1198 first character of the list is <literal>~</literal>, the
1199 effect is inverted: only the listed system calls will result
1200 in immediate process termination (blacklisting). If running in
19c0b0b9 1201 user mode, or in system mode, but without the
008dce38 1202 <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
19c0b0b9 1203 <varname>User=nobody</varname>),
798d3a52
ZJS		 1204 <varname>NoNewPrivileges=yes</varname> is implied. This
1205 feature makes use of the Secure Computing Mode 2 interfaces of
1206 the kernel ('seccomp filtering') and is useful for enforcing a
1207 minimal sandboxing environment. Note that the
1208 <function>execve</function>,
1209 <function>rt_sigreturn</function>,
1210 <function>sigreturn</function>,
1211 <function>exit_group</function>, <function>exit</function>
1212 system calls are implicitly whitelisted and do not need to be
b938cb90 1213 listed explicitly. This option may be specified more than once,
798d3a52
ZJS		 1214 in which case the filter masks are merged. If the empty string
1215 is assigned, the filter is reset, all prior assignments will
43eb109a 1216 have no effect. This does not affect commands prefixed with <literal>+</literal>.</para>
798d3a52
ZJS		 1217
1218 <para>If you specify both types of this option (i.e.
1219 whitelisting and blacklisting), the first encountered will
1220 take precedence and will dictate the default action
1221 (termination or approval of a system call). Then the next
1222 occurrences of this option will add or delete the listed
1223 system calls from the set of the filtered system calls,
1224 depending of its type and the default action. (For example, if
1225 you have started with a whitelisting of
1226 <function>read</function> and <function>write</function>, and
1227 right after it add a blacklisting of
1228 <function>write</function>, then <function>write</function>
201c1cc2
TM		 1229 will be removed from the set.)</para>
1230
1231 <para>As the number of possible system
1232 calls is large, predefined sets of system calls are provided.
1233 A set starts with <literal>@</literal> character, followed by
1234 name of the set.
1235
1236 <table>
1237 <title>Currently predefined system call sets</title>
1238
1239 <tgroup cols='2'>
1240 <colspec colname='set' />
1241 <colspec colname='description' />
1242 <thead>
1243 <row>
1244 <entry>Set</entry>
1245 <entry>Description</entry>
1246 </row>
1247 </thead>
1248 <tbody>
1249 <row>
1250 <entry>@clock</entry>
1f9ac68b
LP		 1251 <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
1252 </row>
1253 <row>
1254 <entry>@cpu-emulation</entry>
1255 <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
1256 </row>
1257 <row>
1258 <entry>@debug</entry>
1259 <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1260 </row>
1261 <row>
1262 <entry>@io-event</entry>
1f9ac68b 1263 <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1264 </row>
1265 <row>
1266 <entry>@ipc</entry>
1f9ac68b
LP		 1267 <entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
1268 </row>
1269 <row>
1270 <entry>@keyring</entry>
1271 <entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1272 </row>
1273 <row>
1274 <entry>@module</entry>
1f9ac68b 1275 <entry>Kernel module control (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1276 </row>
1277 <row>
1278 <entry>@mount</entry>
1f9ac68b 1279 <entry>File system mounting and unmounting (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
201c1cc2
TM		 1280 </row>
1281 <row>
1282 <entry>@network-io</entry>
1f9ac68b 1283 <entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
201c1cc2
TM		 1284 </row>
1285 <row>
1286 <entry>@obsolete</entry>
1f9ac68b 1287 <entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
201c1cc2
TM		 1288 </row>
1289 <row>
1290 <entry>@privileged</entry>
1f9ac68b 1291 <entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
201c1cc2
TM		 1292 </row>
1293 <row>
1294 <entry>@process</entry>
1f9ac68b 1295 <entry>Process control, execution, namespaces (<citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry>
201c1cc2
TM		 1296 </row>
1297 <row>
1298 <entry>@raw-io</entry>
1f9ac68b 1299 <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …</entry>
201c1cc2
TM		 1300 </row>
1301 </tbody>
1302 </tgroup>
1303 </table>
1304
1305 Note, that as new system calls are added to the kernel, additional system calls might be added to the groups
1306 above, so the contents of the sets may change between systemd versions.</para></listitem>
798d3a52
ZJS		 1307 </varlistentry>
1308
1309 <varlistentry>
1310 <term><varname>SystemCallErrorNumber=</varname></term>
1311
1312 <listitem><para>Takes an <literal>errno</literal> error number
1313 name to return when the system call filter configured with
1314 <varname>SystemCallFilter=</varname> is triggered, instead of
1315 terminating the process immediately. Takes an error name such
1316 as <constant>EPERM</constant>, <constant>EACCES</constant> or
1317 <constant>EUCLEAN</constant>. When this setting is not used,
1318 or when the empty string is assigned, the process will be
1319 terminated immediately when the filter is
1320 triggered.</para></listitem>
1321 </varlistentry>
1322
1323 <varlistentry>
1324 <term><varname>SystemCallArchitectures=</varname></term>
1325
b938cb90 1326 <listitem><para>Takes a space-separated list of architecture
798d3a52
ZJS		 1327 identifiers to include in the system call filter. The known
1328 architecture identifiers are <constant>x86</constant>,
1329 <constant>x86-64</constant>, <constant>x32</constant>,
1330 <constant>arm</constant> as well as the special identifier
1331 <constant>native</constant>. Only system calls of the
1332 specified architectures will be permitted to processes of this
1333 unit. This is an effective way to disable compatibility with
1334 non-native architectures for processes, for example to
1335 prohibit execution of 32-bit x86 binaries on 64-bit x86-64
1336 systems. The special <constant>native</constant> identifier
1337 implicitly maps to the native architecture of the system (or
1338 more strictly: to the architecture the system manager is
19c0b0b9
RC		 1339 compiled for). If running in user mode, or in system mode,
1340 but without the <constant>CAP_SYS_ADMIN</constant>
008dce38 1341 capability (e.g. setting <varname>User=nobody</varname>),
19c0b0b9 1342 <varname>NoNewPrivileges=yes</varname> is implied. Note
798d3a52
ZJS		 1343 that setting this option to a non-empty list implies that
1344 <constant>native</constant> is included too. By default, this
1345 option is set to the empty list, i.e. no architecture system
1346 call filtering is applied.</para></listitem>
1347 </varlistentry>
1348
1349 <varlistentry>
1350 <term><varname>RestrictAddressFamilies=</varname></term>
1351
1352 <listitem><para>Restricts the set of socket address families
1353 accessible to the processes of this unit. Takes a
1354 space-separated list of address family names to whitelist,
1355 such as
1356 <constant>AF_UNIX</constant>,
1357 <constant>AF_INET</constant> or
1358 <constant>AF_INET6</constant>. When
1359 prefixed with <constant>~</constant> the listed address
1360 families will be applied as blacklist, otherwise as whitelist.
1361 Note that this restricts access to the
3ba3a79d 1362 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS		 1363 system call only. Sockets passed into the process by other
1364 means (for example, by using socket activation with socket
1365 units, see
1366 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1367 are unaffected. Also, sockets created with
1368 <function>socketpair()</function> (which creates connected
1369 AF_UNIX sockets only) are unaffected. Note that this option
1370 has no effect on 32-bit x86 and is ignored (but works
19c0b0b9
RC		 1371 correctly on x86-64). If running in user mode, or in system
1372 mode, but without the <constant>CAP_SYS_ADMIN</constant>
008dce38 1373 capability (e.g. setting <varname>User=nobody</varname>),
19c0b0b9 1374 <varname>NoNewPrivileges=yes</varname> is implied. By
798d3a52
ZJS		 1375 default, no restriction applies, all address families are
1376 accessible to processes. If assigned the empty string, any
1377 previous list changes are undone.</para>
1378
1379 <para>Use this option to limit exposure of processes to remote
1380 systems, in particular via exotic network protocols. Note that
1381 in most cases, the local <constant>AF_UNIX</constant> address
1382 family should be included in the configured whitelist as it is
1383 frequently used for local communication, including for
1384 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
43eb109a 1385 logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 1386 </varlistentry>
1387
1388 <varlistentry>
1389 <term><varname>Personality=</varname></term>
1390
7882632d
LP		 1391 <listitem><para>Controls which kernel architecture <citerefentry
1392 project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report,
1393 when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>,
1394 <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>,
1395 <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality
1396 architectures are supported depends on the system architecture. Usually the 64bit versions of the various
1397 system architectures support their immediate 32bit personality architecture counterpart, but no others. For
1398 example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and
1399 <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit
1400 services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
1401 personality of the host system's kernel.</para></listitem>
798d3a52
ZJS		 1402 </varlistentry>
1403
1404 <varlistentry>
1405 <term><varname>RuntimeDirectory=</varname></term>
1406 <term><varname>RuntimeDirectoryMode=</varname></term>
1407
1408 <listitem><para>Takes a list of directory names. If set, one
1409 or more directories by the specified names will be created
1410 below <filename>/run</filename> (for system services) or below
1411 <varname>$XDG_RUNTIME_DIR</varname> (for user services) when
1412 the unit is started, and removed when the unit is stopped. The
1413 directories will have the access mode specified in
1414 <varname>RuntimeDirectoryMode=</varname>, and will be owned by
1415 the user and group specified in <varname>User=</varname> and
1416 <varname>Group=</varname>. Use this to manage one or more
1417 runtime directories of the unit and bind their lifetime to the
1418 daemon runtime. The specified directory names must be
1419 relative, and may not include a <literal>/</literal>, i.e.
1420 must refer to simple directories to create or remove. This is
1421 particularly useful for unprivileged daemons that cannot
1422 create runtime directories in <filename>/run</filename> due to
1423 lack of privileges, and to make sure the runtime directory is
1424 cleaned up automatically after use. For runtime directories
1425 that require more complex or different configuration or
1426 lifetime guarantees, please consider using
1427 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
1428 </varlistentry>
1429
f3e43635
TM		 1430 <varlistentry>
1431 <term><varname>MemoryDenyWriteExecute=</varname></term>
1432
1433 <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and
1434 executable at the same time, or to change existing memory mappings to become executable are prohibited.
1435 Specifically, a system call filter is added that rejects
1436 <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1437 system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set
1438 and <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1439 system calls with <constant>PROT_EXEC</constant> set. Note that this option is incompatible with programs
1440 that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making
1441 use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes
1442 harder for software exploits to change running code dynamically.
1443 </para></listitem>
1444 </varlistentry>
1445
f4170c67
LP		 1446 <varlistentry>
1447 <term><varname>RestrictRealtime=</varname></term>
1448
1449 <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
1450 the unit are refused. This restricts access to realtime task scheduling policies such as
1451 <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See
1452 <citerefentry><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about
1453 these scheduling policies. Realtime scheduling policies may be used to monopolize CPU time for longer periods
1454 of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It
1455 is hence recommended to restrict access to realtime scheduling to the few programs that actually require
1456 them. Defaults to off.</para></listitem>
1457 </varlistentry>
1458
798d3a52
ZJS		 1459 </variablelist>
1460 </refsect1>
1461
1462 <refsect1>
1463 <title>Environment variables in spawned processes</title>
1464
1465 <para>Processes started by the system are executed in a clean
1466 environment in which select variables listed below are set. System
1467 processes started by systemd do not inherit variables from PID 1,
1468 but processes started by user systemd instances inherit all
1469 environment variables from the user systemd instance.
1470 </para>
1471
1472 <variablelist class='environment-variables'>
1473 <varlistentry>
1474 <term><varname>$PATH</varname></term>
1475
1476 <listitem><para>Colon-separated list of directories to use
1477 when launching executables. Systemd uses a fixed value of
1478 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
1479 </para></listitem>
1480 </varlistentry>
1481
1482 <varlistentry>
1483 <term><varname>$LANG</varname></term>
1484
1485 <listitem><para>Locale. Can be set in
3ba3a79d 1486 <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
798d3a52
ZJS		 1487 or on the kernel command line (see
1488 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1489 and
1490 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
1491 </para></listitem>
1492 </varlistentry>
1493
1494 <varlistentry>
1495 <term><varname>$USER</varname></term>
1496 <term><varname>$LOGNAME</varname></term>
1497 <term><varname>$HOME</varname></term>
1498 <term><varname>$SHELL</varname></term>
1499
1500 <listitem><para>User name (twice), home directory, and the
1501 login shell. The variables are set for the units that have
1502 <varname>User=</varname> set, which includes user
1503 <command>systemd</command> instances. See
3ba3a79d 1504 <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
798d3a52
ZJS		 1505 </para></listitem>
1506 </varlistentry>
1507
1508 <varlistentry>
1509 <term><varname>$XDG_RUNTIME_DIR</varname></term>
1510
1511 <listitem><para>The directory for volatile state. Set for the
1512 user <command>systemd</command> instance, and also in user
1513 sessions. See
1514 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1515 </para></listitem>
1516 </varlistentry>
1517
1518 <varlistentry>
1519 <term><varname>$XDG_SESSION_ID</varname></term>
1520 <term><varname>$XDG_SEAT</varname></term>
1521 <term><varname>$XDG_VTNR</varname></term>
1522
1523 <listitem><para>The identifier of the session, the seat name,
1524 and virtual terminal of the session. Set by
1525 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
1526 for login sessions. <varname>$XDG_SEAT</varname> and
1527 <varname>$XDG_VTNR</varname> will only be set when attached to
1528 a seat and a tty.</para></listitem>
1529 </varlistentry>
1530
1531 <varlistentry>
1532 <term><varname>$MAINPID</varname></term>
1533
1534 <listitem><para>The PID of the units main process if it is
1535 known. This is only set for control processes as invoked by
1536 <varname>ExecReload=</varname> and similar. </para></listitem>
1537 </varlistentry>
1538
1539 <varlistentry>
1540 <term><varname>$MANAGERPID</varname></term>
1541
1542 <listitem><para>The PID of the user <command>systemd</command>
1543 instance, set for processes spawned by it. </para></listitem>
1544 </varlistentry>
1545
1546 <varlistentry>
1547 <term><varname>$LISTEN_FDS</varname></term>
1548 <term><varname>$LISTEN_PID</varname></term>
5c019cf2 1549 <term><varname>$LISTEN_FDNAMES</varname></term>
798d3a52
ZJS		 1550
1551 <listitem><para>Information about file descriptors passed to a
1552 service for socket activation. See
1553 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1554 </para></listitem>
1555 </varlistentry>
1556
5c019cf2
EV		 1557 <varlistentry>
1558 <term><varname>$NOTIFY_SOCKET</varname></term>
1559
1560 <listitem><para>The socket
1561 <function>sd_notify()</function> talks to. See
1562 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1563 </para></listitem>
1564 </varlistentry>
1565
1566 <varlistentry>
1567 <term><varname>$WATCHDOG_PID</varname></term>
1568 <term><varname>$WATCHDOG_USEC</varname></term>
1569
1570 <listitem><para>Information about watchdog keep-alive notifications. See
1571 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1572 </para></listitem>
1573 </varlistentry>
1574
798d3a52
ZJS		 1575 <varlistentry>
1576 <term><varname>$TERM</varname></term>
1577
1578 <listitem><para>Terminal type, set only for units connected to
1579 a terminal (<varname>StandardInput=tty</varname>,
1580 <varname>StandardOutput=tty</varname>, or
1581 <varname>StandardError=tty</varname>). See
1582 <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
1583 </para></listitem>
1584 </varlistentry>
7bce046b
LP		 1585
1586 <varlistentry>
1587 <term><varname>$JOURNAL_STREAM</varname></term>
1588
1589 <listitem><para>If the standard output or standard error output of the executed processes are connected to the
1590 journal (for example, by setting <varname>StandardError=journal</varname>) <varname>$JOURNAL_STREAM</varname>
1591 contains the device and inode numbers of the connection file descriptor, formatted in decimal, separated by a
1592 colon (<literal>:</literal>). This permits invoked processes to safely detect whether their standard output or
1593 standard error output are connected to the journal. The device and inode numbers of the file descriptors should
1594 be compared with the values set in the environment variable to determine whether the process output is still
1595 connected to the journal. Note that it is generally not sufficient to only check whether
1596 <varname>$JOURNAL_STREAM</varname> is set at all as services might invoke external processes replacing their
1597 standard output or standard error output, without unsetting the environment variable.</para>
1598
1599 <para>This environment variable is primarily useful to allow services to optionally upgrade their used log
1600 protocol to the native journal protocol (using
1601 <citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other
1602 functions) if their standard output or standard error output is connected to the journal anyway, thus enabling
1603 delivery of structured metadata along with logged messages.</para></listitem>
1604 </varlistentry>
798d3a52
ZJS		 1605 </variablelist>
1606
1607 <para>Additional variables may be configured by the following
1608 means: for processes spawned in specific units, use the
5c019cf2
EV		 1609 <varname>Environment=</varname>, <varname>EnvironmentFile=</varname>
1610 and <varname>PassEnvironment=</varname> options above; to specify
798d3a52
ZJS		 1611 variables globally, use <varname>DefaultEnvironment=</varname>
1612 (see
1613 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1614 or the kernel option <varname>systemd.setenv=</varname> (see
1615 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
1616 Additional variables may also be set through PAM,
1617 cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
1618 </refsect1>
1619
1620 <refsect1>
1621 <title>See Also</title>
1622 <para>
1623 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1624 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1625 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1626 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1627 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1628 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1629 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1630 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1631 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1632 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
a4c18002 1633 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
798d3a52
ZJS		 1634 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
1635 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1636 <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1637 </para>
1638 </refsect1>
dd1eb43b
LP		 1639
1640</refentry>
Unnamed repository; edit this file 'description' to name the repository.