]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
namespace: don't make the root directory of a namespace a mount if it already is one
[thirdparty/systemd.git] / man / systemd.exec.xml
CommitLineData
023a4f67 1<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
dd1eb43b 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
dd1eb43b
LP		 4
5<!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
dd1eb43b
LP		 13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 18 Lesser General Public License for more details.
dd1eb43b 19
5430f7f2 20 You should have received a copy of the GNU Lesser General Public License
dd1eb43b
LP		 21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22-->
23
24<refentry id="systemd.exec">
798d3a52
ZJS		 25 <refentryinfo>
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
28
29 <authorgroup>
30 <author>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
35 </author>
36 </authorgroup>
37 </refentryinfo>
38
39 <refmeta>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
42 </refmeta>
43
44 <refnamediv>
45 <refname>systemd.exec</refname>
46 <refpurpose>Execution environment configuration</refpurpose>
47 </refnamediv>
48
49 <refsynopsisdiv>
50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
54 </refsynopsisdiv>
55
56 <refsect1>
57 <title>Description</title>
58
59 <para>Unit configuration files for services, sockets, mount
60 points, and swap devices share a subset of configuration options
61 which define the execution environment of spawned
62 processes.</para>
63
64 <para>This man page lists the configuration options shared by
65 these four unit types. See
66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration files, and
68 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
69 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 and
72 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
73 for more information on the specific unit configuration files. The
74 execution specific configuration options are configured in the
75 [Service], [Socket], [Mount], or [Swap] sections, depending on the
76 unit type.</para>
77 </refsect1>
78
c129bd5d
LP		 79 <refsect1>
80 <title>Automatic Dependencies</title>
81
82 <para>A few execution parameters result in additional, automatic
83 dependencies to be added.</para>
84
85 <para>Units with <varname>WorkingDirectory=</varname> or
86 <varname>RootDirectory=</varname> set automatically gain
87 dependencies of type <varname>Requires=</varname> and
88 <varname>After=</varname> on all mount units required to access
89 the specified paths. This is equivalent to having them listed
90 explicitly in <varname>RequiresMountsFor=</varname>.</para>
91
92 <para>Similar, units with <varname>PrivateTmp=</varname> enabled
93 automatically get mount unit dependencies for all mounts
94 required to access <filename>/tmp</filename> and
95 <filename>/var/tmp</filename>.</para>
96
dfe85b38
LP		 97 <para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option>
98 or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies
99 of type <varname>After=</varname> on <filename>systemd-journald.socket</filename>.</para>
c129bd5d
LP		 100 </refsect1>
101
798d3a52
ZJS		 102 <refsect1>
103 <title>Options</title>
104
105 <variablelist class='unit-directives'>
106
107 <varlistentry>
108 <term><varname>WorkingDirectory=</varname></term>
109
d251207d
LP		 110 <listitem><para>Takes a directory path relative to the service's root directory specified by
111 <varname>RootDirectory=</varname>, or the special value <literal>~</literal>. Sets the working directory for
112 executed processes. If set to <literal>~</literal>, the home directory of the user specified in
113 <varname>User=</varname> is used. If not set, defaults to the root directory when systemd is running as a
114 system instance and the respective user's home directory if run as user. If the setting is prefixed with the
115 <literal>-</literal> character, a missing working directory is not considered fatal. If
116 <varname>RootDirectory=</varname> is not set, then <varname>WorkingDirectory=</varname> is relative to the root
117 of the system running the service manager. Note that setting this parameter might result in additional
118 dependencies to be added to the unit (see above).</para></listitem>
798d3a52
ZJS		 119 </varlistentry>
120
121 <varlistentry>
122 <term><varname>RootDirectory=</varname></term>
123
d251207d
LP		 124 <listitem><para>Takes a directory path relative to the host's root directory (i.e. the root of the system
125 running the service manager). Sets the root directory for executed processes, with the <citerefentry
126 project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> system
127 call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in
128 the <function>chroot()</function> jail. Note that setting this parameter might result in additional
129 dependencies to be added to the unit (see above).</para>
130
131 <para>The <varname>PrivateUsers=</varname> setting is particularly useful in conjunction with
132 <varname>RootDirectory=</varname>. For details, see below.</para></listitem>
798d3a52
ZJS		 133 </varlistentry>
134
135 <varlistentry>
136 <term><varname>User=</varname></term>
137 <term><varname>Group=</varname></term>
138
29206d46
LP		 139 <listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single
140 user or group name, or numeric ID as argument. If no group is set, the default group of the user is used. This
dadd6ecf 141 setting does not affect commands whose command line is prefixed with <literal>+</literal>.</para></listitem>
29206d46
LP		 142 </varlistentry>
143
144 <varlistentry>
145 <term><varname>DynamicUser=</varname></term>
146
147 <listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the
148 unit is started, and released as soon as it is stopped. The user and group will not be added to
149 <filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed transiently during
150 runtime. The <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
151 glibc NSS module provides integration of these dynamic users/groups into the system's user and group
152 databases. The user and group name to use may be configured via <varname>User=</varname> and
153 <varname>Group=</varname> (see above). If these options are not used and dynamic user/group allocation is
154 enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit
155 name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a
156 hash of it is used. If a statically allocated user or group of the configured name already exists, it is used
157 and no dynamic user/group is allocated. Dynamic users/groups are allocated from the UID/GID range
158 61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time
159 each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in
160 use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running
161 as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these
162 users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to
63bb64a0 163 these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>RemoveIPC=</varname>,
00d9ef85
LP		 164 <varname>PrivateTmp=</varname> are implied. This ensures that the lifetime of IPC objects and temporary files
165 created by the executed processes is bound to the runtime of the service, and hence the lifetime of the dynamic
166 user/group. Since <filename>/tmp</filename> and <filename>/var/tmp</filename> are usually the only
167 world-writable directories on a system this ensures that a unit making use of dynamic user/group allocation
63bb64a0
LP		 168 cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and
169 <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file
170 system locations. In order to allow the service to write to certain directories, they have to be whitelisted
171 using <varname>ReadWritePaths=</varname>, but care must be taken so that that UID/GID recycling doesn't
172 create security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see
173 below) in order to assign a writable runtime directory to a service, owned by the dynamic user/group and
174 removed automatically when the unit is terminated. Defaults to off.</para></listitem>
798d3a52
ZJS		 175 </varlistentry>
176
177 <varlistentry>
178 <term><varname>SupplementaryGroups=</varname></term>
179
180 <listitem><para>Sets the supplementary Unix groups the
181 processes are executed as. This takes a space-separated list
182 of group names or IDs. This option may be specified more than
b938cb90
JE		 183 once, in which case all listed groups are set as supplementary
184 groups. When the empty string is assigned, the list of
798d3a52
ZJS		 185 supplementary groups is reset, and all assignments prior to
186 this one will have no effect. In any way, this option does not
187 override, but extends the list of supplementary groups
188 configured in the system group database for the
43eb109a 189 user. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 190 </varlistentry>
191
00d9ef85
LP		 192 <varlistentry>
193 <term><varname>RemoveIPC=</varname></term>
194
195 <listitem><para>Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and
196 group the processes of this unit are run as are removed when the unit is stopped. This setting only has an
197 effect if at least one of <varname>User=</varname>, <varname>Group=</varname> and
198 <varname>DynamicUser=</varname> are used. It has no effect on IPC objects owned by the root user. Specifically,
199 this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If
200 multiple units use the same user or group the IPC objects are removed when the last of these units is
201 stopped. This setting is implied if <varname>DynamicUser=</varname> is set.</para></listitem>
202 </varlistentry>
203
798d3a52
ZJS		 204 <varlistentry>
205 <term><varname>Nice=</varname></term>
206
207 <listitem><para>Sets the default nice level (scheduling
208 priority) for executed processes. Takes an integer between -20
209 (highest priority) and 19 (lowest priority). See
210 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
211 for details.</para></listitem>
212 </varlistentry>
213
214 <varlistentry>
215 <term><varname>OOMScoreAdjust=</varname></term>
216
217 <listitem><para>Sets the adjustment level for the
218 Out-Of-Memory killer for executed processes. Takes an integer
219 between -1000 (to disable OOM killing for this process) and
220 1000 (to make killing of this process under memory pressure
221 very likely). See <ulink
222 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
223 for details.</para></listitem>
224 </varlistentry>
225
226 <varlistentry>
227 <term><varname>IOSchedulingClass=</varname></term>
228
b938cb90 229 <listitem><para>Sets the I/O scheduling class for executed
798d3a52
ZJS		 230 processes. Takes an integer between 0 and 3 or one of the
231 strings <option>none</option>, <option>realtime</option>,
232 <option>best-effort</option> or <option>idle</option>. See
233 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
234 for details.</para></listitem>
235 </varlistentry>
236
237 <varlistentry>
238 <term><varname>IOSchedulingPriority=</varname></term>
239
b938cb90 240 <listitem><para>Sets the I/O scheduling priority for executed
798d3a52
ZJS		 241 processes. Takes an integer between 0 (highest priority) and 7
242 (lowest priority). The available priorities depend on the
b938cb90 243 selected I/O scheduling class (see above). See
798d3a52
ZJS		 244 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
245 for details.</para></listitem>
246 </varlistentry>
247
248 <varlistentry>
249 <term><varname>CPUSchedulingPolicy=</varname></term>
250
251 <listitem><para>Sets the CPU scheduling policy for executed
252 processes. Takes one of
253 <option>other</option>,
254 <option>batch</option>,
255 <option>idle</option>,
256 <option>fifo</option> or
257 <option>rr</option>. See
258 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
259 for details.</para></listitem>
260 </varlistentry>
261
262 <varlistentry>
263 <term><varname>CPUSchedulingPriority=</varname></term>
264
265 <listitem><para>Sets the CPU scheduling priority for executed
266 processes. The available priority range depends on the
267 selected CPU scheduling policy (see above). For real-time
268 scheduling policies an integer between 1 (lowest priority) and
269 99 (highest priority) can be used. See
270 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
271 for details. </para></listitem>
272 </varlistentry>
273
274 <varlistentry>
275 <term><varname>CPUSchedulingResetOnFork=</varname></term>
276
277 <listitem><para>Takes a boolean argument. If true, elevated
278 CPU scheduling priorities and policies will be reset when the
279 executed processes fork, and can hence not leak into child
280 processes. See
281 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
282 for details. Defaults to false.</para></listitem>
283 </varlistentry>
284
285 <varlistentry>
286 <term><varname>CPUAffinity=</varname></term>
287
288 <listitem><para>Controls the CPU affinity of the executed
71b1c27a
FB		 289 processes. Takes a list of CPU indices or ranges separated by
290 either whitespace or commas. CPU ranges are specified by the
291 lower and upper CPU indices separated by a dash.
b938cb90 292 This option may be specified more than once, in which case the
798d3a52
ZJS		 293 specified CPU affinity masks are merged. If the empty string
294 is assigned, the mask is reset, all assignments prior to this
295 will have no effect. See
296 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
297 for details.</para></listitem>
298 </varlistentry>
299
300 <varlistentry>
301 <term><varname>UMask=</varname></term>
302
303 <listitem><para>Controls the file mode creation mask. Takes an
304 access mode in octal notation. See
305 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
306 for details. Defaults to 0022.</para></listitem>
307 </varlistentry>
308
309 <varlistentry>
310 <term><varname>Environment=</varname></term>
311
312 <listitem><para>Sets environment variables for executed
313 processes. Takes a space-separated list of variable
b938cb90 314 assignments. This option may be specified more than once, in
798d3a52
ZJS		 315 which case all listed variables will be set. If the same
316 variable is set twice, the later setting will override the
317 earlier setting. If the empty string is assigned to this
318 option, the list of environment variables is reset, all prior
319 assignments have no effect. Variable expansion is not
320 performed inside the strings, however, specifier expansion is
321 possible. The $ character has no special meaning. If you need
322 to assign a value containing spaces to a variable, use double
323 quotes (") for the assignment.</para>
324
325 <para>Example:
326 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
327 gives three variables <literal>VAR1</literal>,
328 <literal>VAR2</literal>, <literal>VAR3</literal>
329 with the values <literal>word1 word2</literal>,
330 <literal>word3</literal>, <literal>$word 5 6</literal>.
331 </para>
332
333 <para>
334 See
335 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
336 for details about environment variables.</para></listitem>
337 </varlistentry>
338 <varlistentry>
339 <term><varname>EnvironmentFile=</varname></term>
340 <listitem><para>Similar to <varname>Environment=</varname> but
341 reads the environment variables from a text file. The text
342 file should contain new-line-separated variable assignments.
8f0d2981
RM		 343 Empty lines, lines without an <literal>=</literal> separator,
344 or lines starting with ; or # will be ignored,
798d3a52
ZJS		 345 which may be used for commenting. A line ending with a
346 backslash will be concatenated with the following one,
347 allowing multiline variable definitions. The parser strips
348 leading and trailing whitespace from the values of
349 assignments, unless you use double quotes (").</para>
350
351 <para>The argument passed should be an absolute filename or
352 wildcard expression, optionally prefixed with
353 <literal>-</literal>, which indicates that if the file does
354 not exist, it will not be read and no error or warning message
355 is logged. This option may be specified more than once in
356 which case all specified files are read. If the empty string
357 is assigned to this option, the list of file to read is reset,
358 all prior assignments have no effect.</para>
359
360 <para>The files listed with this directive will be read
361 shortly before the process is executed (more specifically,
362 after all processes from a previous unit state terminated.
363 This means you can generate these files in one unit state, and
f407824d
DH		 364 read it with this option in the next).</para>
365
366 <para>Settings from these
798d3a52
ZJS		 367 files override settings made with
368 <varname>Environment=</varname>. If the same variable is set
369 twice from these files, the files will be read in the order
370 they are specified and the later setting will override the
371 earlier setting.</para></listitem>
372 </varlistentry>
373
b4c14404
FB		 374 <varlistentry>
375 <term><varname>PassEnvironment=</varname></term>
376
377 <listitem><para>Pass environment variables from the systemd system
378 manager to executed processes. Takes a space-separated list of variable
379 names. This option may be specified more than once, in which case all
380 listed variables will be set. If the empty string is assigned to this
381 option, the list of environment variables is reset, all prior
382 assignments have no effect. Variables that are not set in the system
383 manager will not be passed and will be silently ignored.</para>
384
385 <para>Variables passed from this setting are overridden by those passed
386 from <varname>Environment=</varname> or
387 <varname>EnvironmentFile=</varname>.</para>
388
389 <para>Example:
390 <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting>
391 passes three variables <literal>VAR1</literal>,
392 <literal>VAR2</literal>, <literal>VAR3</literal>
393 with the values set for those variables in PID1.</para>
394
395 <para>
396 See
397 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
398 for details about environment variables.</para></listitem>
399 </varlistentry>
400
798d3a52
ZJS		 401 <varlistentry>
402 <term><varname>StandardInput=</varname></term>
403 <listitem><para>Controls where file descriptor 0 (STDIN) of
404 the executed processes is connected to. Takes one of
405 <option>null</option>,
406 <option>tty</option>,
407 <option>tty-force</option>,
408 <option>tty-fail</option> or
409 <option>socket</option>.</para>
410
411 <para>If <option>null</option> is selected, standard input
412 will be connected to <filename>/dev/null</filename>, i.e. all
413 read attempts by the process will result in immediate
414 EOF.</para>
415
416 <para>If <option>tty</option> is selected, standard input is
417 connected to a TTY (as configured by
418 <varname>TTYPath=</varname>, see below) and the executed
419 process becomes the controlling process of the terminal. If
420 the terminal is already being controlled by another process,
421 the executed process waits until the current controlling
422 process releases the terminal.</para>
423
424 <para><option>tty-force</option> is similar to
425 <option>tty</option>, but the executed process is forcefully
426 and immediately made the controlling process of the terminal,
427 potentially removing previous controlling processes from the
428 terminal.</para>
429
430 <para><option>tty-fail</option> is similar to
431 <option>tty</option> but if the terminal already has a
432 controlling process start-up of the executed process
433 fails.</para>
434
435 <para>The <option>socket</option> option is only valid in
436 socket-activated services, and only when the socket
437 configuration file (see
438 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
439 for details) specifies a single socket only. If this option is
440 set, standard input will be connected to the socket the
441 service was activated from, which is primarily useful for
442 compatibility with daemons designed for use with the
443 traditional
b5c7d097 444 <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52
ZJS		 445 daemon.</para>
446
447 <para>This setting defaults to
448 <option>null</option>.</para></listitem>
449 </varlistentry>
c129bd5d 450
798d3a52
ZJS		 451 <varlistentry>
452 <term><varname>StandardOutput=</varname></term>
453 <listitem><para>Controls where file descriptor 1 (STDOUT) of
454 the executed processes is connected to. Takes one of
455 <option>inherit</option>,
456 <option>null</option>,
457 <option>tty</option>,
458 <option>journal</option>,
459 <option>syslog</option>,
460 <option>kmsg</option>,
461 <option>journal+console</option>,
462 <option>syslog+console</option>,
463 <option>kmsg+console</option> or
464 <option>socket</option>.</para>
465
466 <para><option>inherit</option> duplicates the file descriptor
467 of standard input for standard output.</para>
468
469 <para><option>null</option> connects standard output to
470 <filename>/dev/null</filename>, i.e. everything written to it
471 will be lost.</para>
472
473 <para><option>tty</option> connects standard output to a tty
474 (as configured via <varname>TTYPath=</varname>, see below). If
475 the TTY is used for output only, the executed process will not
476 become the controlling process of the terminal, and will not
477 fail or wait for other processes to release the
478 terminal.</para>
479
480 <para><option>journal</option> connects standard output with
481 the journal which is accessible via
482 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
483 Note that everything that is written to syslog or kmsg (see
484 below) is implicitly stored in the journal as well, the
485 specific two options listed below are hence supersets of this
486 one.</para>
487
488 <para><option>syslog</option> connects standard output to the
489 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
490 system syslog service, in addition to the journal. Note that
491 the journal daemon is usually configured to forward everything
492 it receives to syslog anyway, in which case this option is no
493 different from <option>journal</option>.</para>
494
495 <para><option>kmsg</option> connects standard output with the
496 kernel log buffer which is accessible via
497 <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
498 in addition to the journal. The journal daemon might be
499 configured to send all logs to kmsg anyway, in which case this
500 option is no different from <option>journal</option>.</para>
501
502 <para><option>journal+console</option>,
503 <option>syslog+console</option> and
504 <option>kmsg+console</option> work in a similar way as the
505 three options above but copy the output to the system console
506 as well.</para>
507
508 <para><option>socket</option> connects standard output to a
509 socket acquired via socket activation. The semantics are
510 similar to the same option of
511 <varname>StandardInput=</varname>.</para>
512
dfe85b38
LP		 513 <para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the
514 kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on
28c75e25
LP		 515 <filename>systemd-journald.socket</filename> (also see the automatic dependencies section above).</para>
516
798d3a52
ZJS		 517 <para>This setting defaults to the value set with
518 <option>DefaultStandardOutput=</option> in
519 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP		 520 which defaults to <option>journal</option>. Note that setting
521 this parameter might result in additional dependencies to be
522 added to the unit (see above).</para></listitem>
798d3a52 523 </varlistentry>
c129bd5d 524
798d3a52
ZJS		 525 <varlistentry>
526 <term><varname>StandardError=</varname></term>
527 <listitem><para>Controls where file descriptor 2 (STDERR) of
528 the executed processes is connected to. The available options
529 are identical to those of <varname>StandardOutput=</varname>,
530 with one exception: if set to <option>inherit</option> the
531 file descriptor used for standard output is duplicated for
532 standard error. This setting defaults to the value set with
533 <option>DefaultStandardError=</option> in
534 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP		 535 which defaults to <option>inherit</option>. Note that setting
536 this parameter might result in additional dependencies to be
537 added to the unit (see above).</para></listitem>
798d3a52 538 </varlistentry>
c129bd5d 539
798d3a52
ZJS		 540 <varlistentry>
541 <term><varname>TTYPath=</varname></term>
542 <listitem><para>Sets the terminal device node to use if
543 standard input, output, or error are connected to a TTY (see
544 above). Defaults to
545 <filename>/dev/console</filename>.</para></listitem>
546 </varlistentry>
547 <varlistentry>
548 <term><varname>TTYReset=</varname></term>
549 <listitem><para>Reset the terminal device specified with
550 <varname>TTYPath=</varname> before and after execution.
551 Defaults to <literal>no</literal>.</para></listitem>
552 </varlistentry>
553 <varlistentry>
554 <term><varname>TTYVHangup=</varname></term>
555 <listitem><para>Disconnect all clients which have opened the
556 terminal device specified with <varname>TTYPath=</varname>
557 before and after execution. Defaults to
558 <literal>no</literal>.</para></listitem>
559 </varlistentry>
560 <varlistentry>
561 <term><varname>TTYVTDisallocate=</varname></term>
562 <listitem><para>If the terminal device specified with
563 <varname>TTYPath=</varname> is a virtual console terminal, try
564 to deallocate the TTY before and after execution. This ensures
565 that the screen and scrollback buffer is cleared. Defaults to
566 <literal>no</literal>.</para></listitem>
567 </varlistentry>
568 <varlistentry>
569 <term><varname>SyslogIdentifier=</varname></term>
570 <listitem><para>Sets the process name to prefix log lines sent
571 to the logging system or the kernel log buffer with. If not
572 set, defaults to the process name of the executed process.
573 This option is only useful when
574 <varname>StandardOutput=</varname> or
575 <varname>StandardError=</varname> are set to
576 <option>syslog</option>, <option>journal</option> or
577 <option>kmsg</option> (or to the same settings in combination
578 with <option>+console</option>).</para></listitem>
579 </varlistentry>
580 <varlistentry>
581 <term><varname>SyslogFacility=</varname></term>
582 <listitem><para>Sets the syslog facility to use when logging
583 to syslog. One of <option>kern</option>,
584 <option>user</option>, <option>mail</option>,
585 <option>daemon</option>, <option>auth</option>,
586 <option>syslog</option>, <option>lpr</option>,
587 <option>news</option>, <option>uucp</option>,
588 <option>cron</option>, <option>authpriv</option>,
589 <option>ftp</option>, <option>local0</option>,
590 <option>local1</option>, <option>local2</option>,
591 <option>local3</option>, <option>local4</option>,
592 <option>local5</option>, <option>local6</option> or
593 <option>local7</option>. See
594 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
595 for details. This option is only useful when
596 <varname>StandardOutput=</varname> or
597 <varname>StandardError=</varname> are set to
598 <option>syslog</option>. Defaults to
599 <option>daemon</option>.</para></listitem>
600 </varlistentry>
601 <varlistentry>
602 <term><varname>SyslogLevel=</varname></term>
a8eaaee7 603 <listitem><para>The default syslog level to use when logging to
798d3a52
ZJS		 604 syslog or the kernel log buffer. One of
605 <option>emerg</option>,
606 <option>alert</option>,
607 <option>crit</option>,
608 <option>err</option>,
609 <option>warning</option>,
610 <option>notice</option>,
611 <option>info</option>,
612 <option>debug</option>. See
613 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
614 for details. This option is only useful when
615 <varname>StandardOutput=</varname> or
616 <varname>StandardError=</varname> are set to
617 <option>syslog</option> or <option>kmsg</option>. Note that
618 individual lines output by the daemon might be prefixed with a
619 different log level which can be used to override the default
620 log level specified here. The interpretation of these prefixes
621 may be disabled with <varname>SyslogLevelPrefix=</varname>,
b938cb90 622 see below. For details, see
798d3a52
ZJS		 623 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
624
625 Defaults to
626 <option>info</option>.</para></listitem>
627 </varlistentry>
628
629 <varlistentry>
630 <term><varname>SyslogLevelPrefix=</varname></term>
631 <listitem><para>Takes a boolean argument. If true and
632 <varname>StandardOutput=</varname> or
633 <varname>StandardError=</varname> are set to
634 <option>syslog</option>, <option>kmsg</option> or
635 <option>journal</option>, log lines written by the executed
636 process that are prefixed with a log level will be passed on
637 to syslog with this log level set but the prefix removed. If
638 set to false, the interpretation of these prefixes is disabled
639 and the logged lines are passed on as-is. For details about
640 this prefixing see
641 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
642 Defaults to true.</para></listitem>
643 </varlistentry>
644
645 <varlistentry>
646 <term><varname>TimerSlackNSec=</varname></term>
647 <listitem><para>Sets the timer slack in nanoseconds for the
648 executed processes. The timer slack controls the accuracy of
649 wake-ups triggered by timers. See
650 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
651 for more information. Note that in contrast to most other time
652 span definitions this parameter takes an integer value in
653 nano-seconds if no unit is specified. The usual time units are
654 understood too.</para></listitem>
655 </varlistentry>
656
657 <varlistentry>
658 <term><varname>LimitCPU=</varname></term>
659 <term><varname>LimitFSIZE=</varname></term>
660 <term><varname>LimitDATA=</varname></term>
661 <term><varname>LimitSTACK=</varname></term>
662 <term><varname>LimitCORE=</varname></term>
663 <term><varname>LimitRSS=</varname></term>
664 <term><varname>LimitNOFILE=</varname></term>
665 <term><varname>LimitAS=</varname></term>
666 <term><varname>LimitNPROC=</varname></term>
667 <term><varname>LimitMEMLOCK=</varname></term>
668 <term><varname>LimitLOCKS=</varname></term>
669 <term><varname>LimitSIGPENDING=</varname></term>
670 <term><varname>LimitMSGQUEUE=</varname></term>
671 <term><varname>LimitNICE=</varname></term>
672 <term><varname>LimitRTPRIO=</varname></term>
673 <term><varname>LimitRTTIME=</varname></term>
29857001
LP		 674 <listitem><para>Set soft and hard limits on various resources for executed processes. See
675 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details on
676 the resource limit concept. Resource limits may be specified in two formats: either as single value to set a
677 specific soft and hard limit to the same value, or as colon-separated pair <option>soft:hard</option> to set
678 both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <varname>infinity</varname>
679 to configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base
680 1024) may be used for resource limits measured in bytes (e.g. LimitAS=16G). For the limits referring to time
681 values, the usual time units ms, s, min, h and so on may be used (see
682 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
683 details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of seconds
684 is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is implied. Also, note
685 that the effective granularity of the limits might influence their enforcement. For example, time limits
686 specified for <varname>LimitCPU=</varname> will be rounded up implicitly to multiples of 1s. For
687 <varname>LimitNICE=</varname> the value may be specified in two syntaxes: if prefixed with <literal>+</literal>
688 or <literal>-</literal>, the value is understood as regular Linux nice value in the range -20..19. If not
689 prefixed like this the value is understood as raw resource limit parameter in the range 0..40 (with 0 being
690 equivalent to 1).</para>
a4c18002
LP		 691
692 <para>Note that most process resource limits configured with
693 these options are per-process, and processes may fork in order
694 to acquire a new set of resources that are accounted
695 independently of the original process, and may thus escape
696 limits set. Also note that <varname>LimitRSS=</varname> is not
697 implemented on Linux, and setting it has no effect. Often it
698 is advisable to prefer the resource controls listed in
699 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
700 over these per-process limits, as they apply to services as a
701 whole, may be altered dynamically at runtime, and are
702 generally more expressive. For example,
703 <varname>MemoryLimit=</varname> is a more powerful (and
704 working) replacement for <varname>LimitRSS=</varname>.</para>
798d3a52
ZJS		 705
706 <table>
707 <title>Limit directives and their equivalent with ulimit</title>
708
a4c18002 709 <tgroup cols='3'>
798d3a52
ZJS		 710 <colspec colname='directive' />
711 <colspec colname='equivalent' />
a4c18002 712 <colspec colname='unit' />
798d3a52
ZJS		 713 <thead>
714 <row>
715 <entry>Directive</entry>
716 <entry>ulimit equivalent</entry>
a4c18002 717 <entry>Unit</entry>
798d3a52
ZJS		 718 </row>
719 </thead>
720 <tbody>
721 <row>
a4c18002 722 <entry>LimitCPU=</entry>
798d3a52 723 <entry>ulimit -t</entry>
a4c18002 724 <entry>Seconds</entry>
798d3a52
ZJS		 725 </row>
726 <row>
a4c18002 727 <entry>LimitFSIZE=</entry>
798d3a52 728 <entry>ulimit -f</entry>
a4c18002 729 <entry>Bytes</entry>
798d3a52
ZJS		 730 </row>
731 <row>
a4c18002 732 <entry>LimitDATA=</entry>
798d3a52 733 <entry>ulimit -d</entry>
a4c18002 734 <entry>Bytes</entry>
798d3a52
ZJS		 735 </row>
736 <row>
a4c18002 737 <entry>LimitSTACK=</entry>
798d3a52 738 <entry>ulimit -s</entry>
a4c18002 739 <entry>Bytes</entry>
798d3a52
ZJS		 740 </row>
741 <row>
a4c18002 742 <entry>LimitCORE=</entry>
798d3a52 743 <entry>ulimit -c</entry>
a4c18002 744 <entry>Bytes</entry>
798d3a52
ZJS		 745 </row>
746 <row>
a4c18002 747 <entry>LimitRSS=</entry>
798d3a52 748 <entry>ulimit -m</entry>
a4c18002 749 <entry>Bytes</entry>
798d3a52
ZJS		 750 </row>
751 <row>
a4c18002 752 <entry>LimitNOFILE=</entry>
798d3a52 753 <entry>ulimit -n</entry>
a4c18002 754 <entry>Number of File Descriptors</entry>
798d3a52
ZJS		 755 </row>
756 <row>
a4c18002 757 <entry>LimitAS=</entry>
798d3a52 758 <entry>ulimit -v</entry>
a4c18002 759 <entry>Bytes</entry>
798d3a52
ZJS		 760 </row>
761 <row>
a4c18002 762 <entry>LimitNPROC=</entry>
798d3a52 763 <entry>ulimit -u</entry>
a4c18002 764 <entry>Number of Processes</entry>
798d3a52
ZJS		 765 </row>
766 <row>
a4c18002 767 <entry>LimitMEMLOCK=</entry>
798d3a52 768 <entry>ulimit -l</entry>
a4c18002 769 <entry>Bytes</entry>
798d3a52
ZJS		 770 </row>
771 <row>
a4c18002 772 <entry>LimitLOCKS=</entry>
798d3a52 773 <entry>ulimit -x</entry>
a4c18002 774 <entry>Number of Locks</entry>
798d3a52
ZJS		 775 </row>
776 <row>
a4c18002 777 <entry>LimitSIGPENDING=</entry>
798d3a52 778 <entry>ulimit -i</entry>
a4c18002 779 <entry>Number of Queued Signals</entry>
798d3a52
ZJS		 780 </row>
781 <row>
a4c18002 782 <entry>LimitMSGQUEUE=</entry>
798d3a52 783 <entry>ulimit -q</entry>
a4c18002 784 <entry>Bytes</entry>
798d3a52
ZJS		 785 </row>
786 <row>
a4c18002 787 <entry>LimitNICE=</entry>
798d3a52 788 <entry>ulimit -e</entry>
a4c18002 789 <entry>Nice Level</entry>
798d3a52
ZJS		 790 </row>
791 <row>
a4c18002 792 <entry>LimitRTPRIO=</entry>
798d3a52 793 <entry>ulimit -r</entry>
a4c18002 794 <entry>Realtime Priority</entry>
798d3a52
ZJS		 795 </row>
796 <row>
a4c18002 797 <entry>LimitRTTIME=</entry>
798d3a52 798 <entry>No equivalent</entry>
a4c18002 799 <entry>Microseconds</entry>
798d3a52
ZJS		 800 </row>
801 </tbody>
802 </tgroup>
a4c18002 803 </table></listitem>
798d3a52
ZJS		 804 </varlistentry>
805
806 <varlistentry>
807 <term><varname>PAMName=</varname></term>
808 <listitem><para>Sets the PAM service name to set up a session
809 as. If set, the executed process will be registered as a PAM
810 session under the specified service name. This is only useful
811 in conjunction with the <varname>User=</varname> setting. If
812 not set, no PAM session will be opened for the executed
813 processes. See
814 <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
815 for details.</para></listitem>
816 </varlistentry>
817
818 <varlistentry>
819 <term><varname>CapabilityBoundingSet=</varname></term>
820
479050b3
LP		 821 <listitem><para>Controls which capabilities to include in the capability bounding set for the executed
822 process. See <citerefentry
823 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
824 details. Takes a whitespace-separated list of capability names as read by <citerefentry
825 project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
826 e.g. <constant>CAP_SYS_ADMIN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
827 <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be included in the bounding set, all others are
828 removed. If the list of capabilities is prefixed with <literal>~</literal>, all but the listed capabilities
829 will be included, the effect of the assignment inverted. Note that this option also affects the respective
830 capabilities in the effective, permitted and inheritable capability sets. If this option is not used, the
831 capability bounding set is not modified on process execution, hence no limits on the capabilities of the
832 process are enforced. This option may appear more than once, in which case the bounding sets are merged. If the
833 empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior
834 settings have no effect. If set to <literal>~</literal> (without any further argument), the bounding set is
cf677fe6 835 reset to the full set of available capabilities, also undoing any previous settings. This does not affect
43eb109a 836 commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 837 </varlistentry>
838
ece87975
IP		 839 <varlistentry>
840 <term><varname>AmbientCapabilities=</varname></term>
841
842 <listitem><para>Controls which capabilities to include in the
843 ambient capability set for the executed process. Takes a
844 whitespace-separated list of capability names as read by
845 <citerefentry project='mankier'><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
846 e.g. <constant>CAP_SYS_ADMIN</constant>,
847 <constant>CAP_DAC_OVERRIDE</constant>,
848 <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
849 once in which case the ambient capability sets are merged.
850 If the list of capabilities is prefixed with <literal>~</literal>, all
851 but the listed capabilities will be included, the effect of the
852 assignment inverted. If the empty string is
853 assigned to this option, the ambient capability set is reset to
854 the empty capability set, and all prior settings have no effect.
855 If set to <literal>~</literal> (without any further argument), the
856 ambient capability set is reset to the full set of available
857 capabilities, also undoing any previous settings. Note that adding
858 capabilities to ambient capability set adds them to the process's
859 inherited capability set.
860 </para><para>
861 Ambient capability sets are useful if you want to execute a process
862 as a non-privileged user but still want to give it some capabilities.
863 Note that in this case option <constant>keep-caps</constant> is
864 automatically added to <varname>SecureBits=</varname> to retain the
cf677fe6 865 capabilities over the user change. <varname>AmbientCapabilities=</varname> does not affect
43eb109a 866 commands prefixed with <literal>+</literal>.</para></listitem>
ece87975
IP		 867 </varlistentry>
868
798d3a52
ZJS		 869 <varlistentry>
870 <term><varname>SecureBits=</varname></term>
871 <listitem><para>Controls the secure bits set for the executed
872 process. Takes a space-separated combination of options from
873 the following list:
874 <option>keep-caps</option>,
875 <option>keep-caps-locked</option>,
876 <option>no-setuid-fixup</option>,
877 <option>no-setuid-fixup-locked</option>,
878 <option>noroot</option>, and
879 <option>noroot-locked</option>.
b938cb90 880 This option may appear more than once, in which case the secure
798d3a52 881 bits are ORed. If the empty string is assigned to this option,
43eb109a 882 the bits are reset to 0. This does not affect commands prefixed with <literal>+</literal>.
cf677fe6 883 See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 884 for details.</para></listitem>
885 </varlistentry>
886
798d3a52 887 <varlistentry>
2a624c36
AP		 888 <term><varname>ReadWritePaths=</varname></term>
889 <term><varname>ReadOnlyPaths=</varname></term>
890 <term><varname>InaccessiblePaths=</varname></term>
798d3a52
ZJS		 891
892 <listitem><para>Sets up a new file system namespace for
893 executed processes. These options may be used to limit access
894 a process might have to the main file system hierarchy. Each
c4b41707 895 setting takes a space-separated list of paths relative to
043cc715 896 the host's root directory (i.e. the system running the service manager).
c4b41707 897 Note that if entries contain symlinks, they are resolved from the host's root directory as well.
2a624c36
AP		 898 Entries (files or directories) listed in
899 <varname>ReadWritePaths=</varname> are accessible from
798d3a52 900 within the namespace with the same access rights as from
c4b41707 901 outside. Entries listed in
2a624c36 902 <varname>ReadOnlyPaths=</varname> are accessible for
798d3a52 903 reading only, writing will be refused even if the usual file
c4b41707 904 access controls would permit this. Entries listed in
2a624c36 905 <varname>InaccessiblePaths=</varname> will be made
b50a16af
NBS		 906 inaccessible for processes inside the namespace, and may not
907 countain any other mountpoints, including those specified by
2a624c36
AP		 908 <varname>ReadWritePaths=</varname> or
909 <varname>ReadOnlyPaths=</varname>.
b50a16af 910 Note that restricting access with these options does not extend
c4b41707
AP		 911 to submounts of a directory that are created later on.
912 Non-directory paths can be specified as well. These
b938cb90 913 options may be specified more than once, in which case all
c4b41707 914 paths listed will have limited access from within the
798d3a52
ZJS		 915 namespace. If the empty string is assigned to this option, the
916 specific list is reset, and all prior assignments have no
917 effect.</para>
918 <para>Paths in
2a624c36 919 <varname>ReadOnlyPaths=</varname>
798d3a52 920 and
2a624c36 921 <varname>InaccessiblePaths=</varname>
798d3a52
ZJS		 922 may be prefixed with
923 <literal>-</literal>, in which case
924 they will be ignored when they do not
925 exist. Note that using this
926 setting will disconnect propagation of
927 mounts from the service to the host
928 (propagation in the opposite direction
929 continues to work). This means that
930 this setting may not be used for
931 services which shall be able to
932 install mount points in the main mount
933 namespace.</para></listitem>
934 </varlistentry>
935
936 <varlistentry>
937 <term><varname>PrivateTmp=</varname></term>
938
00d9ef85
LP		 939 <listitem><para>Takes a boolean argument. If true, sets up a new file system namespace for the executed
940 processes and mounts private <filename>/tmp</filename> and <filename>/var/tmp</filename> directories inside it
941 that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of
942 the process, but makes sharing between processes via <filename>/tmp</filename> or <filename>/var/tmp</filename>
943 impossible. If this is enabled, all temporary files created by a service in these directories will be removed
944 after the service is stopped. Defaults to false. It is possible to run two or more units within the same
945 private <filename>/tmp</filename> and <filename>/var/tmp</filename> namespace by using the
798d3a52 946 <varname>JoinsNamespaceOf=</varname> directive, see
00d9ef85
LP		 947 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
948 details. Note that using this setting will disconnect propagation of mounts from the service to the host
949 (propagation in the opposite direction continues to work). This means that this setting may not be used for
950 services which shall be able to install mount points in the main mount namespace. This setting is implied if
951 <varname>DynamicUser=</varname> is set.</para></listitem>
798d3a52
ZJS		 952 </varlistentry>
953
954 <varlistentry>
955 <term><varname>PrivateDevices=</varname></term>
956
957 <listitem><para>Takes a boolean argument. If true, sets up a
958 new /dev namespace for the executed processes and only adds
959 API pseudo devices such as <filename>/dev/null</filename>,
960 <filename>/dev/zero</filename> or
961 <filename>/dev/random</filename> (as well as the pseudo TTY
962 subsystem) to it, but no physical devices such as
963 <filename>/dev/sda</filename>. This is useful to securely turn
964 off physical device access by the executed process. Defaults
965 to false. Enabling this option will also remove
966 <constant>CAP_MKNOD</constant> from the capability bounding
967 set for the unit (see above), and set
968 <varname>DevicePolicy=closed</varname> (see
969 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
970 for details). Note that using this setting will disconnect
971 propagation of mounts from the service to the host
972 (propagation in the opposite direction continues to work).
973 This means that this setting may not be used for services
974 which shall be able to install mount points in the main mount
737ba3c8 975 namespace. The /dev namespace will be mounted read-only and 'noexec'.
976 The latter may break old programs which try to set up executable
977 memory by using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
978 of <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>.</para></listitem>
798d3a52
ZJS		 979 </varlistentry>
980
981 <varlistentry>
982 <term><varname>PrivateNetwork=</varname></term>
983
984 <listitem><para>Takes a boolean argument. If true, sets up a
985 new network namespace for the executed processes and
986 configures only the loopback network device
987 <literal>lo</literal> inside it. No other network devices will
988 be available to the executed process. This is useful to
989 securely turn off network access by the executed process.
990 Defaults to false. It is possible to run two or more units
991 within the same private network namespace by using the
992 <varname>JoinsNamespaceOf=</varname> directive, see
993 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
994 for details. Note that this option will disconnect all socket
995 families from the host, this includes AF_NETLINK and AF_UNIX.
996 The latter has the effect that AF_UNIX sockets in the abstract
997 socket namespace will become unavailable to the processes
998 (however, those located in the file system will continue to be
999 accessible).</para></listitem>
1000 </varlistentry>
1001
1002 <varlistentry>
d251207d
LP		 1003 <term><varname>PrivateUsers=</varname></term>
1004
1005 <listitem><para>Takes a boolean argument. If true, sets up a new user namespace for the executed processes and
1006 configures a minimal user and group mapping, that maps the <literal>root</literal> user and group as well as
1007 the unit's own user and group to themselves and everything else to the <literal>nobody</literal> user and
1008 group. This is useful to securely detach the user and group databases used by the unit from the rest of the
1009 system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and
1010 other resources owned by users/groups not equalling <literal>root</literal> or the unit's own will stay visible
1011 from within the unit but appear owned by the <literal>nobody</literal> user and group. If this mode is enabled,
1012 all unit processes are run without privileges in the host user namespace (regardless if the unit's own
1013 user/group is <literal>root</literal> or not). Specifically this means that the process will have zero process
1014 capabilities on the host's user namespace, but full capabilities within the service's user namespace. Settings
1015 such as <varname>CapabilityBoundingSet=</varname> will affect only the latter, and there's no way to acquire
1016 additional capabilities in the host's user namespace. Defaults to off.</para>
1017
1018 <para>This setting is particularly useful in conjunction with <varname>RootDirectory=</varname>, as the need to
1019 synchronize the user and group databases in the root directory and on the host is reduced, as the only users
1020 and groups who need to be matched are <literal>root</literal>, <literal>nobody</literal> and the unit's own
1021 user and group.</para></listitem>
1022 </varlistentry>
1023
798d3a52
ZJS		 1024 <varlistentry>
1025 <term><varname>ProtectSystem=</varname></term>
1026
3f815163
LP		 1027 <listitem><para>Takes a boolean argument or the special values <literal>full</literal> or
1028 <literal>strict</literal>. If true, mounts the <filename>/usr</filename> and <filename>/boot</filename>
1029 directories read-only for processes invoked by this unit. If set to <literal>full</literal>, the
1030 <filename>/etc</filename> directory is mounted read-only, too. If set to <literal>strict</literal> the entire
1031 file system hierarchy is mounted read-only, except for the API file system subtrees <filename>/dev</filename>,
1032 <filename>/proc</filename> and <filename>/sys</filename> (protect these directories using
1033 <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
1034 <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied
1035 operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is
1036 recommended to enable this setting for all long-running services, unless they are involved with system updates
1037 or need to modify the operating system in other ways. If this option is used,
1038 <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. Note
1039 that processes retaining the <constant>CAP_SYS_ADMIN</constant> capability (and with no system call filter that
1040 prohibits mount-related system calls applied) can undo the effect of this setting. This setting is hence
1041 particularly useful for daemons which have this either the <literal>@mount</literal> set filtered using
1042 <varname>SystemCallFilter=</varname>, or have the <constant>CAP_SYS_ADMIN</constant> capability removed, for
1043 example with <varname>CapabilityBoundingSet=</varname>. Defaults to off.</para></listitem>
798d3a52
ZJS		 1044 </varlistentry>
1045
1046 <varlistentry>
1047 <term><varname>ProtectHome=</varname></term>
1048
1049 <listitem><para>Takes a boolean argument or
1050 <literal>read-only</literal>. If true, the directories
58331437
CH		 1051 <filename>/home</filename>, <filename>/root</filename> and
1052 <filename>/run/user</filename>
798d3a52 1053 are made inaccessible and empty for processes invoked by this
58331437 1054 unit. If set to <literal>read-only</literal>, the three
798d3a52
ZJS		 1055 directories are made read-only instead. It is recommended to
1056 enable this setting for all long-running services (in
1057 particular network-facing ones), to ensure they cannot get
1058 access to private user data, unless the services actually
1059 require access to the user's private data. Note however that
1060 processes retaining the CAP_SYS_ADMIN capability can undo the
1061 effect of this setting. This setting is hence particularly
1062 useful for daemons which have this capability removed, for
1063 example with <varname>CapabilityBoundingSet=</varname>.
1064 Defaults to off.</para></listitem>
59eeb84b
LP		 1065 </varlistentry>
1066
1067 <varlistentry>
1068 <term><varname>ProtectKernelTunables=</varname></term>
1069
1070 <listitem><para>Takes a boolean argument. If true, kernel variables accessible through
1071 <filename>/proc/sys</filename> and <filename>/sys</filename> will be made read-only to all processes of the
1072 unit. Usually, tunable kernel variables should only be written at boot-time, with the
1073 <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> mechanism. Almost
1074 no services need to write to these at runtime; it is hence recommended to turn this on for most
1075 services. Defaults to off.</para></listitem>
1076 </varlistentry>
1077
1078 <varlistentry>
1079 <term><varname>ProtectControlGroups=</varname></term>
1080
1081 <listitem><para>Takes a boolean argument. If true, the Linux Control Groups ("cgroups") hierarchies accessible
1082 through <filename>/sys/fs/cgroup</filename> will be made read-only to all processes of the unit. Except for
1083 container managers no services should require write access to the control groups hierarchies; it is hence
1084 recommended to turn this on for most services. Defaults to off.</para></listitem>
798d3a52
ZJS		 1085 </varlistentry>
1086
1087 <varlistentry>
1088 <term><varname>MountFlags=</varname></term>
1089
1090 <listitem><para>Takes a mount propagation flag:
1091 <option>shared</option>, <option>slave</option> or
1092 <option>private</option>, which control whether mounts in the
1093 file system namespace set up for this unit's processes will
1094 receive or propagate mounts or unmounts. See
3ba3a79d 1095 <citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS		 1096 for details. Defaults to <option>shared</option>. Use
1097 <option>shared</option> to ensure that mounts and unmounts are
1098 propagated from the host to the container and vice versa. Use
1099 <option>slave</option> to run processes so that none of their
1100 mounts and unmounts will propagate to the host. Use
1101 <option>private</option> to also ensure that no mounts and
1102 unmounts from the host will propagate into the unit processes'
1103 namespace. Note that <option>slave</option> means that file
1104 systems mounted on the host might stay mounted continuously in
1105 the unit's namespace, and thus keep the device busy. Note that
1106 the file system namespace related options
1107 (<varname>PrivateTmp=</varname>,
1108 <varname>PrivateDevices=</varname>,
1109 <varname>ProtectSystem=</varname>,
1110 <varname>ProtectHome=</varname>,
2a624c36
AP		 1111 <varname>ReadOnlyPaths=</varname>,
1112 <varname>InaccessiblePaths=</varname> and
1113 <varname>ReadWritePaths=</varname>) require that mount
798d3a52
ZJS		 1114 and unmount propagation from the unit's file system namespace
1115 is disabled, and hence downgrade <option>shared</option> to
1116 <option>slave</option>. </para></listitem>
1117 </varlistentry>
1118
1119 <varlistentry>
1120 <term><varname>UtmpIdentifier=</varname></term>
1121
1122 <listitem><para>Takes a four character identifier string for
023a4f67
LP		 1123 an <citerefentry
1124 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1125 and wtmp entry for this service. This should only be
1126 set for services such as <command>getty</command>
1127 implementations (such as <citerefentry
1128 project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
798d3a52 1129 where utmp/wtmp entries must be created and cleared before and
023a4f67
LP		 1130 after execution, or for services that shall be executed as if
1131 they were run by a <command>getty</command> process (see
1132 below). If the configured string is longer than four
798d3a52
ZJS		 1133 characters, it is truncated and the terminal four characters
1134 are used. This setting interprets %I style string
1135 replacements. This setting is unset by default, i.e. no
1136 utmp/wtmp entries are created or cleaned up for this
1137 service.</para></listitem>
1138 </varlistentry>
1139
023a4f67
LP		 1140 <varlistentry>
1141 <term><varname>UtmpMode=</varname></term>
1142
1143 <listitem><para>Takes one of <literal>init</literal>,
1144 <literal>login</literal> or <literal>user</literal>. If
1145 <varname>UtmpIdentifier=</varname> is set, controls which
1146 type of <citerefentry
1147 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp
1148 entries for this service are generated. This setting has no
1149 effect unless <varname>UtmpIdentifier=</varname> is set
1150 too. If <literal>init</literal> is set, only an
1151 <constant>INIT_PROCESS</constant> entry is generated and the
6cd16034
LP		 1152 invoked process must implement a
1153 <command>getty</command>-compatible utmp/wtmp logic. If
1154 <literal>login</literal> is set, first an
a8eaaee7 1155 <constant>INIT_PROCESS</constant> entry, followed by a
6cd16034 1156 <constant>LOGIN_PROCESS</constant> entry is generated. In
b938cb90 1157 this case, the invoked process must implement a <citerefentry
023a4f67
LP		 1158 project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
1159 utmp/wtmp logic. If <literal>user</literal> is set, first an
1160 <constant>INIT_PROCESS</constant> entry, then a
a8eaaee7 1161 <constant>LOGIN_PROCESS</constant> entry and finally a
023a4f67 1162 <constant>USER_PROCESS</constant> entry is generated. In this
b938cb90 1163 case, the invoked process may be any process that is suitable
023a4f67
LP		 1164 to be run as session leader. Defaults to
1165 <literal>init</literal>.</para></listitem>
1166 </varlistentry>
1167
798d3a52
ZJS		 1168 <varlistentry>
1169 <term><varname>SELinuxContext=</varname></term>
1170
1171 <listitem><para>Set the SELinux security context of the
1172 executed process. If set, this will override the automated
1173 domain transition. However, the policy still needs to
1174 authorize the transition. This directive is ignored if SELinux
1175 is disabled. If prefixed by <literal>-</literal>, all errors
43eb109a 1176 will be ignored. This does not affect commands prefixed with <literal>+</literal>.
cf677fe6 1177 See <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52
ZJS		 1178 for details.</para></listitem>
1179 </varlistentry>
1180
1181 <varlistentry>
1182 <term><varname>AppArmorProfile=</varname></term>
1183
1184 <listitem><para>Takes a profile name as argument. The process
1185 executed by the unit will switch to this profile when started.
1186 Profiles must already be loaded in the kernel, or the unit
1187 will fail. This result in a non operation if AppArmor is not
1188 enabled. If prefixed by <literal>-</literal>, all errors will
43eb109a 1189 be ignored. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 1190 </varlistentry>
1191
1192 <varlistentry>
1193 <term><varname>SmackProcessLabel=</varname></term>
1194
1195 <listitem><para>Takes a <option>SMACK64</option> security
1196 label as argument. The process executed by the unit will be
1197 started under this label and SMACK will decide whether the
b938cb90 1198 process is allowed to run or not, based on it. The process
798d3a52
ZJS		 1199 will continue to run under the label specified here unless the
1200 executable has its own <option>SMACK64EXEC</option> label, in
1201 which case the process will transition to run under that
1202 label. When not specified, the label that systemd is running
1203 under is used. This directive is ignored if SMACK is
1204 disabled.</para>
1205
1206 <para>The value may be prefixed by <literal>-</literal>, in
1207 which case all errors will be ignored. An empty value may be
cf677fe6 1208 specified to unset previous assignments. This does not affect
43eb109a 1209 commands prefixed with <literal>+</literal>.</para>
798d3a52
ZJS		 1210 </listitem>
1211 </varlistentry>
1212
1213 <varlistentry>
1214 <term><varname>IgnoreSIGPIPE=</varname></term>
1215
1216 <listitem><para>Takes a boolean argument. If true, causes
1217 <constant>SIGPIPE</constant> to be ignored in the executed
1218 process. Defaults to true because <constant>SIGPIPE</constant>
1219 generally is useful only in shell pipelines.</para></listitem>
1220 </varlistentry>
1221
1222 <varlistentry>
1223 <term><varname>NoNewPrivileges=</varname></term>
1224
1225 <listitem><para>Takes a boolean argument. If true, ensures
1226 that the service process and all its children can never gain
1227 new privileges. This option is more powerful than the
1228 respective secure bits flags (see above), as it also prohibits
1229 UID changes of any kind. This is the simplest, most effective
1230 way to ensure that a process and its children can never
1231 elevate privileges again.</para></listitem>
1232 </varlistentry>
1233
1234 <varlistentry>
1235 <term><varname>SystemCallFilter=</varname></term>
1236
1237 <listitem><para>Takes a space-separated list of system call
1238 names. If this setting is used, all system calls executed by
1239 the unit processes except for the listed ones will result in
1240 immediate process termination with the
1241 <constant>SIGSYS</constant> signal (whitelisting). If the
1242 first character of the list is <literal>~</literal>, the
1243 effect is inverted: only the listed system calls will result
1244 in immediate process termination (blacklisting). If running in
19c0b0b9 1245 user mode, or in system mode, but without the
008dce38 1246 <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
19c0b0b9 1247 <varname>User=nobody</varname>),
798d3a52
ZJS		 1248 <varname>NoNewPrivileges=yes</varname> is implied. This
1249 feature makes use of the Secure Computing Mode 2 interfaces of
1250 the kernel ('seccomp filtering') and is useful for enforcing a
1251 minimal sandboxing environment. Note that the
1252 <function>execve</function>,
1253 <function>rt_sigreturn</function>,
1254 <function>sigreturn</function>,
1255 <function>exit_group</function>, <function>exit</function>
1256 system calls are implicitly whitelisted and do not need to be
b938cb90 1257 listed explicitly. This option may be specified more than once,
798d3a52
ZJS		 1258 in which case the filter masks are merged. If the empty string
1259 is assigned, the filter is reset, all prior assignments will
43eb109a 1260 have no effect. This does not affect commands prefixed with <literal>+</literal>.</para>
798d3a52
ZJS		 1261
1262 <para>If you specify both types of this option (i.e.
1263 whitelisting and blacklisting), the first encountered will
1264 take precedence and will dictate the default action
1265 (termination or approval of a system call). Then the next
1266 occurrences of this option will add or delete the listed
1267 system calls from the set of the filtered system calls,
1268 depending of its type and the default action. (For example, if
1269 you have started with a whitelisting of
1270 <function>read</function> and <function>write</function>, and
1271 right after it add a blacklisting of
1272 <function>write</function>, then <function>write</function>
201c1cc2
TM		 1273 will be removed from the set.)</para>
1274
1275 <para>As the number of possible system
1276 calls is large, predefined sets of system calls are provided.
1277 A set starts with <literal>@</literal> character, followed by
1278 name of the set.
1279
1280 <table>
1281 <title>Currently predefined system call sets</title>
1282
1283 <tgroup cols='2'>
1284 <colspec colname='set' />
1285 <colspec colname='description' />
1286 <thead>
1287 <row>
1288 <entry>Set</entry>
1289 <entry>Description</entry>
1290 </row>
1291 </thead>
1292 <tbody>
1293 <row>
1294 <entry>@clock</entry>
1f9ac68b
LP		 1295 <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
1296 </row>
1297 <row>
1298 <entry>@cpu-emulation</entry>
1299 <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
1300 </row>
1301 <row>
1302 <entry>@debug</entry>
1303 <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1304 </row>
1305 <row>
1306 <entry>@io-event</entry>
1f9ac68b 1307 <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1308 </row>
1309 <row>
1310 <entry>@ipc</entry>
1f9ac68b
LP		 1311 <entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
1312 </row>
1313 <row>
1314 <entry>@keyring</entry>
1315 <entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1316 </row>
1317 <row>
1318 <entry>@module</entry>
1f9ac68b 1319 <entry>Kernel module control (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1320 </row>
1321 <row>
1322 <entry>@mount</entry>
1f9ac68b 1323 <entry>File system mounting and unmounting (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
201c1cc2
TM		 1324 </row>
1325 <row>
1326 <entry>@network-io</entry>
1f9ac68b 1327 <entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
201c1cc2
TM		 1328 </row>
1329 <row>
1330 <entry>@obsolete</entry>
1f9ac68b 1331 <entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
201c1cc2
TM		 1332 </row>
1333 <row>
1334 <entry>@privileged</entry>
1f9ac68b 1335 <entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
201c1cc2
TM		 1336 </row>
1337 <row>
1338 <entry>@process</entry>
1f9ac68b 1339 <entry>Process control, execution, namespaces (<citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry>
201c1cc2
TM		 1340 </row>
1341 <row>
1342 <entry>@raw-io</entry>
1f9ac68b 1343 <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …</entry>
201c1cc2
TM		 1344 </row>
1345 </tbody>
1346 </tgroup>
1347 </table>
1348
1349 Note, that as new system calls are added to the kernel, additional system calls might be added to the groups
1350 above, so the contents of the sets may change between systemd versions.</para></listitem>
798d3a52
ZJS		 1351 </varlistentry>
1352
1353 <varlistentry>
1354 <term><varname>SystemCallErrorNumber=</varname></term>
1355
1356 <listitem><para>Takes an <literal>errno</literal> error number
1357 name to return when the system call filter configured with
1358 <varname>SystemCallFilter=</varname> is triggered, instead of
1359 terminating the process immediately. Takes an error name such
1360 as <constant>EPERM</constant>, <constant>EACCES</constant> or
1361 <constant>EUCLEAN</constant>. When this setting is not used,
1362 or when the empty string is assigned, the process will be
1363 terminated immediately when the filter is
1364 triggered.</para></listitem>
1365 </varlistentry>
1366
1367 <varlistentry>
1368 <term><varname>SystemCallArchitectures=</varname></term>
1369
b938cb90 1370 <listitem><para>Takes a space-separated list of architecture
798d3a52
ZJS		 1371 identifiers to include in the system call filter. The known
1372 architecture identifiers are <constant>x86</constant>,
1373 <constant>x86-64</constant>, <constant>x32</constant>,
1374 <constant>arm</constant> as well as the special identifier
1375 <constant>native</constant>. Only system calls of the
1376 specified architectures will be permitted to processes of this
1377 unit. This is an effective way to disable compatibility with
1378 non-native architectures for processes, for example to
1379 prohibit execution of 32-bit x86 binaries on 64-bit x86-64
1380 systems. The special <constant>native</constant> identifier
1381 implicitly maps to the native architecture of the system (or
1382 more strictly: to the architecture the system manager is
19c0b0b9
RC		 1383 compiled for). If running in user mode, or in system mode,
1384 but without the <constant>CAP_SYS_ADMIN</constant>
008dce38 1385 capability (e.g. setting <varname>User=nobody</varname>),
19c0b0b9 1386 <varname>NoNewPrivileges=yes</varname> is implied. Note
798d3a52
ZJS		 1387 that setting this option to a non-empty list implies that
1388 <constant>native</constant> is included too. By default, this
1389 option is set to the empty list, i.e. no architecture system
1390 call filtering is applied.</para></listitem>
1391 </varlistentry>
1392
1393 <varlistentry>
1394 <term><varname>RestrictAddressFamilies=</varname></term>
1395
1396 <listitem><para>Restricts the set of socket address families
1397 accessible to the processes of this unit. Takes a
1398 space-separated list of address family names to whitelist,
1399 such as
1400 <constant>AF_UNIX</constant>,
1401 <constant>AF_INET</constant> or
1402 <constant>AF_INET6</constant>. When
1403 prefixed with <constant>~</constant> the listed address
1404 families will be applied as blacklist, otherwise as whitelist.
1405 Note that this restricts access to the
3ba3a79d 1406 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
798d3a52
ZJS		 1407 system call only. Sockets passed into the process by other
1408 means (for example, by using socket activation with socket
1409 units, see
1410 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1411 are unaffected. Also, sockets created with
1412 <function>socketpair()</function> (which creates connected
1413 AF_UNIX sockets only) are unaffected. Note that this option
1414 has no effect on 32-bit x86 and is ignored (but works
19c0b0b9
RC		 1415 correctly on x86-64). If running in user mode, or in system
1416 mode, but without the <constant>CAP_SYS_ADMIN</constant>
008dce38 1417 capability (e.g. setting <varname>User=nobody</varname>),
19c0b0b9 1418 <varname>NoNewPrivileges=yes</varname> is implied. By
798d3a52
ZJS		 1419 default, no restriction applies, all address families are
1420 accessible to processes. If assigned the empty string, any
1421 previous list changes are undone.</para>
1422
1423 <para>Use this option to limit exposure of processes to remote
1424 systems, in particular via exotic network protocols. Note that
1425 in most cases, the local <constant>AF_UNIX</constant> address
1426 family should be included in the configured whitelist as it is
1427 frequently used for local communication, including for
1428 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
43eb109a 1429 logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 1430 </varlistentry>
1431
1432 <varlistentry>
1433 <term><varname>Personality=</varname></term>
1434
7882632d
LP		 1435 <listitem><para>Controls which kernel architecture <citerefentry
1436 project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report,
1437 when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>,
1438 <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>,
1439 <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality
1440 architectures are supported depends on the system architecture. Usually the 64bit versions of the various
1441 system architectures support their immediate 32bit personality architecture counterpart, but no others. For
1442 example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and
1443 <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit
1444 services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
1445 personality of the host system's kernel.</para></listitem>
798d3a52
ZJS		 1446 </varlistentry>
1447
1448 <varlistentry>
1449 <term><varname>RuntimeDirectory=</varname></term>
1450 <term><varname>RuntimeDirectoryMode=</varname></term>
1451
1452 <listitem><para>Takes a list of directory names. If set, one
1453 or more directories by the specified names will be created
1454 below <filename>/run</filename> (for system services) or below
1455 <varname>$XDG_RUNTIME_DIR</varname> (for user services) when
1456 the unit is started, and removed when the unit is stopped. The
1457 directories will have the access mode specified in
1458 <varname>RuntimeDirectoryMode=</varname>, and will be owned by
1459 the user and group specified in <varname>User=</varname> and
1460 <varname>Group=</varname>. Use this to manage one or more
1461 runtime directories of the unit and bind their lifetime to the
1462 daemon runtime. The specified directory names must be
1463 relative, and may not include a <literal>/</literal>, i.e.
1464 must refer to simple directories to create or remove. This is
1465 particularly useful for unprivileged daemons that cannot
1466 create runtime directories in <filename>/run</filename> due to
1467 lack of privileges, and to make sure the runtime directory is
1468 cleaned up automatically after use. For runtime directories
1469 that require more complex or different configuration or
1470 lifetime guarantees, please consider using
1471 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
1472 </varlistentry>
1473
f3e43635
TM		 1474 <varlistentry>
1475 <term><varname>MemoryDenyWriteExecute=</varname></term>
1476
1477 <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and
1478 executable at the same time, or to change existing memory mappings to become executable are prohibited.
1479 Specifically, a system call filter is added that rejects
1480 <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1481 system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set
1482 and <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1483 system calls with <constant>PROT_EXEC</constant> set. Note that this option is incompatible with programs
1484 that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making
1485 use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes
1486 harder for software exploits to change running code dynamically.
1487 </para></listitem>
1488 </varlistentry>
1489
f4170c67
LP		 1490 <varlistentry>
1491 <term><varname>RestrictRealtime=</varname></term>
1492
1493 <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
1494 the unit are refused. This restricts access to realtime task scheduling policies such as
1495 <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See
0a07667d 1496 <citerefentry project='man-pages'><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about
f4170c67
LP		 1497 these scheduling policies. Realtime scheduling policies may be used to monopolize CPU time for longer periods
1498 of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It
1499 is hence recommended to restrict access to realtime scheduling to the few programs that actually require
1500 them. Defaults to off.</para></listitem>
1501 </varlistentry>
1502
798d3a52
ZJS		 1503 </variablelist>
1504 </refsect1>
1505
1506 <refsect1>
1507 <title>Environment variables in spawned processes</title>
1508
1509 <para>Processes started by the system are executed in a clean
1510 environment in which select variables listed below are set. System
1511 processes started by systemd do not inherit variables from PID 1,
1512 but processes started by user systemd instances inherit all
1513 environment variables from the user systemd instance.
1514 </para>
1515
1516 <variablelist class='environment-variables'>
1517 <varlistentry>
1518 <term><varname>$PATH</varname></term>
1519
1520 <listitem><para>Colon-separated list of directories to use
1521 when launching executables. Systemd uses a fixed value of
1522 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
1523 </para></listitem>
1524 </varlistentry>
1525
1526 <varlistentry>
1527 <term><varname>$LANG</varname></term>
1528
1529 <listitem><para>Locale. Can be set in
3ba3a79d 1530 <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
798d3a52
ZJS		 1531 or on the kernel command line (see
1532 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1533 and
1534 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
1535 </para></listitem>
1536 </varlistentry>
1537
1538 <varlistentry>
1539 <term><varname>$USER</varname></term>
1540 <term><varname>$LOGNAME</varname></term>
1541 <term><varname>$HOME</varname></term>
1542 <term><varname>$SHELL</varname></term>
1543
1544 <listitem><para>User name (twice), home directory, and the
1545 login shell. The variables are set for the units that have
1546 <varname>User=</varname> set, which includes user
1547 <command>systemd</command> instances. See
3ba3a79d 1548 <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
798d3a52
ZJS		 1549 </para></listitem>
1550 </varlistentry>
1551
1552 <varlistentry>
1553 <term><varname>$XDG_RUNTIME_DIR</varname></term>
1554
1555 <listitem><para>The directory for volatile state. Set for the
1556 user <command>systemd</command> instance, and also in user
1557 sessions. See
1558 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1559 </para></listitem>
1560 </varlistentry>
1561
1562 <varlistentry>
1563 <term><varname>$XDG_SESSION_ID</varname></term>
1564 <term><varname>$XDG_SEAT</varname></term>
1565 <term><varname>$XDG_VTNR</varname></term>
1566
1567 <listitem><para>The identifier of the session, the seat name,
1568 and virtual terminal of the session. Set by
1569 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
1570 for login sessions. <varname>$XDG_SEAT</varname> and
1571 <varname>$XDG_VTNR</varname> will only be set when attached to
1572 a seat and a tty.</para></listitem>
1573 </varlistentry>
1574
1575 <varlistentry>
1576 <term><varname>$MAINPID</varname></term>
1577
1578 <listitem><para>The PID of the units main process if it is
1579 known. This is only set for control processes as invoked by
1580 <varname>ExecReload=</varname> and similar. </para></listitem>
1581 </varlistentry>
1582
1583 <varlistentry>
1584 <term><varname>$MANAGERPID</varname></term>
1585
1586 <listitem><para>The PID of the user <command>systemd</command>
1587 instance, set for processes spawned by it. </para></listitem>
1588 </varlistentry>
1589
1590 <varlistentry>
1591 <term><varname>$LISTEN_FDS</varname></term>
1592 <term><varname>$LISTEN_PID</varname></term>
5c019cf2 1593 <term><varname>$LISTEN_FDNAMES</varname></term>
798d3a52
ZJS		 1594
1595 <listitem><para>Information about file descriptors passed to a
1596 service for socket activation. See
1597 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1598 </para></listitem>
1599 </varlistentry>
1600
5c019cf2
EV		 1601 <varlistentry>
1602 <term><varname>$NOTIFY_SOCKET</varname></term>
1603
1604 <listitem><para>The socket
1605 <function>sd_notify()</function> talks to. See
1606 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1607 </para></listitem>
1608 </varlistentry>
1609
1610 <varlistentry>
1611 <term><varname>$WATCHDOG_PID</varname></term>
1612 <term><varname>$WATCHDOG_USEC</varname></term>
1613
1614 <listitem><para>Information about watchdog keep-alive notifications. See
1615 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1616 </para></listitem>
1617 </varlistentry>
1618
798d3a52
ZJS		 1619 <varlistentry>
1620 <term><varname>$TERM</varname></term>
1621
1622 <listitem><para>Terminal type, set only for units connected to
1623 a terminal (<varname>StandardInput=tty</varname>,
1624 <varname>StandardOutput=tty</varname>, or
1625 <varname>StandardError=tty</varname>). See
1626 <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
1627 </para></listitem>
1628 </varlistentry>
7bce046b
LP		 1629
1630 <varlistentry>
1631 <term><varname>$JOURNAL_STREAM</varname></term>
1632
1633 <listitem><para>If the standard output or standard error output of the executed processes are connected to the
1634 journal (for example, by setting <varname>StandardError=journal</varname>) <varname>$JOURNAL_STREAM</varname>
1635 contains the device and inode numbers of the connection file descriptor, formatted in decimal, separated by a
1636 colon (<literal>:</literal>). This permits invoked processes to safely detect whether their standard output or
1637 standard error output are connected to the journal. The device and inode numbers of the file descriptors should
1638 be compared with the values set in the environment variable to determine whether the process output is still
1639 connected to the journal. Note that it is generally not sufficient to only check whether
1640 <varname>$JOURNAL_STREAM</varname> is set at all as services might invoke external processes replacing their
1641 standard output or standard error output, without unsetting the environment variable.</para>
1642
1643 <para>This environment variable is primarily useful to allow services to optionally upgrade their used log
1644 protocol to the native journal protocol (using
1645 <citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other
1646 functions) if their standard output or standard error output is connected to the journal anyway, thus enabling
1647 delivery of structured metadata along with logged messages.</para></listitem>
1648 </varlistentry>
136dc4c4
LP		 1649
1650 <varlistentry>
1651 <term><varname>$SERVICE_RESULT</varname></term>
1652
1653 <listitem><para>Only defined for the service unit type, this environment variable is passed to all
1654 <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes, and encodes the service
1655 "result". Currently, the following values are defined: <literal>timeout</literal> (in case of an operation
1656 timeout), <literal>exit-code</literal> (if a service process exited with a non-zero exit code; see
1657 <varname>$EXIT_STATUS</varname> below for the actual exit status returned), <literal>signal</literal> (if a
1658 service process was terminated abnormally by a signal; see <varname>$EXIT_STATUS</varname> below for the actual
1659 signal used for the termination), <literal>core-dump</literal> (if a service process terminated abnormally and
1660 dumped core), <literal>watchdog</literal> (if the watchdog keep-alive ping was enabled for the service but it
1661 missed the deadline), or <literal>resources</literal> (a catch-all condition in case a system operation
1662 failed).</para>
1663
1664 <para>This environment variable is useful to monitor failure or successful termination of a service. Even
1665 though this variable is available in both <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname>, it
1666 is usually a better choice to place monitoring tools in the latter, as the former is only invoked for services
1667 that managed to start up correctly, and the latter covers both services that failed during their start-up and
1668 those which failed during their runtime.</para></listitem>
1669 </varlistentry>
1670
1671 <varlistentry>
1672 <term><varname>$EXIT_CODE</varname></term>
1673 <term><varname>$EXIT_STATUS</varname></term>
1674
1675 <listitem><para>Only defined for the service unit type, these environment variables are passed to all
1676 <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname> processes and contain exit status/code
1677 information of the main process of the service. For the precise definition of the exit code and status, see
1678 <citerefentry><refentrytitle>wait</refentrytitle><manvolnum>2</manvolnum></citerefentry>. <varname>$EXIT_CODE</varname>
1679 is one of <literal>exited</literal>, <literal>killed</literal>,
1680 <literal>dumped</literal>. <varname>$EXIT_STATUS</varname> contains the numeric exit code formatted as string
1681 if <varname>$EXIT_CODE</varname> is <literal>exited</literal>, and the signal name in all other cases. Note
1682 that these environment variables are only set if the service manager succeeded to start and identify the main
e64e1bfd
ZJS		 1683 process of the service.</para>
1684
1685 <table>
1686 <title>Summary of possible service result variable values</title>
1687 <tgroup cols='3'>
1688 <colspec colname='result' />
1689 <colspec colname='status' />
1690 <colspec colname='code' />
1691 <thead>
1692 <row>
1693 <entry><varname>$SERVICE_RESULT</varname></entry>
1694 <entry><varname>$EXIT_STATUS</varname></entry>
1695 <entry><varname>$EXIT_CODE</varname></entry>
1696 </row>
1697 </thead>
1698
1699 <tbody>
29df65f9
ZJS		 1700 <row>
1701 <entry morerows="1" valign="top"><literal>timeout</literal></entry>
1702 <entry valign="top"><literal>killed</literal></entry>
1703 <entry><literal>TERM</literal><sbr/><literal>KILL</literal></entry>
1704 </row>
1705
1706 <row>
1707 <entry valign="top"><literal>exited</literal></entry>
1708 <entry><literal>0</literal><sbr/><literal>1</literal><sbr/><literal>2</literal><sbr/><literal
1709 >3</literal><sbr/>…<sbr/><literal>255</literal></entry>
1710 </row>
1711
e64e1bfd
ZJS		 1712 <row>
1713 <entry valign="top"><literal>exit-code</literal></entry>
1714 <entry valign="top"><literal>exited</literal></entry>
1715 <entry><literal>0</literal><sbr/><literal>1</literal><sbr/><literal>2</literal><sbr/><literal
1716 >3</literal><sbr/>…<sbr/><literal>255</literal></entry>
1717 </row>
1718
1719 <row>
1720 <entry valign="top"><literal>signal</literal></entry>
1721 <entry valign="top"><literal>killed</literal></entry>
1722 <entry><literal>HUP</literal><sbr/><literal>INT</literal><sbr/><literal>KILL</literal><sbr/>…</entry>
1723 </row>
1724
1725 <row>
1726 <entry valign="top"><literal>core-dump</literal></entry>
1727 <entry valign="top"><literal>dumped</literal></entry>
1728 <entry><literal>ABRT</literal><sbr/><literal>SEGV</literal><sbr/><literal>QUIT</literal><sbr/>…</entry>
1729 </row>
136dc4c4 1730
e64e1bfd
ZJS		 1731 <row>
1732 <entry morerows="2" valign="top"><literal>watchdog</literal></entry>
1733 <entry><literal>dumped</literal></entry>
1734 <entry><literal>ABRT</literal></entry>
1735 </row>
1736 <row>
1737 <entry><literal>killed</literal></entry>
1738 <entry><literal>TERM</literal><sbr/><literal>KILL</literal></entry>
1739 </row>
1740 <row>
1741 <entry><literal>exited</literal></entry>
1742 <entry><literal>0</literal><sbr/><literal>1</literal><sbr/><literal>2</literal><sbr/><literal
1743 >3</literal><sbr/>…<sbr/><literal>255</literal></entry>
1744 </row>
1745
1746 <row>
1747 <entry><literal>resources</literal></entry>
1748 <entry>any of the above</entry>
1749 <entry>any of the above</entry>
1750 </row>
29df65f9
ZJS		 1751
1752 <row>
1753 <entry namest="results" nameend="code">Note: the process may be also terminated by a signal not sent by systemd. In particular the process may send an arbitrary signal to itself in a handler for any of the non-maskable signals. Nevertheless, in the <literal>timeout</literal> and <literal>watchdog</literal> rows above only the signals that systemd sends have been included.</entry>
1754 </row>
e64e1bfd
ZJS		 1755 </tbody>
1756 </tgroup>
1757 </table>
1758
1759 </listitem>
1760 </varlistentry>
798d3a52
ZJS		 1761 </variablelist>
1762
1763 <para>Additional variables may be configured by the following
1764 means: for processes spawned in specific units, use the
5c019cf2
EV		 1765 <varname>Environment=</varname>, <varname>EnvironmentFile=</varname>
1766 and <varname>PassEnvironment=</varname> options above; to specify
798d3a52
ZJS		 1767 variables globally, use <varname>DefaultEnvironment=</varname>
1768 (see
1769 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1770 or the kernel option <varname>systemd.setenv=</varname> (see
1771 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
1772 Additional variables may also be set through PAM,
1773 cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
1774 </refsect1>
1775
1776 <refsect1>
1777 <title>See Also</title>
1778 <para>
1779 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1780 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1781 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1782 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1783 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1784 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1785 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1786 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1787 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1788 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
a4c18002 1789 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
798d3a52
ZJS		 1790 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
1791 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1792 <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1793 </para>
1794 </refsect1>
dd1eb43b 1795
e64e1bfd 1796
dd1eb43b 1797</refentry>
Unnamed repository; edit this file 'description' to name the repository.