]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
man: fix link to systemd-networkd-wait-online.service in systemd-networkd.service(8)
[thirdparty/systemd.git] / man / systemd.exec.xml
CommitLineData
dd1eb43b
LP		 1<?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
5<!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
dd1eb43b
LP		 13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 18 Lesser General Public License for more details.
dd1eb43b 19
5430f7f2 20 You should have received a copy of the GNU Lesser General Public License
dd1eb43b
LP		 21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22-->
23
24<refentry id="systemd.exec">
25 <refentryinfo>
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
28
29 <authorgroup>
30 <author>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
35 </author>
36 </authorgroup>
37 </refentryinfo>
38
39 <refmeta>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
42 </refmeta>
43
44 <refnamediv>
45 <refname>systemd.exec</refname>
34511ca7 46 <refpurpose>Execution environment configuration</refpurpose>
dd1eb43b
LP		 47 </refnamediv>
48
49 <refsynopsisdiv>
e670b166
ZJS		 50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
dd1eb43b
LP		 54 </refsynopsisdiv>
55
56 <refsect1>
57 <title>Description</title>
58
9a666408 59 <para>Unit configuration files for services, sockets,
43638332 60 mount points, and swap devices share a subset of
2292707d
LP		 61 configuration options which define the execution
62 environment of spawned processes.</para>
dd1eb43b
LP		 63
64 <para>This man page lists the configuration options
9a666408 65 shared by these four unit types. See
dd1eb43b
LP		 66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration
68 files, and
2292707d
LP		 69 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
d868475a 71 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
dd1eb43b
LP		 72 and
73 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
74 for more information on the specific unit
75 configuration files. The execution specific
76 configuration options are configured in the [Service],
16dad32e 77 [Socket], [Mount], or [Swap] sections, depending on the unit
dd1eb43b
LP		 78 type.</para>
79 </refsect1>
80
81 <refsect1>
82 <title>Options</title>
83
ccc9a4f9 84 <variablelist class='unit-directives'>
dd1eb43b
LP		 85
86 <varlistentry>
87 <term><varname>WorkingDirectory=</varname></term>
88
89 <listitem><para>Takes an absolute
90 directory path. Sets the working
e06c73cc 91 directory for executed processes. If
79640424 92 not set, defaults to the root directory
e06c73cc
LP		 93 when systemd is running as a system
94 instance and the respective user's
95 home directory if run as
96 user.</para></listitem>
dd1eb43b
LP		 97 </varlistentry>
98
99 <varlistentry>
100 <term><varname>RootDirectory=</varname></term>
101
102 <listitem><para>Takes an absolute
103 directory path. Sets the root
104 directory for executed processes, with
105 the
5aded369 106 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
79640424 107 system call. If this is used, it must
dd1eb43b
LP		 108 be ensured that the process and all
109 its auxiliary files are available in
110 the <function>chroot()</function>
111 jail.</para></listitem>
112 </varlistentry>
113
114 <varlistentry>
115 <term><varname>User=</varname></term>
116 <term><varname>Group=</varname></term>
117
118 <listitem><para>Sets the Unix user
16dad32e
AE		 119 or group that the processes are executed
120 as, respectively. Takes a single user or group
dd1eb43b 121 name or ID as argument. If no group is
16dad32e 122 set, the default group of the user is
dd1eb43b
LP		 123 chosen.</para></listitem>
124 </varlistentry>
125
126 <varlistentry>
127 <term><varname>SupplementaryGroups=</varname></term>
128
129 <listitem><para>Sets the supplementary
130 Unix groups the processes are executed
e9dd9f95 131 as. This takes a space-separated list
dd1eb43b
LP		 132 of group names or IDs. This option may
133 be specified more than once in which
134 case all listed groups are set as
74051b9b
LP		 135 supplementary groups. When the empty
136 string is assigned the list of
137 supplementary groups is reset, and all
138 assignments prior to this one will
139 have no effect. In any way, this
140 option does not override, but extends
141 the list of supplementary groups
142 configured in the system group
143 database for the
dd1eb43b
LP		 144 user.</para></listitem>
145 </varlistentry>
146
147 <varlistentry>
148 <term><varname>Nice=</varname></term>
149
150 <listitem><para>Sets the default nice
151 level (scheduling priority) for
152 executed processes. Takes an integer
153 between -20 (highest priority) and 19
154 (lowest priority). See
155 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
156 for details.</para></listitem>
157 </varlistentry>
158
159 <varlistentry>
dd6c17b1 160 <term><varname>OOMScoreAdjust=</varname></term>
dd1eb43b
LP		 161
162 <listitem><para>Sets the adjustment
163 level for the Out-Of-Memory killer for
164 executed processes. Takes an integer
dd6c17b1
LP		 165 between -1000 (to disable OOM killing
166 for this process) and 1000 (to make
dd1eb43b
LP		 167 killing of this process under memory
168 pressure very likely). See <ulink
6ed80a4e 169 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
dd1eb43b
LP		 170 for details.</para></listitem>
171 </varlistentry>
172
173 <varlistentry>
174 <term><varname>IOSchedulingClass=</varname></term>
175
176 <listitem><para>Sets the IO scheduling
177 class for executed processes. Takes an
178 integer between 0 and 3 or one of the
179 strings <option>none</option>,
180 <option>realtime</option>,
181 <option>best-effort</option> or
182 <option>idle</option>. See
183 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
184 for details.</para></listitem>
185 </varlistentry>
186
187 <varlistentry>
188 <term><varname>IOSchedulingPriority=</varname></term>
189
190 <listitem><para>Sets the IO scheduling
191 priority for executed processes. Takes
192 an integer between 0 (highest
193 priority) and 7 (lowest priority). The
194 available priorities depend on the
195 selected IO scheduling class (see
196 above). See
197 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
198 for details.</para></listitem>
199 </varlistentry>
200
201 <varlistentry>
202 <term><varname>CPUSchedulingPolicy=</varname></term>
203
204 <listitem><para>Sets the CPU
205 scheduling policy for executed
206 processes. Takes one of
207 <option>other</option>,
208 <option>batch</option>,
209 <option>idle</option>,
210 <option>fifo</option> or
211 <option>rr</option>. See
212 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
213 for details.</para></listitem>
214 </varlistentry>
215
216 <varlistentry>
217 <term><varname>CPUSchedulingPriority=</varname></term>
218
219 <listitem><para>Sets the CPU
220 scheduling priority for executed
bb112710 221 processes. The available priority
dd1eb43b 222 range depends on the selected CPU
bb112710
HHPF		 223 scheduling policy (see above). For
224 real-time scheduling policies an
225 integer between 1 (lowest priority)
226 and 99 (highest priority) can be used.
227 See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
228 for details.
229 </para></listitem>
dd1eb43b
LP		 230 </varlistentry>
231
232 <varlistentry>
233 <term><varname>CPUSchedulingResetOnFork=</varname></term>
234
235 <listitem><para>Takes a boolean
79640424 236 argument. If true, elevated CPU
dd1eb43b
LP		 237 scheduling priorities and policies
238 will be reset when the executed
239 processes fork, and can hence not leak
240 into child processes. See
241 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
242 for details. Defaults to false.</para></listitem>
243 </varlistentry>
244
245 <varlistentry>
246 <term><varname>CPUAffinity=</varname></term>
247
248 <listitem><para>Controls the CPU
249 affinity of the executed
96d4ce01 250 processes. Takes a space-separated
66f756d4 251 list of CPU indices. This option may
74051b9b
LP		 252 be specified more than once in which
253 case the specificed CPU affinity masks
254 are merged. If the empty string is
79640424 255 assigned, the mask is reset, all
74051b9b
LP		 256 assignments prior to this will have no
257 effect. See
dd1eb43b
LP		 258 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
259 for details.</para></listitem>
260 </varlistentry>
261
262 <varlistentry>
263 <term><varname>UMask=</varname></term>
264
265 <listitem><para>Controls the file mode
266 creation mask. Takes an access mode in
267 octal notation. See
268 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
269 for details. Defaults to
260d3708 270 0022.</para></listitem>
dd1eb43b
LP		 271 </varlistentry>
272
273 <varlistentry>
274 <term><varname>Environment=</varname></term>
275
276 <listitem><para>Sets environment
277 variables for executed
96d4ce01 278 processes. Takes a space-separated
dd1eb43b
LP		 279 list of variable assignments. This
280 option may be specified more than once
281 in which case all listed variables
282 will be set. If the same variable is
79640424 283 set twice, the later setting will
74051b9b
LP		 284 override the earlier setting. If the
285 empty string is assigned to this
79640424 286 option, the list of environment
74051b9b 287 variables is reset, all prior
0ae9c92a
FC		 288 assignments have no effect.
289 Variable expansion is not performed
97d0e5f8 290 inside the strings, however, specifier
79640424 291 expansion is possible. The $ character has
97d0e5f8 292 no special meaning.
0ae9c92a
FC		 293 If you need to assign a value containing spaces
294 to a variable, use double quotes (")
295 for the assignment.</para>
296
297 <para>Example:
c5b37953 298 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
0ae9c92a 299 gives three variables <literal>VAR1</literal>,
c5b37953
ZJS		 300 <literal>VAR2</literal>, <literal>VAR3</literal>
301 with the values <literal>word1 word2</literal>,
302 <literal>word3</literal>, <literal>$word 5 6</literal>.
0ae9c92a
FC		 303 </para>
304
305 <para>
306 See
5aded369 307 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
0ae9c92a 308 for details about environment variables.</para></listitem>
dd1eb43b
LP		 309 </varlistentry>
310 <varlistentry>
311 <term><varname>EnvironmentFile=</varname></term>
312 <listitem><para>Similar to
313 <varname>Environment=</varname> but
314 reads the environment variables from a
315 text file. The text file should
e9dd9f95 316 contain new-line-separated variable
dd1eb43b
LP		 317 assignments. Empty lines and lines
318 starting with ; or # will be ignored,
565d91fd
MV		 319 which may be used for commenting. A line
320 ending with a backslash will be concatenated
321 with the following one, allowing multiline variable
322 definitions. The parser strips leading
323 and trailing whitespace from the values
7734f773 324 of assignments, unless you use
74051b9b
LP		 325 double quotes (").</para>
326
327 <para>The argument passed should be an
e9dd9f95 328 absolute filename or wildcard
74051b9b 329 expression, optionally prefixed with
05cc7267 330 <literal>-</literal>, which indicates
6b4991cf
JE		 331 that if the file does not exist, it
332 will not be read and no error or warning
05cc7267
ZJS		 333 message is logged. This option may be
334 specified more than once in which case
335 all specified files are read. If the
336 empty string is assigned to this
79640424 337 option, the list of file to read is
05cc7267
ZJS		 338 reset, all prior assignments have no
339 effect.</para>
74051b9b
LP		 340
341 <para>The files listed with this
f1779fd2 342 directive will be read shortly before
90582615 343 the process is executed (more
dca348bc 344 specifically, after all
90582615
LP		 345 processes from a previous unit state
346 terminated. This means you can
347 generate these files in one unit
348 state, and read it with this option in
349 the next). Settings from these files
350 override settings made with
f1779fd2
LP		 351 <varname>Environment=</varname>. If
352 the same variable is set twice from
79640424 353 these files, the files will be read in
f1779fd2
LP		 354 the order they are specified and the
355 later setting will override the
74051b9b 356 earlier setting.</para></listitem>
dd1eb43b
LP		 357 </varlistentry>
358
359 <varlistentry>
360 <term><varname>StandardInput=</varname></term>
361 <listitem><para>Controls where file
362 descriptor 0 (STDIN) of the executed
363 processes is connected to. Takes one
364 of <option>null</option>,
365 <option>tty</option>,
366 <option>tty-force</option>,
367 <option>tty-fail</option> or
79c1afc6
LP		 368 <option>socket</option>.</para>
369
370 <para>If <option>null</option> is
371 selected, standard input will be
372 connected to
dd1eb43b
LP		 373 <filename>/dev/null</filename>,
374 i.e. all read attempts by the process
79c1afc6
LP		 375 will result in immediate EOF.</para>
376
377 <para>If <option>tty</option> is
378 selected, standard input is connected
379 to a TTY (as configured by
dd1eb43b
LP		 380 <varname>TTYPath=</varname>, see
381 below) and the executed process
382 becomes the controlling process of the
383 terminal. If the terminal is already
79c1afc6
LP		 384 being controlled by another process,
385 the executed process waits until the
386 current controlling process releases
387 the terminal.</para>
388
389 <para><option>tty-force</option> is similar
390 to <option>tty</option>, but the
391 executed process is forcefully and
392 immediately made the controlling
dd1eb43b
LP		 393 process of the terminal, potentially
394 removing previous controlling
395 processes from the
79c1afc6
LP		 396 terminal.</para>
397
398 <para><option>tty-fail</option> is
dd1eb43b
LP		 399 similar to <option>tty</option> but if
400 the terminal already has a controlling
401 process start-up of the executed
79c1afc6
LP		 402 process fails.</para>
403
404 <para>The <option>socket</option>
405 option is only valid in
406 socket-activated services, and only
407 when the socket configuration file
408 (see
dd1eb43b
LP		 409 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
410 for details) specifies a single socket
79640424 411 only. If this option is set, standard
dd1eb43b
LP		 412 input will be connected to the socket
413 the service was activated from, which
414 is primarily useful for compatibility
415 with daemons designed for use with the
416 traditional
417 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
79c1afc6
LP		 418 daemon.</para>
419
420 <para>This setting defaults to
dd1eb43b
LP		 421 <option>null</option>.</para></listitem>
422 </varlistentry>
423 <varlistentry>
424 <term><varname>StandardOutput=</varname></term>
425 <listitem><para>Controls where file
426 descriptor 1 (STDOUT) of the executed
427 processes is connected to. Takes one
428 of <option>inherit</option>,
429 <option>null</option>,
430 <option>tty</option>,
79c1afc6 431 <option>journal</option>,
dd1eb43b 432 <option>syslog</option>,
28dbc1e8 433 <option>kmsg</option>,
79c1afc6 434 <option>journal+console</option>,
706343f4 435 <option>syslog+console</option>,
79c1afc6
LP		 436 <option>kmsg+console</option> or
437 <option>socket</option>.</para>
438
439 <para><option>inherit</option>
440 duplicates the file descriptor of
441 standard input for standard
442 output.</para>
443
444 <para><option>null</option> connects
445 standard output to
dd1eb43b
LP		 446 <filename>/dev/null</filename>,
447 i.e. everything written to it will be
79c1afc6
LP		 448 lost.</para>
449
450 <para><option>tty</option> connects
451 standard output to a tty (as
452 configured via
dd1eb43b
LP		 453 <varname>TTYPath=</varname>, see
454 below). If the TTY is used for output
79640424 455 only, the executed process will not
dd1eb43b
LP		 456 become the controlling process of the
457 terminal, and will not fail or wait
458 for other processes to release the
79c1afc6
LP		 459 terminal.</para>
460
461 <para><option>journal</option>
462 connects standard output with the
463 journal which is accessible via
464 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
465 Note that everything that is written
466 to syslog or kmsg (see below) is
467 implicitly stored in the journal as
468 well, the specific two options listed
469 below are hence supersets of this
470 one.</para>
471
472 <para><option>syslog</option> connects
473 standard output to the <citerefentry
474 project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
475 system syslog service, in addition to
476 the journal. Note that the journal
477 daemon is usually configured to
478 forward everything it receives to
479 syslog anyway, in which case this
480 option is no different from
481 <option>journal</option>.</para>
482
483 <para><option>kmsg</option> connects
484 standard output with the kernel log
485 buffer which is accessible via
486 <citerefentry
487 project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
488 in addition to the journal. The
489 journal daemon might be configured to
490 send all logs to kmsg anyway, in which
491 case this option is no different from
492 <option>journal</option>.</para>
493
494 <para><option>journal+console</option>,
495 <option>syslog+console</option> and
496 <option>kmsg+console</option> work in
497 a similar way as the three options
498 above but copy the output to the
499 system console as well.</para>
500
501 <para><option>socket</option> connects
502 standard output to a socket acquired
503 via socket activation. The semantics
504 are similar to the same option of
505 <varname>StandardInput=</varname>.</para>
506
507 <para>This setting defaults to the
508 value set with
de6c78f8
LP		 509 <option>DefaultStandardOutput=</option>
510 in
5f9cfd4c 511 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
de6c78f8 512 which defaults to
706343f4 513 <option>journal</option>.</para></listitem>
dd1eb43b
LP		 514 </varlistentry>
515 <varlistentry>
ad678a06 516 <term><varname>StandardError=</varname></term>
dd1eb43b 517 <listitem><para>Controls where file
b67f562c 518 descriptor 2 (STDERR) of the
6db27428
ZJS		 519 executed processes is connected to.
520 The available options are identical to
dd1eb43b 521 those of
ad678a06 522 <varname>StandardOutput=</varname>,
5471472d 523 with one exception: if set to
dd1eb43b
LP		 524 <option>inherit</option> the file
525 descriptor used for standard output is
526 duplicated for standard error. This
de6c78f8
LP		 527 setting defaults to the value set with
528 <option>DefaultStandardError=</option>
529 in
5f9cfd4c 530 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
de6c78f8 531 which defaults to
dd1eb43b
LP		 532 <option>inherit</option>.</para></listitem>
533 </varlistentry>
534 <varlistentry>
535 <term><varname>TTYPath=</varname></term>
536 <listitem><para>Sets the terminal
6db27428
ZJS		 537 device node to use if standard input, output,
538 or error are connected to a
dd1eb43b
LP		 539 TTY (see above). Defaults to
540 <filename>/dev/console</filename>.</para></listitem>
541 </varlistentry>
6ea832a2
LP		 542 <varlistentry>
543 <term><varname>TTYReset=</varname></term>
544 <listitem><para>Reset the terminal
545 device specified with
546 <varname>TTYPath=</varname> before and
547 after execution. Defaults to
548 <literal>no</literal>.</para></listitem>
549 </varlistentry>
550 <varlistentry>
551 <term><varname>TTYVHangup=</varname></term>
552 <listitem><para>Disconnect all clients
553 which have opened the terminal device
554 specified with
555 <varname>TTYPath=</varname>
556 before and after execution. Defaults
557 to
558 <literal>no</literal>.</para></listitem>
559 </varlistentry>
560 <varlistentry>
561 <term><varname>TTYVTDisallocate=</varname></term>
c5315881 562 <listitem><para>If the terminal
6ea832a2
LP		 563 device specified with
564 <varname>TTYPath=</varname> is a
79640424 565 virtual console terminal, try to
6ea832a2
LP		 566 deallocate the TTY before and after
567 execution. This ensures that the
568 screen and scrollback buffer is
569 cleared. Defaults to
570 <literal>no</literal>.</para></listitem>
571 </varlistentry>
dd1eb43b 572 <varlistentry>
48c4fad9 573 <term><varname>SyslogIdentifier=</varname></term>
dd1eb43b 574 <listitem><para>Sets the process name
2134b5ef
LP		 575 to prefix log lines sent to the
576 logging system or the kernel log
577 buffer with. If not set, defaults to
578 the process name of the executed
579 process. This option is only useful
580 when
dd1eb43b
LP		 581 <varname>StandardOutput=</varname> or
582 <varname>StandardError=</varname> are
2134b5ef
LP		 583 set to <option>syslog</option>,
584 <option>journal</option> or
585 <option>kmsg</option> (or to the same
586 settings in combination with
587 <option>+console</option>).</para></listitem>
dd1eb43b
LP		 588 </varlistentry>
589 <varlistentry>
590 <term><varname>SyslogFacility=</varname></term>
591 <listitem><para>Sets the syslog
592 facility to use when logging to
593 syslog. One of <option>kern</option>,
594 <option>user</option>,
595 <option>mail</option>,
596 <option>daemon</option>,
597 <option>auth</option>,
598 <option>syslog</option>,
599 <option>lpr</option>,
600 <option>news</option>,
601 <option>uucp</option>,
602 <option>cron</option>,
603 <option>authpriv</option>,
604 <option>ftp</option>,
605 <option>local0</option>,
606 <option>local1</option>,
607 <option>local2</option>,
608 <option>local3</option>,
609 <option>local4</option>,
610 <option>local5</option>,
611 <option>local6</option> or
612 <option>local7</option>. See
5aded369 613 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
dd1eb43b
LP		 614 for details. This option is only
615 useful when
616 <varname>StandardOutput=</varname> or
617 <varname>StandardError=</varname> are
618 set to <option>syslog</option>.
619 Defaults to
620 <option>daemon</option>.</para></listitem>
621 </varlistentry>
622 <varlistentry>
623 <term><varname>SyslogLevel=</varname></term>
624 <listitem><para>Default syslog level
625 to use when logging to syslog or the
626 kernel log buffer. One of
627 <option>emerg</option>,
628 <option>alert</option>,
629 <option>crit</option>,
630 <option>err</option>,
631 <option>warning</option>,
632 <option>notice</option>,
633 <option>info</option>,
634 <option>debug</option>. See
5aded369 635 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
dd1eb43b
LP		 636 for details. This option is only
637 useful when
638 <varname>StandardOutput=</varname> or
639 <varname>StandardError=</varname> are
640 set to <option>syslog</option> or
641 <option>kmsg</option>. Note that
642 individual lines output by the daemon
643 might be prefixed with a different log
644 level which can be used to override
645 the default log level specified
646 here. The interpretation of these
647 prefixes may be disabled with
74922904 648 <varname>SyslogLevelPrefix=</varname>,
dd1eb43b 649 see below. For details see
cb07866b 650 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
dd1eb43b
LP		 651
652 Defaults to
653 <option>info</option>.</para></listitem>
654 </varlistentry>
655
656 <varlistentry>
74922904 657 <term><varname>SyslogLevelPrefix=</varname></term>
dd1eb43b 658 <listitem><para>Takes a boolean
74922904 659 argument. If true and
dd1eb43b
LP		 660 <varname>StandardOutput=</varname> or
661 <varname>StandardError=</varname> are
df688b23
LP		 662 set to <option>syslog</option>,
663 <option>kmsg</option> or
664 <option>journal</option>, log lines
dd1eb43b
LP		 665 written by the executed process that
666 are prefixed with a log level will be
667 passed on to syslog with this log
668 level set but the prefix removed. If
74922904 669 set to false, the interpretation of
dd1eb43b
LP		 670 these prefixes is disabled and the
671 logged lines are passed on as-is. For
672 details about this prefixing see
cb07866b 673 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
74922904 674 Defaults to true.</para></listitem>
dd1eb43b
LP		 675 </varlistentry>
676
677 <varlistentry>
03fae018 678 <term><varname>TimerSlackNSec=</varname></term>
dd1eb43b
LP		 679 <listitem><para>Sets the timer slack
680 in nanoseconds for the executed
d88a251b
LP		 681 processes. The timer slack controls
682 the accuracy of wake-ups triggered by
03fae018 683 timers. See
dd1eb43b 684 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
03fae018
LP		 685 for more information. Note that in
686 contrast to most other time span
f8553ccb 687 definitions this parameter takes an
d88a251b
LP		 688 integer value in nano-seconds if no
689 unit is specified. The usual time
690 units are understood
691 too.</para></listitem>
dd1eb43b
LP		 692 </varlistentry>
693
694 <varlistentry>
695 <term><varname>LimitCPU=</varname></term>
696 <term><varname>LimitFSIZE=</varname></term>
697 <term><varname>LimitDATA=</varname></term>
698 <term><varname>LimitSTACK=</varname></term>
699 <term><varname>LimitCORE=</varname></term>
700 <term><varname>LimitRSS=</varname></term>
701 <term><varname>LimitNOFILE=</varname></term>
702 <term><varname>LimitAS=</varname></term>
703 <term><varname>LimitNPROC=</varname></term>
704 <term><varname>LimitMEMLOCK=</varname></term>
705 <term><varname>LimitLOCKS=</varname></term>
706 <term><varname>LimitSIGPENDING=</varname></term>
707 <term><varname>LimitMSGQUEUE=</varname></term>
708 <term><varname>LimitNICE=</varname></term>
709 <term><varname>LimitRTPRIO=</varname></term>
710 <term><varname>LimitRTTIME=</varname></term>
711 <listitem><para>These settings control
712 various resource limits for executed
713 processes. See
714 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
3d57c6ab
LP		 715 for details. Use the string
716 <varname>infinity</varname> to
717 configure no limit on a specific
718 resource.</para></listitem>
dd1eb43b
LP		 719 </varlistentry>
720
721 <varlistentry>
722 <term><varname>PAMName=</varname></term>
723 <listitem><para>Sets the PAM service
79640424 724 name to set up a session as. If set,
dd1eb43b
LP		 725 the executed process will be
726 registered as a PAM session under the
727 specified service name. This is only
728 useful in conjunction with the
729 <varname>User=</varname> setting. If
79640424 730 not set, no PAM session will be opened
dd1eb43b 731 for the executed processes. See
5aded369 732 <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
dd1eb43b
LP		 733 for details.</para></listitem>
734 </varlistentry>
735
dd1eb43b 736 <varlistentry>
260abb78
LP		 737 <term><varname>CapabilityBoundingSet=</varname></term>
738
739 <listitem><para>Controls which
740 capabilities to include in the
741 capability bounding set for the
742 executed process. See
5aded369 743 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
e9dd9f95
JSJ		 744 for details. Takes a whitespace-separated
745 list of capability names as read by
d91c34f2 746 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
74d00578
ZJS		 747 e.g. <constant>CAP_SYS_ADMIN</constant>,
748 <constant>CAP_DAC_OVERRIDE</constant>,
749 <constant>CAP_SYS_PTRACE</constant>.
260abb78
LP		 750 Capabilities listed will be included
751 in the bounding set, all others are
752 removed. If the list of capabilities
79640424 753 is prefixed with <literal>~</literal>,
d91c34f2
LP		 754 all but the listed capabilities will
755 be included, the effect of the
756 assignment inverted. Note that this
757 option also affects the respective
758 capabilities in the effective,
759 permitted and inheritable capability
760 sets, on top of what
761 <varname>Capabilities=</varname>
79640424 762 does. If this option is not used, the
260abb78
LP		 763 capability bounding set is not
764 modified on process execution, hence
765 no limits on the capabilities of the
74051b9b
LP		 766 process are enforced. This option may
767 appear more than once in which case
d91c34f2
LP		 768 the bounding sets are merged. If the
769 empty string is assigned to this
79640424 770 option, the bounding set is reset to
d91c34f2
LP		 771 the empty capability set, and all
772 prior settings have no effect. If set
773 to <literal>~</literal> (without any
79640424 774 further argument), the bounding set is
d91c34f2
LP		 775 reset to the full set of available
776 capabilities, also undoing any
777 previous settings.</para></listitem>
dd1eb43b
LP		 778 </varlistentry>
779
780 <varlistentry>
781 <term><varname>SecureBits=</varname></term>
782 <listitem><para>Controls the secure
e060073a
ZJS		 783 bits set for the executed process.
784 Takes a space-separated combination of
785 options from the following list:
dd1eb43b
LP		 786 <option>keep-caps</option>,
787 <option>keep-caps-locked</option>,
788 <option>no-setuid-fixup</option>,
789 <option>no-setuid-fixup-locked</option>,
e060073a 790 <option>noroot</option>, and
74051b9b
LP		 791 <option>noroot-locked</option>. This
792 option may appear more than once in
e060073a
ZJS		 793 which case the secure bits are ORed.
794 If the empty string is assigned to
795 this option, the bits are reset to 0.
796 See <citerefentry
797 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798 for details.</para></listitem>
dd1eb43b
LP		 799 </varlistentry>
800
801 <varlistentry>
260abb78 802 <term><varname>Capabilities=</varname></term>
dd1eb43b 803 <listitem><para>Controls the
5aded369 804 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
260abb78
LP		 805 set for the executed process. Take a
806 capability string describing the
807 effective, permitted and inherited
808 capability sets as documented in
809 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
810 Note that these capability sets are
417116f2 811 usually influenced (and filtered) by the capabilities
260abb78
LP		 812 attached to the executed file. Due to
813 that
814 <varname>CapabilityBoundingSet=</varname>
e060073a 815 is probably a much more useful
260abb78 816 setting.</para></listitem>
dd1eb43b
LP		 817 </varlistentry>
818
dd1eb43b
LP		 819 <varlistentry>
820 <term><varname>ReadWriteDirectories=</varname></term>
821 <term><varname>ReadOnlyDirectories=</varname></term>
822 <term><varname>InaccessibleDirectories=</varname></term>
823
d6797c92
LP		 824 <listitem><para>Sets up a new file
825 system namespace for executed
dd1eb43b
LP		 826 processes. These options may be used
827 to limit access a process might have
12f25b6e 828 to the main file system
dd1eb43b 829 hierarchy. Each setting takes a
96d4ce01 830 space-separated list of absolute
dd1eb43b
LP		 831 directory paths. Directories listed in
832 <varname>ReadWriteDirectories=</varname>
833 are accessible from within the
834 namespace with the same access rights
835 as from outside. Directories listed in
836 <varname>ReadOnlyDirectories=</varname>
837 are accessible for reading only,
838 writing will be refused even if the
839 usual file access controls would
840 permit this. Directories listed in
841 <varname>InaccessibleDirectories=</varname>
74051b9b
LP		 842 will be made inaccessible for
843 processes inside the namespace. Note
844 that restricting access with these
845 options does not extend to submounts
d6797c92
LP		 846 of a directory that are created later
847 on. These options may be specified
74051b9b
LP		 848 more than once in which case all
849 directories listed will have limited
850 access from within the namespace. If
851 the empty string is assigned to this
d6797c92
LP		 852 option, the specific list is reset,
853 and all prior assignments have no
ea92ae33
MW		 854 effect.</para>
855 <para>Paths in
856 <varname>ReadOnlyDirectories=</varname>
857 and
858 <varname>InaccessibleDirectories=</varname>
859 may be prefixed with
860 <literal>-</literal>, in which case
6b4991cf 861 they will be ignored when they do not
907afa06
LP		 862 exist. Note that using this
863 setting will disconnect propagation of
864 mounts from the service to the host
865 (propagation in the opposite direction
866 continues to work). This means that
867 this setting may not be used for
868 services which shall be able to
869 install mount points in the main mount
870 namespace.</para></listitem>
dd1eb43b
LP		 871 </varlistentry>
872
873 <varlistentry>
874 <term><varname>PrivateTmp=</varname></term>
875
876 <listitem><para>Takes a boolean
79640424 877 argument. If true, sets up a new file
ff01d048 878 system namespace for the executed
652d0dd7
ZJS		 879 processes and mounts private
880 <filename>/tmp</filename> and
613b411c 881 <filename>/var/tmp</filename>
e0e009c0 882 directories inside it that is not
613b411c 883 shared by processes outside of the
dd1eb43b
LP		 884 namespace. This is useful to secure
885 access to temporary files of the
886 process, but makes sharing between
887 processes via
652d0dd7
ZJS		 888 <filename>/tmp</filename> or
889 <filename>/var/tmp</filename>
b8bde116 890 impossible. If this is enabled, all
907afa06
LP		 891 temporary files created by a service
892 in these directories will be removed
893 after the service is stopped. Defaults
894 to false. It is possible to run two or
895 more units within the same private
896 <filename>/tmp</filename> and
613b411c
LP		 897 <filename>/var/tmp</filename>
898 namespace by using the
899 <varname>JoinsNamespaceOf=</varname>
900 directive, see
901 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
907afa06
LP		 902 for details. Note that using this
903 setting will disconnect propagation of
904 mounts from the service to the host
905 (propagation in the opposite direction
906 continues to work). This means that
907 this setting may not be used for
908 services which shall be able to install
909 mount points in the main mount
910 namespace.</para></listitem>
911 </varlistentry>
912
913 <varlistentry>
914 <term><varname>PrivateDevices=</varname></term>
915
916 <listitem><para>Takes a boolean
917 argument. If true, sets up a new /dev
918 namespace for the executed processes
919 and only adds API pseudo devices such
920 as <filename>/dev/null</filename>,
921 <filename>/dev/zero</filename> or
922 <filename>/dev/random</filename> (as
923 well as the pseudo TTY subsystem) to
924 it, but no physical devices such as
925 <filename>/dev/sda</filename>. This is
926 useful to securely turn off physical
927 device access by the executed
928 process. Defaults to false. Enabling
929 this option will also remove
930 <constant>CAP_MKNOD</constant> from
931 the capability bounding set for the
932 unit (see above), and set
933 <varname>DevicePolicy=closed</varname>
934 (see
935 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
936 for details). Note that using this
937 setting will disconnect propagation of
938 mounts from the service to the host
939 (propagation in the opposite direction
940 continues to work). This means that
941 this setting may not be used for
942 services which shall be able to
943 install mount points in the main mount
944 namespace.</para></listitem>
ff01d048
LP		 945 </varlistentry>
946
947 <varlistentry>
948 <term><varname>PrivateNetwork=</varname></term>
949
950 <listitem><para>Takes a boolean
79640424 951 argument. If true, sets up a new
ff01d048
LP		 952 network namespace for the executed
953 processes and configures only the
954 loopback network device
955 <literal>lo</literal> inside it. No
956 other network devices will be
957 available to the executed process.
958 This is useful to securely turn off
959 network access by the executed
907afa06
LP		 960 process. Defaults to false. It is
961 possible to run two or more units
962 within the same private network
613b411c
LP		 963 namespace by using the
964 <varname>JoinsNamespaceOf=</varname>
965 directive, see
966 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
907afa06
LP		 967 for details. Note that this option
968 will disconnect all socket families
969 from the host, this includes
970 AF_NETLINK and AF_UNIX. The latter has
971 the effect that AF_UNIX sockets in the
972 abstract socket namespace will become
973 unavailable to the processes (however,
974 those located in the file system will
975 continue to be
976 accessible).</para></listitem>
7f112f50
LP		 977 </varlistentry>
978
417116f2 979 <varlistentry>
1b8689f9 980 <term><varname>ProtectSystem=</varname></term>
417116f2
LP		 981
982 <listitem><para>Takes a boolean
1b8689f9
LP		 983 argument or
984 <literal>full</literal>. If true,
985 mounts the <filename>/usr</filename>
5331194c 986 directory read-only for processes
1b8689f9 987 invoked by this unit. If set to
8d0e0ddd
JE		 988 <literal>full</literal>, the
989 <filename>/etc</filename> directory is mounted
1b8689f9
LP		 990 read-only, too. This setting ensures
991 that any modification of the vendor
992 supplied operating system (and
993 optionally its configuration) is
417116f2
LP		 994 prohibited for the service. It is
995 recommended to enable this setting for
996 all long-running services, unless they
997 are involved with system updates or
998 need to modify the operating system in
8d0e0ddd 999 other ways. Note however that
417116f2
LP		 1000 processes retaining the CAP_SYS_ADMIN
1001 capability can undo the effect of this
1002 setting. This setting is hence
1003 particularly useful for daemons which
1004 have this capability removed, for
1005 example with
1006 <varname>CapabilityBoundingSet=</varname>. Defaults
1007 to off.</para></listitem>
1008 </varlistentry>
1009
1010 <varlistentry>
1b8689f9 1011 <term><varname>ProtectHome=</varname></term>
417116f2
LP		 1012
1013 <listitem><para>Takes a boolean
1014 argument or
1015 <literal>read-only</literal>. If true,
1016 the directories
1017 <filename>/home</filename> and
1018 <filename>/run/user</filename> are
1019 made inaccessible and empty for
1020 processes invoked by this unit. If set
8d0e0ddd 1021 to <literal>read-only</literal>, the
8257df27 1022 two directories are made read-only
417116f2
LP		 1023 instead. It is recommended to enable
1024 this setting for all long-running
1025 services (in particular network-facing
1b8689f9 1026 ones), to ensure they cannot get access
417116f2
LP		 1027 to private user data, unless the
1028 services actually require access to
8d0e0ddd 1029 the user's private data. Note however
417116f2
LP		 1030 that processes retaining the
1031 CAP_SYS_ADMIN capability can undo the
1032 effect of this setting. This setting
1033 is hence particularly useful for
1034 daemons which have this capability
1035 removed, for example with
1036 <varname>CapabilityBoundingSet=</varname>. Defaults
1037 to off.</para></listitem>
1038 </varlistentry>
1039
dd1eb43b
LP		 1040 <varlistentry>
1041 <term><varname>MountFlags=</varname></term>
1042
1043 <listitem><para>Takes a mount
1044 propagation flag:
1045 <option>shared</option>,
1046 <option>slave</option> or
1047 <option>private</option>, which
c2c13f2d
LP		 1048 control whether mounts in the file
1049 system namespace set up for this
1050 unit's processes will receive or
1051 propagate mounts or unmounts. See
8050c221 1052 <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
c2c13f2d
LP		 1053 for details. Defaults to
1054 <option>shared</option>. Use
1055 <option>shared</option> to ensure that
1056 mounts and unmounts are propagated
1057 from the host to the container and
1058 vice versa. Use <option>slave</option>
1059 to run processes so that none of their
1060 mounts and unmounts will propagate to
1061 the host. Use <option>private</option>
1062 to also ensure that no mounts and
1063 unmounts from the host will propagate
1064 into the unit processes'
1065 namespace. Note that
1066 <option>slave</option> means that file
1067 systems mounted on the host might stay
06b643e7 1068 mounted continuously in the unit's
c2c13f2d
LP		 1069 namespace, and thus keep the device
1070 busy. Note that the file system
1071 namespace related options
1072 (<varname>PrivateTmp=</varname>,
1073 <varname>PrivateDevices=</varname>,
ef392da6
AB		 1074 <varname>ProtectSystem=</varname>,
1075 <varname>ProtectHome=</varname>,
c2c13f2d
LP		 1076 <varname>ReadOnlyDirectories=</varname>,
1077 <varname>InaccessibleDirectories=</varname>
1078 and
1079 <varname>ReadWriteDirectories=</varname>)
1080 require that mount and unmount
1081 propagation from the unit's file
1082 system namespace is disabled, and
1083 hence downgrade
1084 <option>shared</option> to
1085 <option>slave</option>.
1086 </para></listitem>
dd1eb43b
LP		 1087 </varlistentry>
1088
169c1bda
LP		 1089 <varlistentry>
1090 <term><varname>UtmpIdentifier=</varname></term>
1091
c5315881 1092 <listitem><para>Takes a four
169c1bda
LP		 1093 character identifier string for an
1094 utmp/wtmp entry for this service. This
1095 should only be set for services such
1096 as <command>getty</command>
1097 implementations where utmp/wtmp
1098 entries must be created and cleared
1099 before and after execution. If the
1100 configured string is longer than four
79640424 1101 characters, it is truncated and the
169c1bda
LP		 1102 terminal four characters are
1103 used. This setting interprets %I style
1104 string replacements. This setting is
1105 unset by default, i.e. no utmp/wtmp
1106 entries are created or cleaned up for
1107 this service.</para></listitem>
1108 </varlistentry>
1109
7b52a628
MS		 1110 <varlistentry>
1111 <term><varname>SELinuxContext=</varname></term>
1112
82adf6af
LP		 1113 <listitem><para>Set the SELinux
1114 security context of the executed
1115 process. If set, this will override
1116 the automated domain
1117 transition. However, the policy still
1118 needs to autorize the transition. This
1119 directive is ignored if SELinux is
1120 disabled. If prefixed by
1121 <literal>-</literal>, all errors will
1122 be ignored. See
7b52a628
MS		 1123 <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
1124 for details.</para></listitem>
1125 </varlistentry>
1126
eef65bf3
MS		 1127 <varlistentry>
1128 <term><varname>AppArmorProfile=</varname></term>
1129
dca348bc 1130 <listitem><para>Takes a profile name as argument.
eef65bf3
MS		 1131 The process executed by the unit will switch to
1132 this profile when started. Profiles must already
1133 be loaded in the kernel, or the unit will fail.
1134 This result in a non operation if AppArmor is not
1135 enabled. If prefixed by <literal>-</literal>, all errors
1136 will be ignored.
1137 </para></listitem>
1138 </varlistentry>
1139
2ca620c4
WC		 1140 <varlistentry>
1141 <term><varname>SmackProcessLabel=</varname></term>
1142
1143 <listitem><para>Takes a
1144 <option>SMACK64</option> security
1145 label as argument. The process
1146 executed by the unit will be started
1147 under this label and SMACK will decide
1148 whether the processes is allowed to
1149 run or not based on it. The process
1150 will continue to run under the label
1151 specified here unless the executable
1152 has its own
1153 <option>SMACK64EXEC</option> label, in
1154 which case the process will transition
1155 to run under that label. When not
1156 specified, the label that systemd is
1157 running under is used. This directive
1158 is ignored if SMACK is
1159 disabled.</para>
1160
1161 <para>The value may be prefixed by
1162 <literal>-</literal>, in which case
1163 all errors will be ignored. An empty
1164 value may be specified to unset
1165 previous assignments.</para>
1166 </listitem>
1167 </varlistentry>
1168
353e12c2
LP		 1169 <varlistentry>
1170 <term><varname>IgnoreSIGPIPE=</varname></term>
1171
1172 <listitem><para>Takes a boolean
05cc7267 1173 argument. If true, causes <constant>SIGPIPE</constant> to be
353e12c2 1174 ignored in the executed
e9dd9f95 1175 process. Defaults to true because
05cc7267 1176 <constant>SIGPIPE</constant> generally is useful only in
353e12c2
LP		 1177 shell pipelines.</para></listitem>
1178 </varlistentry>
1179
8351ceae
LP		 1180 <varlistentry>
1181 <term><varname>NoNewPrivileges=</varname></term>
1182
1183 <listitem><para>Takes a boolean
e9dd9f95 1184 argument. If true, ensures that the
8351ceae
LP		 1185 service process and all its children
1186 can never gain new privileges. This
1187 option is more powerful than the respective
1188 secure bits flags (see above), as it
1189 also prohibits UID changes of any
1190 kind. This is the simplest, most
1191 effective way to ensure that a process
1192 and its children can never elevate
1193 privileges again.</para></listitem>
1194 </varlistentry>
1195
1196 <varlistentry>
1197 <term><varname>SystemCallFilter=</varname></term>
1198
f513e420
LP		 1199 <listitem><para>Takes a
1200 space-separated list of system call
e9dd9f95 1201 names. If this setting is used, all
8351ceae 1202 system calls executed by the unit
17df7223 1203 processes except for the listed ones
8351ceae 1204 will result in immediate process
74d00578
ZJS		 1205 termination with the
1206 <constant>SIGSYS</constant> signal
8351ceae 1207 (whitelisting). If the first character
79640424 1208 of the list is <literal>~</literal>,
8351ceae
LP		 1209 the effect is inverted: only the
1210 listed system calls will result in
1211 immediate process termination
f513e420
LP		 1212 (blacklisting). If running in user
1213 mode and this option is used,
8351ceae 1214 <varname>NoNewPrivileges=yes</varname>
f513e420
LP		 1215 is implied. This feature makes use of the
1216 Secure Computing Mode 2 interfaces of
1217 the kernel ('seccomp filtering') and
1218 is useful for enforcing a minimal
8351ceae
LP		 1219 sandboxing environment. Note that the
1220 <function>execve</function>,
1221 <function>rt_sigreturn</function>,
1222 <function>sigreturn</function>,
1223 <function>exit_group</function>,
1224 <function>exit</function> system calls
6b4991cf 1225 are implicitly whitelisted and do not
74051b9b
LP		 1226 need to be listed explicitly. This
1227 option may be specified more than once
1228 in which case the filter masks are
1229 merged. If the empty string is
79640424 1230 assigned, the filter is reset, all
74051b9b 1231 prior assignments will have no
c0467cf3
RC		 1232 effect.</para>
1233
17df7223
LP		 1234 <para>If you specify both types of
1235 this option (i.e. whitelisting and
73e231ab 1236 blacklisting), the first encountered
17df7223
LP		 1237 will take precedence and will dictate
1238 the default action (termination or
1239 approval of a system call). Then the
1240 next occurrences of this option will
1241 add or delete the listed system calls
1242 from the set of the filtered system
1243 calls, depending of its type and the
66f756d4 1244 default action. (For example, if you have started
17df7223
LP		 1245 with a whitelisting of
1246 <function>read</function> and
73e231ab 1247 <function>write</function>, and right
17df7223
LP		 1248 after it add a blacklisting of
1249 <function>write</function>, then
1250 <function>write</function> will be
66f756d4 1251 removed from the set.)
c0467cf3 1252 </para></listitem>
8351ceae
LP		 1253 </varlistentry>
1254
17df7223
LP		 1255 <varlistentry>
1256 <term><varname>SystemCallErrorNumber=</varname></term>
1257
1258 <listitem><para>Takes an
1259 <literal>errno</literal> error number
1260 name to return when the system call
1261 filter configured with
1262 <varname>SystemCallFilter=</varname>
1263 is triggered, instead of terminating
1264 the process immediately. Takes an
1265 error name such as
ac45f971
LP		 1266 <constant>EPERM</constant>,
1267 <constant>EACCES</constant> or
1268 <constant>EUCLEAN</constant>. When this
17df7223 1269 setting is not used, or when the empty
73e231ab 1270 string is assigned, the process will be
17df7223
LP		 1271 terminated immediately when the filter
1272 is triggered.</para></listitem>
1273 </varlistentry>
1274
57183d11
LP		 1275 <varlistentry>
1276 <term><varname>SystemCallArchitectures=</varname></term>
1277
1278 <listitem><para>Takes a space
1279 separated list of architecture
1280 identifiers to include in the system
1281 call filter. The known architecture
1282 identifiers are
ac45f971
LP		 1283 <constant>x86</constant>,
1284 <constant>x86-64</constant>,
1285 <constant>x32</constant>,
f513e420
LP		 1286 <constant>arm</constant> as well as
1287 the special identifier
1288 <constant>native</constant>. Only
1289 system calls of the specified
1290 architectures will be permitted to
1291 processes of this unit. This is an
1292 effective way to disable compatibility
1293 with non-native architectures for
1294 processes, for example to prohibit
1295 execution of 32-bit x86 binaries on
1296 64-bit x86-64 systems. The special
ac45f971 1297 <constant>native</constant> identifier
57183d11
LP		 1298 implicitly maps to the native
1299 architecture of the system (or more
1300 strictly: to the architecture the
f513e420
LP		 1301 system manager is compiled for). If
1302 running in user mode and this option
1303 is used,
1304 <varname>NoNewPrivileges=yes</varname>
1305 is implied. Note that setting this
1306 option to a non-empty list implies
1307 that <constant>native</constant> is
1308 included too. By default, this option
1309 is set to the empty list, i.e. no
1310 architecture system call filtering is
e9642be2 1311 applied.</para></listitem>
57183d11
LP		 1312 </varlistentry>
1313
4298d0b5
LP		 1314 <varlistentry>
1315 <term><varname>RestrictAddressFamilies=</varname></term>
1316
1317 <listitem><para>Restricts the set of
1318 socket address families accessible to
1319 the processes of this unit. Takes a
1320 space-separated list of address family
1321 names to whitelist, such as
1322 <constant>AF_UNIX</constant>,
1323 <constant>AF_INET</constant> or
1324 <constant>AF_INET6</constant>. When
1325 prefixed with <constant>~</constant>
1326 the listed address families will be
1327 applied as blacklist, otherwise as
1328 whitelist. Note that this restricts
1329 access to the
1330 <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1331 system call only. Sockets passed into
1332 the process by other means (for
1333 example, by using socket activation
1334 with socket units, see
1335 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1336 are unaffected. Also, sockets created
1337 with <function>socketpair()</function>
1338 (which creates connected AF_UNIX
1339 sockets only) are unaffected. Note
1340 that this option has no effect on
70a44afe 1341 32-bit x86 and is ignored (but works
f513e420
LP		 1342 correctly on x86-64). If running in user
1343 mode and this option is used,
1344 <varname>NoNewPrivileges=yes</varname>
b8bde116 1345 is implied. By default, no
4298d0b5
LP		 1346 restriction applies, all address
1347 families are accessible to
1348 processes. If assigned the empty
b8bde116 1349 string, any previous list changes are
4298d0b5
LP		 1350 undone.</para>
1351
1352 <para>Use this option to limit
1353 exposure of processes to remote
1354 systems, in particular via exotic
1355 network protocols. Note that in most
b8bde116 1356 cases, the local
4298d0b5
LP		 1357 <constant>AF_UNIX</constant> address
1358 family should be included in the
1359 configured whitelist as it is
1360 frequently used for local
1361 communication, including for
1362 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1363 logging.</para></listitem>
1364 </varlistentry>
1365
ac45f971
LP		 1366 <varlistentry>
1367 <term><varname>Personality=</varname></term>
1368
1369 <listitem><para>Controls which
1370 kernel architecture
1371 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
1372 shall report, when invoked by unit
1373 processes. Takes one of
1374 <constant>x86</constant> and
1375 <constant>x86-64</constant>. This is
70a44afe 1376 useful when running 32-bit services on
b8bde116 1377 a 64-bit host system. If not specified,
ac45f971
LP		 1378 the personality is left unmodified and
1379 thus reflects the personality of the
1380 host system's
1381 kernel.</para></listitem>
1382 </varlistentry>
4298d0b5 1383
e66cf1a3
LP		 1384 <varlistentry>
1385 <term><varname>RuntimeDirectory=</varname></term>
1386 <term><varname>RuntimeDirectoryMode=</varname></term>
1387
1388 <listitem><para>Takes a list of
b8bde116 1389 directory names. If set, one or more
e66cf1a3
LP		 1390 directories by the specified names
1391 will be created below
1392 <filename>/run</filename> (for system
1393 services) or below
1394 <varname>$XDG_RUNTIME_DIR</varname>
1395 (for user services) when the unit is
b8bde116 1396 started, and removed when the unit is
e66cf1a3
LP		 1397 stopped. The directories will have the
1398 access mode specified in
1399 <varname>RuntimeDirectoryMode=</varname>,
1400 and will be owned by the user and
1401 group specified in
1402 <varname>User=</varname> and
1403 <varname>Group=</varname>. Use this to
1404 manage one or more runtime directories
1405 of the unit and bind their lifetime to
1406 the daemon runtime. The specified
1407 directory names must be relative, and
1408 may not include a
1409 <literal>/</literal>, i.e. must refer
1410 to simple directories to create or
1411 remove. This is particularly useful
f1721625 1412 for unprivileged daemons that cannot
e66cf1a3
LP		 1413 create runtime directories in
1414 <filename>/run</filename> due to lack
1415 of privileges, and to make sure the
1416 runtime directory is cleaned up
1417 automatically after use. For runtime
1418 directories that require more complex
1419 or different configuration or lifetime
1420 guarantees, please consider using
1421 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
1422 </varlistentry>
1423
dd1eb43b
LP		 1424 </variablelist>
1425 </refsect1>
1426
43638332
ZJS		 1427 <refsect1>
1428 <title>Environment variables in spawned processes</title>
1429
1430 <para>Processes started by the system are executed in
1431 a clean environment in which select variables
1432 listed below are set. System processes started by systemd
1433 do not inherit variables from PID 1, but processes
1434 started by user systemd instances inherit all
1435 environment variables from the user systemd instance.
1436 </para>
1437
1438 <variablelist class='environment-variables'>
1439 <varlistentry>
1440 <term><varname>$PATH</varname></term>
1441
1442 <listitem><para>Colon-separated list
1443 of directiories to use when launching
1444 executables. Systemd uses a fixed
1445 value of
1446 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
1447 </para></listitem>
1448 </varlistentry>
1449
1450 <varlistentry>
1451 <term><varname>$LANG</varname></term>
1452
1453 <listitem><para>Locale. Can be set in
1454 <citerefentry><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1455 or on the kernel command line (see
1456 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1457 and
1458 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
1459 </para></listitem>
1460 </varlistentry>
1461
1462 <varlistentry>
1463 <term><varname>$USER</varname></term>
59fccd82 1464 <term><varname>$LOGNAME</varname></term>
43638332 1465 <term><varname>$HOME</varname></term>
59fccd82 1466 <term><varname>$SHELL</varname></term>
43638332 1467
59fccd82
ZJS		 1468 <listitem><para>User name (twice), home
1469 directory, and the login shell.
72f4d966 1470 The variables are set for the units that
43638332
ZJS		 1471 have <varname>User=</varname> set,
1472 which includes user
1473 <command>systemd</command> instances.
1474 See
1475 <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
1476 </para></listitem>
1477 </varlistentry>
1478
1479 <varlistentry>
1480 <term><varname>$XDG_RUNTIME_DIR</varname></term>
1481
1482 <listitem><para>The directory for volatile
1483 state. Set for the user <command>systemd</command>
1484 instance, and also in user sessions.
1485 See
1486 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1487 </para></listitem>
1488 </varlistentry>
1489
1490 <varlistentry>
1491 <term><varname>$XDG_SESSION_ID</varname></term>
1492 <term><varname>$XDG_SEAT</varname></term>
1493 <term><varname>$XDG_VTNR</varname></term>
1494
1495 <listitem><para>The identifier of the
72f4d966 1496 session, the seat name, and
43638332
ZJS		 1497 virtual terminal of the session. Set
1498 by
1499 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
1500 for login sessions.
1501 <varname>$XDG_SEAT</varname> and
72f4d966
JE		 1502 <varname>$XDG_VTNR</varname> will
1503 only be set when attached to a seat and a
43638332
ZJS		 1504 tty.</para></listitem>
1505 </varlistentry>
1506
b67f562c
LP		 1507 <varlistentry>
1508 <term><varname>$MAINPID</varname></term>
1509
1510 <listitem><para>The PID of the units
1511 main process if it is known. This is
1512 only set for control processes as
1513 invoked by
1514 <varname>ExecReload=</varname> and
1515 similar. </para></listitem>
1516 </varlistentry>
1517
43638332
ZJS		 1518 <varlistentry>
1519 <term><varname>$MANAGERPID</varname></term>
1520
1521 <listitem><para>The PID of the user
1522 <command>systemd</command> instance,
1523 set for processes spawned by it.
1524 </para></listitem>
1525 </varlistentry>
1526
1527 <varlistentry>
1528 <term><varname>$LISTEN_FDS</varname></term>
1529 <term><varname>$LISTEN_PID</varname></term>
1530
1531 <listitem><para>Information about file
1532 descriptors passed to a service for
1533 socket activation. See
1534 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
1535 </para></listitem>
1536 </varlistentry>
59fccd82
ZJS		 1537
1538 <varlistentry>
1539 <term><varname>$TERM</varname></term>
1540
1541 <listitem><para>Terminal type, set
1542 only for units connected to a terminal
1543 (<varname>StandardInput=tty</varname>,
1544 <varname>StandardOutput=tty</varname>,
1545 or
1546 <varname>StandardError=tty</varname>).
1547 See
5aded369 1548 <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
59fccd82
ZJS		 1549 </para></listitem>
1550 </varlistentry>
43638332
ZJS		 1551 </variablelist>
1552
1553 <para>Additional variables may be configured by the
1554 following means: for processes spawned in specific
1555 units, use the <varname>Environment=</varname> and
1556 <varname>EnvironmentFile=</varname> options above; to
1557 specify variables globally, use
1558 <varname>DefaultEnvironment=</varname> (see
1559 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1560 or the kernel option
1561 <varname>systemd.setenv=</varname> (see
1562 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional
1563 variables may also be set through PAM,
5aded369 1564 cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
43638332
ZJS		 1565 </refsect1>
1566
dd1eb43b
LP		 1567 <refsect1>
1568 <title>See Also</title>
1569 <para>
f3e219a2 1570 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
67826132 1571 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
169c4f65 1572 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
dd1eb43b
LP		 1573 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1574 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1575 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2292707d 1576 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
4819ff03 1577 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
9cc2c8b7 1578 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
3fde5f30 1579 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
43638332 1580 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
e66cf1a3 1581 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
5aded369 1582 <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
dd1eb43b
LP		 1583 </para>
1584 </refsect1>
1585
1586</refentry>
Unnamed repository; edit this file 'description' to name the repository.