]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.exec.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
man: update documents for RuntimeDirectory= and friends
[thirdparty/systemd.git] / man / systemd.exec.xml
CommitLineData
023a4f67 1<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
dd1eb43b 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
12b42c76 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
dd1eb43b
LP		 4
5<!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
dd1eb43b
LP		 13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 18 Lesser General Public License for more details.
dd1eb43b 19
5430f7f2 20 You should have received a copy of the GNU Lesser General Public License
dd1eb43b
LP		 21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22-->
23
24<refentry id="systemd.exec">
798d3a52
ZJS		 25 <refentryinfo>
26 <title>systemd.exec</title>
27 <productname>systemd</productname>
28
29 <authorgroup>
30 <author>
31 <contrib>Developer</contrib>
32 <firstname>Lennart</firstname>
33 <surname>Poettering</surname>
34 <email>lennart@poettering.net</email>
35 </author>
36 </authorgroup>
37 </refentryinfo>
38
39 <refmeta>
40 <refentrytitle>systemd.exec</refentrytitle>
41 <manvolnum>5</manvolnum>
42 </refmeta>
43
44 <refnamediv>
45 <refname>systemd.exec</refname>
46 <refpurpose>Execution environment configuration</refpurpose>
47 </refnamediv>
48
49 <refsynopsisdiv>
50 <para><filename><replaceable>service</replaceable>.service</filename>,
51 <filename><replaceable>socket</replaceable>.socket</filename>,
52 <filename><replaceable>mount</replaceable>.mount</filename>,
53 <filename><replaceable>swap</replaceable>.swap</filename></para>
54 </refsynopsisdiv>
55
56 <refsect1>
57 <title>Description</title>
58
59 <para>Unit configuration files for services, sockets, mount
60 points, and swap devices share a subset of configuration options
61 which define the execution environment of spawned
62 processes.</para>
63
64 <para>This man page lists the configuration options shared by
65 these four unit types. See
66 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
67 for the common options of all unit configuration files, and
68 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
69 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
70 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 and
72 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
73 for more information on the specific unit configuration files. The
74 execution specific configuration options are configured in the
75 [Service], [Socket], [Mount], or [Swap] sections, depending on the
76 unit type.</para>
74b47bbd 77
c7458f93 78 <para>In addition, options which control resources through Linux Control Groups (cgroups) are listed in
74b47bbd
ZJS		 79 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
80 Those options complement options listed here.</para>
798d3a52
ZJS		 81 </refsect1>
82
c129bd5d 83 <refsect1>
45f09f93
JL		 84 <title>Implicit Dependencies</title>
85
86 <para>A few execution parameters result in additional, automatic dependencies to be added:</para>
87
88 <itemizedlist>
89 <listitem><para>Units with <varname>WorkingDirectory=</varname>, <varname>RootDirectory=</varname>, <varname>RootImage=</varname>,
90 <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>, <varname>CacheDirectory=</varname>,
91 <varname>LogsDirectory=</varname> or <varname>ConfigurationDirectory=</varname> set automatically gain dependencies
92 of type <varname>Requires=</varname> and <varname>After=</varname> on all mount units required to access the specified paths.
93 This is equivalent to having them listed explicitly in <varname>RequiresMountsFor=</varname>.</para></listitem>
94
95 <listitem><para>Similar, units with <varname>PrivateTmp=</varname> enabled automatically get mount unit dependencies for all
96 mounts required to access <filename>/tmp</filename> and <filename>/var/tmp</filename>. They will also gain an
97 automatic <varname>After=</varname> dependency on
98 <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
99
100 <listitem><para>Units whose standard output or error output is connected to <option>journal</option>, <option>syslog</option>
101 or <option>kmsg</option> (or their combinations with console output, see below) automatically acquire dependencies
102 of type <varname>After=</varname> on <filename>systemd-journald.socket</filename>.</para></listitem>
103 </itemizedlist>
c129bd5d
LP		 104 </refsect1>
105
45f09f93
JL		 106 <!-- We don't have any default dependency here. -->
107
798d3a52
ZJS		 108 <refsect1>
109 <title>Options</title>
110
111 <variablelist class='unit-directives'>
112
113 <varlistentry>
114 <term><varname>WorkingDirectory=</varname></term>
115
d251207d
LP		 116 <listitem><para>Takes a directory path relative to the service's root directory specified by
117 <varname>RootDirectory=</varname>, or the special value <literal>~</literal>. Sets the working directory for
118 executed processes. If set to <literal>~</literal>, the home directory of the user specified in
119 <varname>User=</varname> is used. If not set, defaults to the root directory when systemd is running as a
120 system instance and the respective user's home directory if run as user. If the setting is prefixed with the
121 <literal>-</literal> character, a missing working directory is not considered fatal. If
915e6d16
LP		 122 <varname>RootDirectory=</varname>/<varname>RootImage=</varname> is not set, then
123 <varname>WorkingDirectory=</varname> is relative to the root of the system running the service manager. Note
124 that setting this parameter might result in additional dependencies to be added to the unit (see
125 above).</para></listitem>
798d3a52
ZJS		 126 </varlistentry>
127
128 <varlistentry>
129 <term><varname>RootDirectory=</varname></term>
130
d251207d
LP		 131 <listitem><para>Takes a directory path relative to the host's root directory (i.e. the root of the system
132 running the service manager). Sets the root directory for executed processes, with the <citerefentry
133 project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> system
134 call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in
135 the <function>chroot()</function> jail. Note that setting this parameter might result in additional
136 dependencies to be added to the unit (see above).</para>
137
5d997827
LP		 138 <para>The <varname>MountAPIVFS=</varname> and <varname>PrivateUsers=</varname> settings are particularly useful
139 in conjunction with <varname>RootDirectory=</varname>. For details, see below.</para></listitem>
140 </varlistentry>
141
915e6d16
LP		 142 <varlistentry>
143 <term><varname>RootImage=</varname></term>
144 <listitem><para>Takes a path to a block device node or regular file as argument. This call is similar to
6cf5a964 145 <varname>RootDirectory=</varname> however mounts a file system hierarchy from a block device node or loopback
915e6d16
LP		 146 file instead of a directory. The device node or file system image file needs to contain a file system without a
147 partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single
148 Linux-compatible partition, or a set of file systems within a GPT partition table that follows the <ulink
28a0ad81 149 url="https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable Partitions
915e6d16
LP		 150 Specification</ulink>.</para></listitem>
151 </varlistentry>
152
5d997827
LP		 153 <varlistentry>
154 <term><varname>MountAPIVFS=</varname></term>
155
156 <listitem><para>Takes a boolean argument. If on, a private mount namespace for the unit's processes is created
ef3116b5
ZJS		 157 and the API file systems <filename>/proc</filename>, <filename>/sys</filename>, and <filename>/dev</filename>
158 are mounted inside of it, unless they are already mounted. Note that this option has no effect unless used in
159 conjunction with <varname>RootDirectory=</varname>/<varname>RootImage=</varname> as these three mounts are
160 generally mounted in the host anyway, and unless the root directory is changed, the private mount namespace
161 will be a 1:1 copy of the host's, and include these three mounts. Note that the <filename>/dev</filename> file
162 system of the host is bind mounted if this option is used without <varname>PrivateDevices=</varname>. To run
163 the service with a private, minimal version of <filename>/dev/</filename>, combine this option with
5d997827 164 <varname>PrivateDevices=</varname>.</para></listitem>
798d3a52
ZJS		 165 </varlistentry>
166
167 <varlistentry>
168 <term><varname>User=</varname></term>
169 <term><varname>Group=</varname></term>
170
29206d46 171 <listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single
565dab8e 172 user or group name, or a numeric ID as argument. For system services (services run by the system service manager,
47da760e
LP		 173 i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of
174 <command>systemd --user</command>), the default is <literal>root</literal>, but <varname>User=</varname> may be
175 used to specify a different user. For user services of any other user, switching user identity is not
176 permitted, hence the only valid setting is the same user the user's service manager is running as. If no group
177 is set, the default group of the user is used. This setting does not affect commands whose command line is
565dab8e
LP		 178 prefixed with <literal>+</literal>.</para>
179
180 <para>Note that restrictions on the user/group name syntax are enforced: the specified name must consist only
181 of the characters a-z, A-Z, 0-9, <literal>_</literal> and <literal>-</literal>, except for the first character
182 which must be one of a-z, A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted
183 as first character). The user/group name must have at least one character, and at most 31. These restrictions
184 are enforced in order to avoid ambiguities and to ensure user/group names and unit files remain portable among
185 Linux systems.</para>
186
187 <para>When used in conjunction with <varname>DynamicUser=</varname> the user/group name specified is
188 dynamically allocated at the time the service is started, and released at the time the service is stopped —
189 unless it is already allocated statically (see below). If <varname>DynamicUser=</varname> is not used the
190 specified user and group must have been created statically in the user database no later than the moment the
191 service is started, for example using the
192 <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> facility, which
193 is applied at boot or package install time.</para></listitem>
29206d46
LP		 194 </varlistentry>
195
196 <varlistentry>
197 <term><varname>DynamicUser=</varname></term>
198
199 <listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the
200 unit is started, and released as soon as it is stopped. The user and group will not be added to
201 <filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed transiently during
202 runtime. The <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
203 glibc NSS module provides integration of these dynamic users/groups into the system's user and group
204 databases. The user and group name to use may be configured via <varname>User=</varname> and
205 <varname>Group=</varname> (see above). If these options are not used and dynamic user/group allocation is
206 enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit
207 name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a
208 hash of it is used. If a statically allocated user or group of the configured name already exists, it is used
3bd493dc
YW		 209 and no dynamic user/group is allocated. Note that if <varname>User=</varname> is specified and the static group
210 with the name exists, then it is required that the static user with the name already exists. Similarly,
211 if <varname>Group=</varname> is specified and the static user with the name exists, then it is required that
212 the static group with the name already exists. Dynamic users/groups are allocated from the UID/GID range
29206d46
LP		 213 61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time
214 each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in
215 use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running
216 as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these
217 users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to
63bb64a0 218 these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>RemoveIPC=</varname>,
00d9ef85
LP		 219 <varname>PrivateTmp=</varname> are implied. This ensures that the lifetime of IPC objects and temporary files
220 created by the executed processes is bound to the runtime of the service, and hence the lifetime of the dynamic
221 user/group. Since <filename>/tmp</filename> and <filename>/var/tmp</filename> are usually the only
222 world-writable directories on a system this ensures that a unit making use of dynamic user/group allocation
63bb64a0
LP		 223 cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and
224 <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file
225 system locations. In order to allow the service to write to certain directories, they have to be whitelisted
4a628360
LP		 226 using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't create
227 security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see below) in
228 order to assign a writable runtime directory to a service, owned by the dynamic user/group and removed
229 automatically when the unit is terminated. Use <varname>StateDirectory=</varname>,
230 <varname>CacheDirectory=</varname> and <varname>LogsDirectory=</varname> in order to assign a set of writable
231 directories for specific purposes to the service in a way that they are protected from vulnerabilities due to
232 UID reuse (see below). Defaults to off.</para></listitem>
798d3a52
ZJS		 233 </varlistentry>
234
235 <varlistentry>
236 <term><varname>SupplementaryGroups=</varname></term>
237
238 <listitem><para>Sets the supplementary Unix groups the
239 processes are executed as. This takes a space-separated list
240 of group names or IDs. This option may be specified more than
b938cb90
JE		 241 once, in which case all listed groups are set as supplementary
242 groups. When the empty string is assigned, the list of
798d3a52
ZJS		 243 supplementary groups is reset, and all assignments prior to
244 this one will have no effect. In any way, this option does not
245 override, but extends the list of supplementary groups
246 configured in the system group database for the
43eb109a 247 user. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 248 </varlistentry>
249
00d9ef85
LP		 250 <varlistentry>
251 <term><varname>RemoveIPC=</varname></term>
252
253 <listitem><para>Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and
254 group the processes of this unit are run as are removed when the unit is stopped. This setting only has an
255 effect if at least one of <varname>User=</varname>, <varname>Group=</varname> and
256 <varname>DynamicUser=</varname> are used. It has no effect on IPC objects owned by the root user. Specifically,
257 this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If
258 multiple units use the same user or group the IPC objects are removed when the last of these units is
259 stopped. This setting is implied if <varname>DynamicUser=</varname> is set.</para></listitem>
260 </varlistentry>
261
798d3a52
ZJS		 262 <varlistentry>
263 <term><varname>Nice=</varname></term>
264
265 <listitem><para>Sets the default nice level (scheduling
266 priority) for executed processes. Takes an integer between -20
267 (highest priority) and 19 (lowest priority). See
268 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
269 for details.</para></listitem>
270 </varlistentry>
271
272 <varlistentry>
273 <term><varname>OOMScoreAdjust=</varname></term>
274
275 <listitem><para>Sets the adjustment level for the
276 Out-Of-Memory killer for executed processes. Takes an integer
277 between -1000 (to disable OOM killing for this process) and
278 1000 (to make killing of this process under memory pressure
279 very likely). See <ulink
280 url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
281 for details.</para></listitem>
282 </varlistentry>
283
284 <varlistentry>
285 <term><varname>IOSchedulingClass=</varname></term>
286
b938cb90 287 <listitem><para>Sets the I/O scheduling class for executed
798d3a52
ZJS		 288 processes. Takes an integer between 0 and 3 or one of the
289 strings <option>none</option>, <option>realtime</option>,
290 <option>best-effort</option> or <option>idle</option>. See
291 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
292 for details.</para></listitem>
293 </varlistentry>
294
295 <varlistentry>
296 <term><varname>IOSchedulingPriority=</varname></term>
297
b938cb90 298 <listitem><para>Sets the I/O scheduling priority for executed
798d3a52
ZJS		 299 processes. Takes an integer between 0 (highest priority) and 7
300 (lowest priority). The available priorities depend on the
b938cb90 301 selected I/O scheduling class (see above). See
798d3a52
ZJS		 302 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
303 for details.</para></listitem>
304 </varlistentry>
305
306 <varlistentry>
307 <term><varname>CPUSchedulingPolicy=</varname></term>
308
309 <listitem><para>Sets the CPU scheduling policy for executed
310 processes. Takes one of
311 <option>other</option>,
312 <option>batch</option>,
313 <option>idle</option>,
314 <option>fifo</option> or
315 <option>rr</option>. See
316 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
317 for details.</para></listitem>
318 </varlistentry>
319
320 <varlistentry>
321 <term><varname>CPUSchedulingPriority=</varname></term>
322
323 <listitem><para>Sets the CPU scheduling priority for executed
324 processes. The available priority range depends on the
325 selected CPU scheduling policy (see above). For real-time
326 scheduling policies an integer between 1 (lowest priority) and
327 99 (highest priority) can be used. See
328 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
329 for details. </para></listitem>
330 </varlistentry>
331
332 <varlistentry>
333 <term><varname>CPUSchedulingResetOnFork=</varname></term>
334
335 <listitem><para>Takes a boolean argument. If true, elevated
336 CPU scheduling priorities and policies will be reset when the
337 executed processes fork, and can hence not leak into child
338 processes. See
339 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
340 for details. Defaults to false.</para></listitem>
341 </varlistentry>
342
343 <varlistentry>
344 <term><varname>CPUAffinity=</varname></term>
345
346 <listitem><para>Controls the CPU affinity of the executed
71b1c27a
FB		 347 processes. Takes a list of CPU indices or ranges separated by
348 either whitespace or commas. CPU ranges are specified by the
349 lower and upper CPU indices separated by a dash.
b938cb90 350 This option may be specified more than once, in which case the
798d3a52
ZJS		 351 specified CPU affinity masks are merged. If the empty string
352 is assigned, the mask is reset, all assignments prior to this
353 will have no effect. See
354 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
355 for details.</para></listitem>
356 </varlistentry>
357
358 <varlistentry>
359 <term><varname>UMask=</varname></term>
360
361 <listitem><para>Controls the file mode creation mask. Takes an
362 access mode in octal notation. See
363 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
364 for details. Defaults to 0022.</para></listitem>
365 </varlistentry>
366
367 <varlistentry>
368 <term><varname>Environment=</varname></term>
369
370 <listitem><para>Sets environment variables for executed
371 processes. Takes a space-separated list of variable
b938cb90 372 assignments. This option may be specified more than once, in
798d3a52
ZJS		 373 which case all listed variables will be set. If the same
374 variable is set twice, the later setting will override the
375 earlier setting. If the empty string is assigned to this
376 option, the list of environment variables is reset, all prior
377 assignments have no effect. Variable expansion is not
378 performed inside the strings, however, specifier expansion is
379 possible. The $ character has no special meaning. If you need
b8e485fa 380 to assign a value containing spaces or the equals sign to a variable, use double
798d3a52
ZJS		 381 quotes (") for the assignment.</para>
382
383 <para>Example:
384 <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"</programlisting>
385 gives three variables <literal>VAR1</literal>,
386 <literal>VAR2</literal>, <literal>VAR3</literal>
387 with the values <literal>word1 word2</literal>,
388 <literal>word3</literal>, <literal>$word 5 6</literal>.
389 </para>
390
391 <para>
392 See
393 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
394 for details about environment variables.</para></listitem>
395 </varlistentry>
396 <varlistentry>
397 <term><varname>EnvironmentFile=</varname></term>
398 <listitem><para>Similar to <varname>Environment=</varname> but
399 reads the environment variables from a text file. The text
400 file should contain new-line-separated variable assignments.
8f0d2981
RM		 401 Empty lines, lines without an <literal>=</literal> separator,
402 or lines starting with ; or # will be ignored,
798d3a52
ZJS		 403 which may be used for commenting. A line ending with a
404 backslash will be concatenated with the following one,
405 allowing multiline variable definitions. The parser strips
406 leading and trailing whitespace from the values of
407 assignments, unless you use double quotes (").</para>
408
409 <para>The argument passed should be an absolute filename or
410 wildcard expression, optionally prefixed with
411 <literal>-</literal>, which indicates that if the file does
412 not exist, it will not be read and no error or warning message
413 is logged. This option may be specified more than once in
414 which case all specified files are read. If the empty string
415 is assigned to this option, the list of file to read is reset,
416 all prior assignments have no effect.</para>
417
418 <para>The files listed with this directive will be read
419 shortly before the process is executed (more specifically,
420 after all processes from a previous unit state terminated.
421 This means you can generate these files in one unit state, and
f407824d
DH		 422 read it with this option in the next).</para>
423
424 <para>Settings from these
798d3a52
ZJS		 425 files override settings made with
426 <varname>Environment=</varname>. If the same variable is set
427 twice from these files, the files will be read in the order
428 they are specified and the later setting will override the
429 earlier setting.</para></listitem>
430 </varlistentry>
431
b4c14404
FB		 432 <varlistentry>
433 <term><varname>PassEnvironment=</varname></term>
434
00819cc1
LP		 435 <listitem><para>Pass environment variables set for the system service manager to executed processes. Takes a
436 space-separated list of variable names. This option may be specified more than once, in which case all listed
437 variables will be passed. If the empty string is assigned to this option, the list of environment variables to
438 pass is reset, all prior assignments have no effect. Variables specified that are not set for the system
439 manager will not be passed and will be silently ignored. Note that this option is only relevant for the system
440 service manager, as system services by default do not automatically inherit any environment variables set for
441 the service manager itself. However, in case of the user service manager all environment variables are passed
442 to the executed processes anyway, hence this option is without effect for the user service manager.</para>
443
444 <para>Variables set for invoked processes due to this setting are subject to being overridden by those
445 configured with <varname>Environment=</varname> or <varname>EnvironmentFile=</varname>.</para>
b4c14404
FB		 446
447 <para>Example:
448 <programlisting>PassEnvironment=VAR1 VAR2 VAR3</programlisting>
449 passes three variables <literal>VAR1</literal>,
450 <literal>VAR2</literal>, <literal>VAR3</literal>
451 with the values set for those variables in PID1.</para>
452
453 <para>
454 See
455 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
456 for details about environment variables.</para></listitem>
457 </varlistentry>
458
00819cc1
LP		 459 <varlistentry>
460 <term><varname>UnsetEnvironment=</varname></term>
461
462 <listitem><para>Explicitly unset environment variable assignments that would normally be passed from the
463 service manager to invoked processes of this unit. Takes a space-separated list of variable names or variable
464 assignments. This option may be specified more than once, in which case all listed variables/assignments will
465 be unset. If the empty string is assigned to this option, the list of environment variables/assignments to
466 unset is reset. If a variable assignment is specified (that is: a variable name, followed by
467 <literal>=</literal>, followed by its value), then any environment variable matching this precise assignment is
468 removed. If a variable name is specified (that is a variable name without any following <literal>=</literal> or
469 value), then any assignment matching the variable name, regardless of its value is removed. Note that the
470 effect of <varname>UnsetEnvironment=</varname> is applied as final step when the environment list passed to
471 executed processes is compiled. That means it may undo assignments from any configuration source, including
472 assignments made through <varname>Environment=</varname> or <varname>EnvironmentFile=</varname>, inherited from
473 the system manager's global set of environment variables, inherited via <varname>PassEnvironment=</varname>,
474 set by the service manager itself (such as <varname>$NOTIFY_SOCKET</varname> and such), or set by a PAM module
475 (in case <varname>PAMName=</varname> is used).</para>
476
477 <para>
478 See
479 <citerefentry project='man-pages'><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
480 for details about environment variables.</para></listitem>
481 </varlistentry>
482
798d3a52
ZJS		 483 <varlistentry>
484 <term><varname>StandardInput=</varname></term>
485 <listitem><para>Controls where file descriptor 0 (STDIN) of
486 the executed processes is connected to. Takes one of
487 <option>null</option>,
488 <option>tty</option>,
489 <option>tty-force</option>,
52c239d7
LB		 490 <option>tty-fail</option>,
491 <option>socket</option> or
492 <option>fd</option>.</para>
798d3a52
ZJS		 493
494 <para>If <option>null</option> is selected, standard input
495 will be connected to <filename>/dev/null</filename>, i.e. all
496 read attempts by the process will result in immediate
497 EOF.</para>
498
499 <para>If <option>tty</option> is selected, standard input is
500 connected to a TTY (as configured by
501 <varname>TTYPath=</varname>, see below) and the executed
502 process becomes the controlling process of the terminal. If
503 the terminal is already being controlled by another process,
504 the executed process waits until the current controlling
505 process releases the terminal.</para>
506
507 <para><option>tty-force</option> is similar to
508 <option>tty</option>, but the executed process is forcefully
509 and immediately made the controlling process of the terminal,
510 potentially removing previous controlling processes from the
511 terminal.</para>
512
513 <para><option>tty-fail</option> is similar to
514 <option>tty</option> but if the terminal already has a
515 controlling process start-up of the executed process
516 fails.</para>
517
518 <para>The <option>socket</option> option is only valid in
519 socket-activated services, and only when the socket
520 configuration file (see
521 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
522 for details) specifies a single socket only. If this option is
523 set, standard input will be connected to the socket the
524 service was activated from, which is primarily useful for
525 compatibility with daemons designed for use with the
526 traditional
b5c7d097 527 <citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
798d3a52
ZJS		 528 daemon.</para>
529
52c239d7
LB		 530 <para>The <option>fd</option> option connects
531 the input stream to a single file descriptor provided by a socket unit.
532 A custom named file descriptor can be specified as part of this option,
533 after a <literal>:</literal> (e.g. <literal>fd:<replaceable>foobar</replaceable></literal>).
534 If no name is specified, <literal>stdin</literal> is assumed
535 (i.e. <literal>fd</literal> is equivalent to <literal>fd:stdin</literal>).
536 At least one socket unit defining such name must be explicitly provided via the
537 <varname>Sockets=</varname> option, and file descriptor name may differ
538 from the name of its containing socket unit.
539 If multiple matches are found, the first one will be used.
540 See <varname>FileDescriptorName=</varname> in
541 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
542 for more details about named descriptors and ordering.</para>
543
798d3a52
ZJS		 544 <para>This setting defaults to
545 <option>null</option>.</para></listitem>
546 </varlistentry>
c129bd5d 547
798d3a52
ZJS		 548 <varlistentry>
549 <term><varname>StandardOutput=</varname></term>
550 <listitem><para>Controls where file descriptor 1 (STDOUT) of
551 the executed processes is connected to. Takes one of
552 <option>inherit</option>,
553 <option>null</option>,
554 <option>tty</option>,
555 <option>journal</option>,
556 <option>syslog</option>,
557 <option>kmsg</option>,
558 <option>journal+console</option>,
559 <option>syslog+console</option>,
52c239d7
LB		 560 <option>kmsg+console</option>,
561 <option>socket</option> or
562 <option>fd</option>.</para>
798d3a52
ZJS		 563
564 <para><option>inherit</option> duplicates the file descriptor
565 of standard input for standard output.</para>
566
567 <para><option>null</option> connects standard output to
568 <filename>/dev/null</filename>, i.e. everything written to it
569 will be lost.</para>
570
571 <para><option>tty</option> connects standard output to a tty
572 (as configured via <varname>TTYPath=</varname>, see below). If
573 the TTY is used for output only, the executed process will not
574 become the controlling process of the terminal, and will not
575 fail or wait for other processes to release the
576 terminal.</para>
577
578 <para><option>journal</option> connects standard output with
579 the journal which is accessible via
580 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
581 Note that everything that is written to syslog or kmsg (see
582 below) is implicitly stored in the journal as well, the
583 specific two options listed below are hence supersets of this
584 one.</para>
585
586 <para><option>syslog</option> connects standard output to the
587 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
588 system syslog service, in addition to the journal. Note that
589 the journal daemon is usually configured to forward everything
590 it receives to syslog anyway, in which case this option is no
591 different from <option>journal</option>.</para>
592
593 <para><option>kmsg</option> connects standard output with the
594 kernel log buffer which is accessible via
595 <citerefentry project='man-pages'><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
596 in addition to the journal. The journal daemon might be
597 configured to send all logs to kmsg anyway, in which case this
598 option is no different from <option>journal</option>.</para>
599
600 <para><option>journal+console</option>,
601 <option>syslog+console</option> and
602 <option>kmsg+console</option> work in a similar way as the
603 three options above but copy the output to the system console
604 as well.</para>
605
606 <para><option>socket</option> connects standard output to a
607 socket acquired via socket activation. The semantics are
608 similar to the same option of
609 <varname>StandardInput=</varname>.</para>
610
52c239d7
LB		 611 <para>The <option>fd</option> option connects
612 the output stream to a single file descriptor provided by a socket unit.
613 A custom named file descriptor can be specified as part of this option,
614 after a <literal>:</literal> (e.g. <literal>fd:<replaceable>foobar</replaceable></literal>).
615 If no name is specified, <literal>stdout</literal> is assumed
616 (i.e. <literal>fd</literal> is equivalent to <literal>fd:stdout</literal>).
617 At least one socket unit defining such name must be explicitly provided via the
618 <varname>Sockets=</varname> option, and file descriptor name may differ
619 from the name of its containing socket unit.
620 If multiple matches are found, the first one will be used.
621 See <varname>FileDescriptorName=</varname> in
622 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
623 for more details about named descriptors and ordering.</para>
624
dfe85b38
LP		 625 <para>If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the
626 kernel log buffer, the unit will implicitly gain a dependency of type <varname>After=</varname> on
45f09f93 627 <filename>systemd-journald.socket</filename> (also see the "Implicit Dependencies" section above).</para>
28c75e25 628
798d3a52
ZJS		 629 <para>This setting defaults to the value set with
630 <option>DefaultStandardOutput=</option> in
631 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP		 632 which defaults to <option>journal</option>. Note that setting
633 this parameter might result in additional dependencies to be
634 added to the unit (see above).</para></listitem>
798d3a52 635 </varlistentry>
c129bd5d 636
798d3a52
ZJS		 637 <varlistentry>
638 <term><varname>StandardError=</varname></term>
639 <listitem><para>Controls where file descriptor 2 (STDERR) of
640 the executed processes is connected to. The available options
641 are identical to those of <varname>StandardOutput=</varname>,
52c239d7 642 with some exceptions: if set to <option>inherit</option> the
798d3a52 643 file descriptor used for standard output is duplicated for
52c239d7
LB		 644 standard error, while <option>fd</option> operates on the error
645 stream and will look by default for a descriptor named
646 <literal>stderr</literal>.</para>
647
648 <para>This setting defaults to the value set with
798d3a52
ZJS		 649 <option>DefaultStandardError=</option> in
650 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
c129bd5d
LP		 651 which defaults to <option>inherit</option>. Note that setting
652 this parameter might result in additional dependencies to be
653 added to the unit (see above).</para></listitem>
798d3a52 654 </varlistentry>
c129bd5d 655
798d3a52
ZJS		 656 <varlistentry>
657 <term><varname>TTYPath=</varname></term>
658 <listitem><para>Sets the terminal device node to use if
659 standard input, output, or error are connected to a TTY (see
660 above). Defaults to
661 <filename>/dev/console</filename>.</para></listitem>
662 </varlistentry>
663 <varlistentry>
664 <term><varname>TTYReset=</varname></term>
665 <listitem><para>Reset the terminal device specified with
666 <varname>TTYPath=</varname> before and after execution.
667 Defaults to <literal>no</literal>.</para></listitem>
668 </varlistentry>
669 <varlistentry>
670 <term><varname>TTYVHangup=</varname></term>
671 <listitem><para>Disconnect all clients which have opened the
672 terminal device specified with <varname>TTYPath=</varname>
673 before and after execution. Defaults to
674 <literal>no</literal>.</para></listitem>
675 </varlistentry>
676 <varlistentry>
677 <term><varname>TTYVTDisallocate=</varname></term>
678 <listitem><para>If the terminal device specified with
679 <varname>TTYPath=</varname> is a virtual console terminal, try
680 to deallocate the TTY before and after execution. This ensures
681 that the screen and scrollback buffer is cleared. Defaults to
682 <literal>no</literal>.</para></listitem>
683 </varlistentry>
684 <varlistentry>
685 <term><varname>SyslogIdentifier=</varname></term>
686 <listitem><para>Sets the process name to prefix log lines sent
687 to the logging system or the kernel log buffer with. If not
688 set, defaults to the process name of the executed process.
689 This option is only useful when
690 <varname>StandardOutput=</varname> or
691 <varname>StandardError=</varname> are set to
692 <option>syslog</option>, <option>journal</option> or
693 <option>kmsg</option> (or to the same settings in combination
694 with <option>+console</option>).</para></listitem>
695 </varlistentry>
696 <varlistentry>
697 <term><varname>SyslogFacility=</varname></term>
698 <listitem><para>Sets the syslog facility to use when logging
699 to syslog. One of <option>kern</option>,
700 <option>user</option>, <option>mail</option>,
701 <option>daemon</option>, <option>auth</option>,
702 <option>syslog</option>, <option>lpr</option>,
703 <option>news</option>, <option>uucp</option>,
704 <option>cron</option>, <option>authpriv</option>,
705 <option>ftp</option>, <option>local0</option>,
706 <option>local1</option>, <option>local2</option>,
707 <option>local3</option>, <option>local4</option>,
708 <option>local5</option>, <option>local6</option> or
709 <option>local7</option>. See
710 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
711 for details. This option is only useful when
712 <varname>StandardOutput=</varname> or
713 <varname>StandardError=</varname> are set to
714 <option>syslog</option>. Defaults to
715 <option>daemon</option>.</para></listitem>
716 </varlistentry>
717 <varlistentry>
718 <term><varname>SyslogLevel=</varname></term>
a8eaaee7 719 <listitem><para>The default syslog level to use when logging to
798d3a52
ZJS		 720 syslog or the kernel log buffer. One of
721 <option>emerg</option>,
722 <option>alert</option>,
723 <option>crit</option>,
724 <option>err</option>,
725 <option>warning</option>,
726 <option>notice</option>,
727 <option>info</option>,
728 <option>debug</option>. See
729 <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
730 for details. This option is only useful when
731 <varname>StandardOutput=</varname> or
732 <varname>StandardError=</varname> are set to
733 <option>syslog</option> or <option>kmsg</option>. Note that
734 individual lines output by the daemon might be prefixed with a
735 different log level which can be used to override the default
736 log level specified here. The interpretation of these prefixes
737 may be disabled with <varname>SyslogLevelPrefix=</varname>,
b938cb90 738 see below. For details, see
798d3a52
ZJS		 739 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
740
741 Defaults to
742 <option>info</option>.</para></listitem>
743 </varlistentry>
744
745 <varlistentry>
746 <term><varname>SyslogLevelPrefix=</varname></term>
747 <listitem><para>Takes a boolean argument. If true and
748 <varname>StandardOutput=</varname> or
749 <varname>StandardError=</varname> are set to
750 <option>syslog</option>, <option>kmsg</option> or
751 <option>journal</option>, log lines written by the executed
752 process that are prefixed with a log level will be passed on
753 to syslog with this log level set but the prefix removed. If
754 set to false, the interpretation of these prefixes is disabled
755 and the logged lines are passed on as-is. For details about
756 this prefixing see
757 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
758 Defaults to true.</para></listitem>
759 </varlistentry>
760
761 <varlistentry>
762 <term><varname>TimerSlackNSec=</varname></term>
763 <listitem><para>Sets the timer slack in nanoseconds for the
764 executed processes. The timer slack controls the accuracy of
765 wake-ups triggered by timers. See
766 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
767 for more information. Note that in contrast to most other time
768 span definitions this parameter takes an integer value in
769 nano-seconds if no unit is specified. The usual time units are
770 understood too.</para></listitem>
771 </varlistentry>
772
773 <varlistentry>
774 <term><varname>LimitCPU=</varname></term>
775 <term><varname>LimitFSIZE=</varname></term>
776 <term><varname>LimitDATA=</varname></term>
777 <term><varname>LimitSTACK=</varname></term>
778 <term><varname>LimitCORE=</varname></term>
779 <term><varname>LimitRSS=</varname></term>
780 <term><varname>LimitNOFILE=</varname></term>
781 <term><varname>LimitAS=</varname></term>
782 <term><varname>LimitNPROC=</varname></term>
783 <term><varname>LimitMEMLOCK=</varname></term>
784 <term><varname>LimitLOCKS=</varname></term>
785 <term><varname>LimitSIGPENDING=</varname></term>
786 <term><varname>LimitMSGQUEUE=</varname></term>
787 <term><varname>LimitNICE=</varname></term>
788 <term><varname>LimitRTPRIO=</varname></term>
789 <term><varname>LimitRTTIME=</varname></term>
29857001
LP		 790 <listitem><para>Set soft and hard limits on various resources for executed processes. See
791 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details on
792 the resource limit concept. Resource limits may be specified in two formats: either as single value to set a
793 specific soft and hard limit to the same value, or as colon-separated pair <option>soft:hard</option> to set
794 both limits individually (e.g. <literal>LimitAS=4G:16G</literal>). Use the string <varname>infinity</varname>
795 to configure no limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base
796 1024) may be used for resource limits measured in bytes (e.g. LimitAS=16G). For the limits referring to time
797 values, the usual time units ms, s, min, h and so on may be used (see
798 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
799 details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of seconds
800 is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is implied. Also, note
801 that the effective granularity of the limits might influence their enforcement. For example, time limits
802 specified for <varname>LimitCPU=</varname> will be rounded up implicitly to multiples of 1s. For
803 <varname>LimitNICE=</varname> the value may be specified in two syntaxes: if prefixed with <literal>+</literal>
804 or <literal>-</literal>, the value is understood as regular Linux nice value in the range -20..19. If not
805 prefixed like this the value is understood as raw resource limit parameter in the range 0..40 (with 0 being
806 equivalent to 1).</para>
a4c18002
LP		 807
808 <para>Note that most process resource limits configured with
809 these options are per-process, and processes may fork in order
810 to acquire a new set of resources that are accounted
811 independently of the original process, and may thus escape
812 limits set. Also note that <varname>LimitRSS=</varname> is not
813 implemented on Linux, and setting it has no effect. Often it
814 is advisable to prefer the resource controls listed in
815 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
816 over these per-process limits, as they apply to services as a
817 whole, may be altered dynamically at runtime, and are
818 generally more expressive. For example,
819 <varname>MemoryLimit=</varname> is a more powerful (and
820 working) replacement for <varname>LimitRSS=</varname>.</para>
798d3a52 821
f4c9356d
LP		 822 <para>For system units these resource limits may be chosen freely. For user units however (i.e. units run by a
823 per-user instance of
824 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>), these limits are
825 bound by (possibly more restrictive) per-user limits enforced by the OS.</para>
826
827 <para>Resource limits not configured explicitly for a unit default to the value configured in the various
828 <varname>DefaultLimitCPU=</varname>, <varname>DefaultLimitFSIZE=</varname>, … options available in
829 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and –
830 if not configured there – the kernel or per-user defaults, as defined by the OS (the latter only for user
831 services, see above).</para>
832
798d3a52 833 <table>
f4c9356d 834 <title>Resource limit directives, their equivalent <command>ulimit</command> shell commands and the unit used</title>
798d3a52 835
a4c18002 836 <tgroup cols='3'>
798d3a52
ZJS		 837 <colspec colname='directive' />
838 <colspec colname='equivalent' />
a4c18002 839 <colspec colname='unit' />
798d3a52
ZJS		 840 <thead>
841 <row>
842 <entry>Directive</entry>
f4c9356d 843 <entry><command>ulimit</command> equivalent</entry>
a4c18002 844 <entry>Unit</entry>
798d3a52
ZJS		 845 </row>
846 </thead>
847 <tbody>
848 <row>
a4c18002 849 <entry>LimitCPU=</entry>
798d3a52 850 <entry>ulimit -t</entry>
a4c18002 851 <entry>Seconds</entry>
798d3a52
ZJS		 852 </row>
853 <row>
a4c18002 854 <entry>LimitFSIZE=</entry>
798d3a52 855 <entry>ulimit -f</entry>
a4c18002 856 <entry>Bytes</entry>
798d3a52
ZJS		 857 </row>
858 <row>
a4c18002 859 <entry>LimitDATA=</entry>
798d3a52 860 <entry>ulimit -d</entry>
a4c18002 861 <entry>Bytes</entry>
798d3a52
ZJS		 862 </row>
863 <row>
a4c18002 864 <entry>LimitSTACK=</entry>
798d3a52 865 <entry>ulimit -s</entry>
a4c18002 866 <entry>Bytes</entry>
798d3a52
ZJS		 867 </row>
868 <row>
a4c18002 869 <entry>LimitCORE=</entry>
798d3a52 870 <entry>ulimit -c</entry>
a4c18002 871 <entry>Bytes</entry>
798d3a52
ZJS		 872 </row>
873 <row>
a4c18002 874 <entry>LimitRSS=</entry>
798d3a52 875 <entry>ulimit -m</entry>
a4c18002 876 <entry>Bytes</entry>
798d3a52
ZJS		 877 </row>
878 <row>
a4c18002 879 <entry>LimitNOFILE=</entry>
798d3a52 880 <entry>ulimit -n</entry>
a4c18002 881 <entry>Number of File Descriptors</entry>
798d3a52
ZJS		 882 </row>
883 <row>
a4c18002 884 <entry>LimitAS=</entry>
798d3a52 885 <entry>ulimit -v</entry>
a4c18002 886 <entry>Bytes</entry>
798d3a52
ZJS		 887 </row>
888 <row>
a4c18002 889 <entry>LimitNPROC=</entry>
798d3a52 890 <entry>ulimit -u</entry>
a4c18002 891 <entry>Number of Processes</entry>
798d3a52
ZJS		 892 </row>
893 <row>
a4c18002 894 <entry>LimitMEMLOCK=</entry>
798d3a52 895 <entry>ulimit -l</entry>
a4c18002 896 <entry>Bytes</entry>
798d3a52
ZJS		 897 </row>
898 <row>
a4c18002 899 <entry>LimitLOCKS=</entry>
798d3a52 900 <entry>ulimit -x</entry>
a4c18002 901 <entry>Number of Locks</entry>
798d3a52
ZJS		 902 </row>
903 <row>
a4c18002 904 <entry>LimitSIGPENDING=</entry>
798d3a52 905 <entry>ulimit -i</entry>
a4c18002 906 <entry>Number of Queued Signals</entry>
798d3a52
ZJS		 907 </row>
908 <row>
a4c18002 909 <entry>LimitMSGQUEUE=</entry>
798d3a52 910 <entry>ulimit -q</entry>
a4c18002 911 <entry>Bytes</entry>
798d3a52
ZJS		 912 </row>
913 <row>
a4c18002 914 <entry>LimitNICE=</entry>
798d3a52 915 <entry>ulimit -e</entry>
a4c18002 916 <entry>Nice Level</entry>
798d3a52
ZJS		 917 </row>
918 <row>
a4c18002 919 <entry>LimitRTPRIO=</entry>
798d3a52 920 <entry>ulimit -r</entry>
a4c18002 921 <entry>Realtime Priority</entry>
798d3a52
ZJS		 922 </row>
923 <row>
a4c18002 924 <entry>LimitRTTIME=</entry>
798d3a52 925 <entry>No equivalent</entry>
a4c18002 926 <entry>Microseconds</entry>
798d3a52
ZJS		 927 </row>
928 </tbody>
929 </tgroup>
a4c18002 930 </table></listitem>
798d3a52
ZJS		 931 </varlistentry>
932
933 <varlistentry>
934 <term><varname>PAMName=</varname></term>
9eb484fa
LP		 935 <listitem><para>Sets the PAM service name to set up a session as. If set, the executed process will be
936 registered as a PAM session under the specified service name. This is only useful in conjunction with the
937 <varname>User=</varname> setting, and is otherwise ignored. If not set, no PAM session will be opened for the
938 executed processes. See <citerefentry
939 project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
940 details.</para>
941
942 <para>Note that for each unit making use of this option a PAM session handler process will be maintained as
943 part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be
944 taken when the unit and hence the PAM session terminates. This process is named <literal>(sd-pam)</literal> and
5aaeeffb
LP		 945 is an immediate child process of the unit's main process.</para>
946
947 <para>Note that when this option is used for a unit it is very likely (depending on PAM configuration) that the
948 main unit process will be migrated to its own session scope unit when it is activated. This process will hence
949 be associated with two units: the unit it was originally started from (and for which
950 <varname>PAMName=</varname> was configured), and the session scope unit. Any child processes of that process
951 will however be associated with the session scope unit only. This has implications when used in combination
952 with <varname>NotifyAccess=</varname><option>all</option>, as these child processes will not be able to affect
953 changes in the original unit through notification messages. These messages will be considered belonging to the
954 session scope unit and not the original unit. It is hence not recommended to use <varname>PAMName=</varname> in
955 combination with <varname>NotifyAccess=</varname><option>all</option>.</para>
956 </listitem>
798d3a52
ZJS		 957 </varlistentry>
958
959 <varlistentry>
960 <term><varname>CapabilityBoundingSet=</varname></term>
961
479050b3
LP		 962 <listitem><para>Controls which capabilities to include in the capability bounding set for the executed
963 process. See <citerefentry
964 project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
b2656f1b
LP		 965 details. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>,
966 <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be
967 included in the bounding set, all others are removed. If the list of capabilities is prefixed with
968 <literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment
969 inverted. Note that this option also affects the respective capabilities in the effective, permitted and
970 inheritable capability sets. If this option is not used, the capability bounding set is not modified on process
971 execution, hence no limits on the capabilities of the process are enforced. This option may appear more than
de7070b4
YW		 972 once, in which case the bounding sets are merged by <constant>AND</constant>, or by <constant>OR</constant>
973 if the lines are prefixed with <literal>~</literal> (see below). If the empty string is assigned
974 to this option, the bounding set is reset to the empty capability set, and all prior settings have no effect.
975 If set to <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available
b2656f1b 976 capabilities, also undoing any previous settings. This does not affect commands prefixed with
de7070b4
YW		 977 <literal>+</literal>.</para>
978
979 <para>Example: if a unit has the following,
980 <programlisting>CapabilityBoundingSet=CAP_A CAP_B
981CapabilityBoundingSet=CAP_B CAP_C</programlisting>
982 then <constant>CAP_A</constant>, <constant>CAP_B</constant>, and <constant>CAP_C</constant> are set.
983 If the second line is prefixed with <literal>~</literal>, e.g.,
984 <programlisting>CapabilityBoundingSet=CAP_A CAP_B
985CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
986 then, only <constant>CAP_A</constant> is set.</para></listitem>
798d3a52
ZJS		 987 </varlistentry>
988
ece87975
IP		 989 <varlistentry>
990 <term><varname>AmbientCapabilities=</varname></term>
991
b2656f1b
LP		 992 <listitem><para>Controls which capabilities to include in the ambient capability set for the executed
993 process. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>,
994 <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. This option may appear more than
de7070b4
YW		 995 once in which case the ambient capability sets are merged (see the above examples in
996 <varname>CapabilityBoundingSet=</varname>). If the list of capabilities is prefixed with
b2656f1b
LP		 997 <literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment
998 inverted. If the empty string is assigned to this option, the ambient capability set is reset to the empty
999 capability set, and all prior settings have no effect. If set to <literal>~</literal> (without any further
1000 argument), the ambient capability set is reset to the full set of available capabilities, also undoing any
1001 previous settings. Note that adding capabilities to ambient capability set adds them to the process's inherited
1002 capability set. </para><para> Ambient capability sets are useful if you want to execute a process as a
1003 non-privileged user but still want to give it some capabilities. Note that in this case option
1004 <constant>keep-caps</constant> is automatically added to <varname>SecureBits=</varname> to retain the
1005 capabilities over the user change. <varname>AmbientCapabilities=</varname> does not affect commands prefixed
1006 with <literal>+</literal>.</para></listitem>
ece87975
IP		 1007 </varlistentry>
1008
798d3a52
ZJS		 1009 <varlistentry>
1010 <term><varname>SecureBits=</varname></term>
1011 <listitem><para>Controls the secure bits set for the executed
1012 process. Takes a space-separated combination of options from
1013 the following list:
1014 <option>keep-caps</option>,
1015 <option>keep-caps-locked</option>,
1016 <option>no-setuid-fixup</option>,
1017 <option>no-setuid-fixup-locked</option>,
1018 <option>noroot</option>, and
1019 <option>noroot-locked</option>.
b938cb90 1020 This option may appear more than once, in which case the secure
798d3a52 1021 bits are ORed. If the empty string is assigned to this option,
43eb109a 1022 the bits are reset to 0. This does not affect commands prefixed with <literal>+</literal>.
cf677fe6 1023 See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 1024 for details.</para></listitem>
1025 </varlistentry>
1026
798d3a52 1027 <varlistentry>
2a624c36
AP		 1028 <term><varname>ReadWritePaths=</varname></term>
1029 <term><varname>ReadOnlyPaths=</varname></term>
1030 <term><varname>InaccessiblePaths=</varname></term>
798d3a52 1031
effbd6d2
LP		 1032 <listitem><para>Sets up a new file system namespace for executed processes. These options may be used to limit
1033 access a process might have to the file system hierarchy. Each setting takes a space-separated list of paths
1034 relative to the host's root directory (i.e. the system running the service manager). Note that if paths
1035 contain symlinks, they are resolved relative to the root directory set with
915e6d16 1036 <varname>RootDirectory=</varname>/<varname>RootImage=</varname>.</para>
effbd6d2
LP		 1037
1038 <para>Paths listed in <varname>ReadWritePaths=</varname> are accessible from within the namespace with the same
1039 access modes as from outside of it. Paths listed in <varname>ReadOnlyPaths=</varname> are accessible for
1040 reading only, writing will be refused even if the usual file access controls would permit this. Nest
1041 <varname>ReadWritePaths=</varname> inside of <varname>ReadOnlyPaths=</varname> in order to provide writable
1042 subdirectories within read-only directories. Use <varname>ReadWritePaths=</varname> in order to whitelist
1043 specific paths for write access if <varname>ProtectSystem=strict</varname> is used. Paths listed in
1044 <varname>InaccessiblePaths=</varname> will be made inaccessible for processes inside the namespace (along with
1045 everything below them in the file system hierarchy).</para>
1046
1047 <para>Note that restricting access with these options does not extend to submounts of a directory that are
1048 created later on. Non-directory paths may be specified as well. These options may be specified more than once,
1049 in which case all paths listed will have limited access from within the namespace. If the empty string is
1050 assigned to this option, the specific list is reset, and all prior assignments have no effect.</para>
1051
e778185b 1052 <para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname> and
5327c910
LP		 1053 <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be
1054 ignored when they do not exist. If prefixed with <literal>+</literal> the paths are taken relative to the root
915e6d16
LP		 1055 directory of the unit, as configured with <varname>RootDirectory=</varname>/<varname>RootImage=</varname>,
1056 instead of relative to the root directory of the host (see above). When combining <literal>-</literal> and
1057 <literal>+</literal> on the same path make sure to specify <literal>-</literal> first, and <literal>+</literal>
1058 second.</para>
5327c910
LP		 1059
1060 <para>Note that using this setting will disconnect propagation of mounts from the service to the host
1061 (propagation in the opposite direction continues to work). This means that this setting may not be used for
1062 services which shall be able to install mount points in the main mount namespace. Note that the effect of these
1063 settings may be undone by privileged processes. In order to set up an effective sandboxed environment for a
1064 unit it is thus recommended to combine these settings with either
1065 <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or
1066 <varname>SystemCallFilter=~@mount</varname>.</para></listitem>
798d3a52
ZJS		 1067 </varlistentry>
1068
d2d6c096
LP		 1069 <varlistentry>
1070 <term><varname>BindPaths=</varname></term>
1071 <term><varname>BindReadOnlyPaths=</varname></term>
1072
1073 <listitem><para>Configures unit-specific bind mounts. A bind mount makes a particular file or directory
1074 available at an additional place in the unit's view of the file system. Any bind mounts created with this
1075 option are specific to the unit, and are not visible in the host's mount table. This option expects a
1076 whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of
1077 source path, destination path and option string, where the latter two are optional. If only a source path is
1078 specified the source and destination is taken to be the same. The option string may be either
1079 <literal>rbind</literal> or <literal>norbind</literal> for configuring a recursive or non-recursive bind
98063016 1080 mount. If the destination path is omitted, the option string must be omitted too.</para>
d2d6c096
LP		 1081
1082 <para><varname>BindPaths=</varname> creates regular writable bind mounts (unless the source file system mount
1083 is already marked read-only), while <varname>BindReadOnlyPaths=</varname> creates read-only bind mounts. These
1084 settings may be used more than once, each usage appends to the unit's list of bind mounts. If the empty string
1085 is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note
1086 that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is
1087 used.</para>
1088
915e6d16
LP		 1089 <para>This option is particularly useful when <varname>RootDirectory=</varname>/<varname>RootImage=</varname>
1090 is used. In this case the source path refers to a path on the host file system, while the destination path
1091 refers to a path below the root directory of the unit.</para></listitem>
d2d6c096
LP		 1092 </varlistentry>
1093
798d3a52
ZJS		 1094 <varlistentry>
1095 <term><varname>PrivateTmp=</varname></term>
1096
00d9ef85
LP		 1097 <listitem><para>Takes a boolean argument. If true, sets up a new file system namespace for the executed
1098 processes and mounts private <filename>/tmp</filename> and <filename>/var/tmp</filename> directories inside it
1099 that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of
1100 the process, but makes sharing between processes via <filename>/tmp</filename> or <filename>/var/tmp</filename>
1101 impossible. If this is enabled, all temporary files created by a service in these directories will be removed
1102 after the service is stopped. Defaults to false. It is possible to run two or more units within the same
1103 private <filename>/tmp</filename> and <filename>/var/tmp</filename> namespace by using the
798d3a52 1104 <varname>JoinsNamespaceOf=</varname> directive, see
00d9ef85 1105 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
effbd6d2
LP		 1106 details. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same
1107 restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and
d71f0505
LP		 1108 related calls, see above. Enabling this setting has the side effect of adding <varname>Requires=</varname> and
1109 <varname>After=</varname> dependencies on all mount units necessary to access <filename>/tmp</filename> and
1110 <filename>/var/tmp</filename>. Moreover an implicitly <varname>After=</varname> ordering on
1111 <citerefentry><refentrytitle>systemd-tmpfiles-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
b0238568
ZJS		 1112 is added.</para>
1113
1114 <para>Note that the implementation of this setting might be impossible (for example if mount namespaces
1115 are not available), and the unit should be written in a way that does not solely rely on this setting for
1116 security.</para></listitem>
798d3a52
ZJS		 1117 </varlistentry>
1118
1119 <varlistentry>
1120 <term><varname>PrivateDevices=</varname></term>
1121
b0238568
ZJS		 1122 <listitem><para>Takes a boolean argument. If true, sets up a new <filename>/dev</filename> mount for the
1123 executed processes and only adds API pseudo devices such as <filename>/dev/null</filename>,
1124 <filename>/dev/zero</filename> or
effbd6d2 1125 <filename>/dev/random</filename> (as well as the pseudo TTY subsystem) to it, but no physical devices such as
9221aec8
DH		 1126 <filename>/dev/sda</filename>, system memory <filename>/dev/mem</filename>, system ports
1127 <filename>/dev/port</filename> and others. This is useful to securely turn off physical device access by the
8f81a5f6
DH		 1128 executed process. Defaults to false. Enabling this option will install a system call filter to block low-level
1129 I/O system calls that are grouped in the <varname>@raw-io</varname> set, will also remove
2cd0a735
DH		 1130 <constant>CAP_MKNOD</constant> and <constant>CAP_SYS_RAWIO</constant> from the capability bounding set for
1131 the unit (see above), and set <varname>DevicePolicy=closed</varname> (see
798d3a52 1132 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
effbd6d2
LP		 1133 for details). Note that using this setting will disconnect propagation of mounts from the service to the host
1134 (propagation in the opposite direction continues to work). This means that this setting may not be used for
b0238568
ZJS		 1135 services which shall be able to install mount points in the main mount namespace. The new <filename>/dev</filename>
1136 will be mounted read-only and 'noexec'. The latter may break old programs which try to set up executable memory by
effbd6d2 1137 using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of
2d35b79c
YW		 1138 <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. For this setting the same restrictions
1139 regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
a7db8614 1140 If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
2d35b79c 1141 capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.
b0238568
ZJS		 1142 </para>
1143
1144 <para>Note that the implementation of this setting might be impossible (for example if mount namespaces
1145 are not available), and the unit should be written in a way that does not solely rely on this setting for
1146 security.</para></listitem>
798d3a52
ZJS		 1147 </varlistentry>
1148
1149 <varlistentry>
1150 <term><varname>PrivateNetwork=</varname></term>
1151
1152 <listitem><para>Takes a boolean argument. If true, sets up a
1153 new network namespace for the executed processes and
1154 configures only the loopback network device
1155 <literal>lo</literal> inside it. No other network devices will
1156 be available to the executed process. This is useful to
b0238568 1157 turn off network access by the executed process.
798d3a52
ZJS		 1158 Defaults to false. It is possible to run two or more units
1159 within the same private network namespace by using the
1160 <varname>JoinsNamespaceOf=</varname> directive, see
1161 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1162 for details. Note that this option will disconnect all socket
1163 families from the host, this includes AF_NETLINK and AF_UNIX.
1164 The latter has the effect that AF_UNIX sockets in the abstract
1165 socket namespace will become unavailable to the processes
1166 (however, those located in the file system will continue to be
b0238568
ZJS		 1167 accessible).</para>
1168
1169 <para>Note that the implementation of this setting might be impossible (for example if network namespaces
1170 are not available), and the unit should be written in a way that does not solely rely on this setting for
1171 security.</para></listitem>
798d3a52
ZJS		 1172 </varlistentry>
1173
1174 <varlistentry>
d251207d
LP		 1175 <term><varname>PrivateUsers=</varname></term>
1176
1177 <listitem><para>Takes a boolean argument. If true, sets up a new user namespace for the executed processes and
1178 configures a minimal user and group mapping, that maps the <literal>root</literal> user and group as well as
1179 the unit's own user and group to themselves and everything else to the <literal>nobody</literal> user and
1180 group. This is useful to securely detach the user and group databases used by the unit from the rest of the
1181 system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and
2dd67817 1182 other resources owned by users/groups not equaling <literal>root</literal> or the unit's own will stay visible
d251207d
LP		 1183 from within the unit but appear owned by the <literal>nobody</literal> user and group. If this mode is enabled,
1184 all unit processes are run without privileges in the host user namespace (regardless if the unit's own
1185 user/group is <literal>root</literal> or not). Specifically this means that the process will have zero process
1186 capabilities on the host's user namespace, but full capabilities within the service's user namespace. Settings
1187 such as <varname>CapabilityBoundingSet=</varname> will affect only the latter, and there's no way to acquire
1188 additional capabilities in the host's user namespace. Defaults to off.</para>
1189
915e6d16
LP		 1190 <para>This setting is particularly useful in conjunction with
1191 <varname>RootDirectory=</varname>/<varname>RootImage=</varname>, as the need to synchronize the user and group
1192 databases in the root directory and on the host is reduced, as the only users and groups who need to be matched
b0238568
ZJS		 1193 are <literal>root</literal>, <literal>nobody</literal> and the unit's own user and group.</para>
1194
1195 <para>Note that the implementation of this setting might be impossible (for example if user namespaces
1196 are not available), and the unit should be written in a way that does not solely rely on this setting for
1197 security.</para></listitem>
d251207d
LP		 1198 </varlistentry>
1199
798d3a52
ZJS		 1200 <varlistentry>
1201 <term><varname>ProtectSystem=</varname></term>
1202
3f815163
LP		 1203 <listitem><para>Takes a boolean argument or the special values <literal>full</literal> or
1204 <literal>strict</literal>. If true, mounts the <filename>/usr</filename> and <filename>/boot</filename>
1205 directories read-only for processes invoked by this unit. If set to <literal>full</literal>, the
1206 <filename>/etc</filename> directory is mounted read-only, too. If set to <literal>strict</literal> the entire
1207 file system hierarchy is mounted read-only, except for the API file system subtrees <filename>/dev</filename>,
1208 <filename>/proc</filename> and <filename>/sys</filename> (protect these directories using
1209 <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
1210 <varname>ProtectControlGroups=</varname>). This setting ensures that any modification of the vendor-supplied
1211 operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is
1212 recommended to enable this setting for all long-running services, unless they are involved with system updates
1213 or need to modify the operating system in other ways. If this option is used,
effbd6d2
LP		 1214 <varname>ReadWritePaths=</varname> may be used to exclude specific directories from being made read-only. This
1215 setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding
1216 mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see
1217 above. Defaults to off.</para></listitem>
798d3a52
ZJS		 1218 </varlistentry>
1219
1220 <varlistentry>
1221 <term><varname>ProtectHome=</varname></term>
1222
effbd6d2
LP		 1223 <listitem><para>Takes a boolean argument or <literal>read-only</literal>. If true, the directories
1224 <filename>/home</filename>, <filename>/root</filename> and <filename>/run/user</filename> are made inaccessible
1225 and empty for processes invoked by this unit. If set to <literal>read-only</literal>, the three directories are
1226 made read-only instead. It is recommended to enable this setting for all long-running services (in particular
1227 network-facing ones), to ensure they cannot get access to private user data, unless the services actually
1228 require access to the user's private data. This setting is implied if <varname>DynamicUser=</varname> is
1229 set. For this setting the same restrictions regarding mount propagation and privileges apply as for
1230 <varname>ReadOnlyPaths=</varname> and related calls, see above.</para></listitem>
59eeb84b
LP		 1231 </varlistentry>
1232
1233 <varlistentry>
1234 <term><varname>ProtectKernelTunables=</varname></term>
1235
1236 <listitem><para>Takes a boolean argument. If true, kernel variables accessible through
49accde7
DH		 1237 <filename>/proc/sys</filename>, <filename>/sys</filename>, <filename>/proc/sysrq-trigger</filename>,
1238 <filename>/proc/latency_stats</filename>, <filename>/proc/acpi</filename>,
1239 <filename>/proc/timer_stats</filename>, <filename>/proc/fs</filename> and <filename>/proc/irq</filename> will
525872bf
LP		 1240 be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at
1241 boot-time, for example with the
1242 <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> mechanism. Few
1243 services need to write to these at runtime; it is hence recommended to turn this on for most services. For this
1244 setting the same restrictions regarding mount propagation and privileges apply as for
1245 <varname>ReadOnlyPaths=</varname> and related calls, see above. Defaults to off. If turned on and if running
1246 in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. services
1247 for which <varname>User=</varname> is set), <varname>NoNewPrivileges=yes</varname> is implied. Note that this
1248 option does not prevent indirect changes to kernel tunables effected by IPC calls to other processes. However,
1249 <varname>InaccessiblePaths=</varname> may be used to make relevant IPC file system objects inaccessible. If
1250 <varname>ProtectKernelTunables=</varname> is set, <varname>MountAPIVFS=yes</varname> is
1251 implied.</para></listitem>
59eeb84b
LP		 1252 </varlistentry>
1253
85265556
DH		 1254 <varlistentry>
1255 <term><varname>ProtectKernelModules=</varname></term>
1256
1257 <listitem><para>Takes a boolean argument. If true, explicit module loading will
1258 be denied. This allows to turn off module load and unload operations on modular
1259 kernels. It is recommended to turn this on for most services that do not need special
1260 file systems or extra kernel modules to work. Default to off. Enabling this option
1261 removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for
1262 the unit, and installs a system call filter to block module system calls,
1263 also <filename>/usr/lib/modules</filename> is made inaccessible. For this
1264 setting the same restrictions regarding mount propagation and privileges
1265 apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.
1266 Note that limited automatic module loading due to user configuration or kernel
1267 mapping tables might still happen as side effect of requested user operations,
1268 both privileged and unprivileged. To disable module auto-load feature please see
1269 <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1270 <constant>kernel.modules_disabled</constant> mechanism and
1271 <filename>/proc/sys/kernel/modules_disabled</filename> documentation.
1272 If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
1273 capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
1274 is implied.
1275 </para></listitem>
1276 </varlistentry>
1277
59eeb84b
LP		 1278 <varlistentry>
1279 <term><varname>ProtectControlGroups=</varname></term>
1280
effbd6d2
LP		 1281 <listitem><para>Takes a boolean argument. If true, the Linux Control Groups (<citerefentry
1282 project='man-pages'><refentrytitle>cgroups</refentrytitle><manvolnum>7</manvolnum></citerefentry>) hierarchies
1283 accessible through <filename>/sys/fs/cgroup</filename> will be made read-only to all processes of the
1284 unit. Except for container managers no services should require write access to the control groups hierarchies;
1285 it is hence recommended to turn this on for most services. For this setting the same restrictions regarding
1286 mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see
525872bf
LP		 1287 above. Defaults to off. If <varname>ProtectControlGroups=</varname> is set, <varname>MountAPIVFS=yes</varname> is
1288 implied.</para></listitem>
798d3a52
ZJS		 1289 </varlistentry>
1290
1291 <varlistentry>
1292 <term><varname>MountFlags=</varname></term>
1293
effbd6d2
LP		 1294 <listitem><para>Takes a mount propagation flag: <option>shared</option>, <option>slave</option> or
1295 <option>private</option>, which control whether mounts in the file system namespace set up for this unit's
7141028d 1296 processes will receive or propagate mounts and unmounts. See <citerefentry
effbd6d2
LP		 1297 project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
1298 details. Defaults to <option>shared</option>. Use <option>shared</option> to ensure that mounts and unmounts
fa2a3966
IK		 1299 are propagated from systemd's namespace to the service's namespace and vice versa. Use <option>slave</option>
1300 to run processes so that none of their mounts and unmounts will propagate to the host. Use <option>private</option>
374e6922 1301 to also ensure that no mounts and unmounts from the host will propagate into the unit processes' namespace.
4b957756
IK		 1302 If this is set to <option>slave</option> or <option>private</option>, any mounts created by spawned processes
1303 will be unmounted after the completion of the current command line of <varname>ExecStartPre=</varname>,
1304 <varname>ExecStartPost=</varname>, <varname>ExecStart=</varname>,
1305 and <varname>ExecStopPost=</varname>. Note that
effbd6d2
LP		 1306 <option>slave</option> means that file systems mounted on the host might stay mounted continuously in the
1307 unit's namespace, and thus keep the device busy. Note that the file system namespace related options
1308 (<varname>PrivateTmp=</varname>, <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>,
1309 <varname>ProtectHome=</varname>, <varname>ProtectKernelTunables=</varname>,
1310 <varname>ProtectControlGroups=</varname>, <varname>ReadOnlyPaths=</varname>,
1311 <varname>InaccessiblePaths=</varname>, <varname>ReadWritePaths=</varname>) require that mount and unmount
1312 propagation from the unit's file system namespace is disabled, and hence downgrade <option>shared</option> to
798d3a52
ZJS		 1313 <option>slave</option>. </para></listitem>
1314 </varlistentry>
1315
1316 <varlistentry>
1317 <term><varname>UtmpIdentifier=</varname></term>
1318
1319 <listitem><para>Takes a four character identifier string for
023a4f67
LP		 1320 an <citerefentry
1321 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>
1322 and wtmp entry for this service. This should only be
1323 set for services such as <command>getty</command>
1324 implementations (such as <citerefentry
1325 project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
798d3a52 1326 where utmp/wtmp entries must be created and cleared before and
023a4f67
LP		 1327 after execution, or for services that shall be executed as if
1328 they were run by a <command>getty</command> process (see
1329 below). If the configured string is longer than four
798d3a52
ZJS		 1330 characters, it is truncated and the terminal four characters
1331 are used. This setting interprets %I style string
1332 replacements. This setting is unset by default, i.e. no
1333 utmp/wtmp entries are created or cleaned up for this
1334 service.</para></listitem>
1335 </varlistentry>
1336
023a4f67
LP		 1337 <varlistentry>
1338 <term><varname>UtmpMode=</varname></term>
1339
1340 <listitem><para>Takes one of <literal>init</literal>,
1341 <literal>login</literal> or <literal>user</literal>. If
1342 <varname>UtmpIdentifier=</varname> is set, controls which
1343 type of <citerefentry
1344 project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp
1345 entries for this service are generated. This setting has no
1346 effect unless <varname>UtmpIdentifier=</varname> is set
1347 too. If <literal>init</literal> is set, only an
1348 <constant>INIT_PROCESS</constant> entry is generated and the
6cd16034
LP		 1349 invoked process must implement a
1350 <command>getty</command>-compatible utmp/wtmp logic. If
1351 <literal>login</literal> is set, first an
a8eaaee7 1352 <constant>INIT_PROCESS</constant> entry, followed by a
6cd16034 1353 <constant>LOGIN_PROCESS</constant> entry is generated. In
b938cb90 1354 this case, the invoked process must implement a <citerefentry
023a4f67
LP		 1355 project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
1356 utmp/wtmp logic. If <literal>user</literal> is set, first an
1357 <constant>INIT_PROCESS</constant> entry, then a
a8eaaee7 1358 <constant>LOGIN_PROCESS</constant> entry and finally a
023a4f67 1359 <constant>USER_PROCESS</constant> entry is generated. In this
b938cb90 1360 case, the invoked process may be any process that is suitable
023a4f67
LP		 1361 to be run as session leader. Defaults to
1362 <literal>init</literal>.</para></listitem>
1363 </varlistentry>
1364
798d3a52
ZJS		 1365 <varlistentry>
1366 <term><varname>SELinuxContext=</varname></term>
1367
1368 <listitem><para>Set the SELinux security context of the
1369 executed process. If set, this will override the automated
1370 domain transition. However, the policy still needs to
1371 authorize the transition. This directive is ignored if SELinux
1372 is disabled. If prefixed by <literal>-</literal>, all errors
43eb109a 1373 will be ignored. This does not affect commands prefixed with <literal>+</literal>.
cf677fe6 1374 See <citerefentry project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52
ZJS		 1375 for details.</para></listitem>
1376 </varlistentry>
1377
1378 <varlistentry>
1379 <term><varname>AppArmorProfile=</varname></term>
1380
1381 <listitem><para>Takes a profile name as argument. The process
1382 executed by the unit will switch to this profile when started.
1383 Profiles must already be loaded in the kernel, or the unit
1384 will fail. This result in a non operation if AppArmor is not
1385 enabled. If prefixed by <literal>-</literal>, all errors will
43eb109a 1386 be ignored. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
798d3a52
ZJS		 1387 </varlistentry>
1388
1389 <varlistentry>
1390 <term><varname>SmackProcessLabel=</varname></term>
1391
1392 <listitem><para>Takes a <option>SMACK64</option> security
1393 label as argument. The process executed by the unit will be
1394 started under this label and SMACK will decide whether the
b938cb90 1395 process is allowed to run or not, based on it. The process
798d3a52
ZJS		 1396 will continue to run under the label specified here unless the
1397 executable has its own <option>SMACK64EXEC</option> label, in
1398 which case the process will transition to run under that
1399 label. When not specified, the label that systemd is running
1400 under is used. This directive is ignored if SMACK is
1401 disabled.</para>
1402
1403 <para>The value may be prefixed by <literal>-</literal>, in
1404 which case all errors will be ignored. An empty value may be
cf677fe6 1405 specified to unset previous assignments. This does not affect
43eb109a 1406 commands prefixed with <literal>+</literal>.</para>
798d3a52
ZJS		 1407 </listitem>
1408 </varlistentry>
1409
1410 <varlistentry>
1411 <term><varname>IgnoreSIGPIPE=</varname></term>
1412
1413 <listitem><para>Takes a boolean argument. If true, causes
1414 <constant>SIGPIPE</constant> to be ignored in the executed
1415 process. Defaults to true because <constant>SIGPIPE</constant>
1416 generally is useful only in shell pipelines.</para></listitem>
1417 </varlistentry>
1418
1419 <varlistentry>
1420 <term><varname>NoNewPrivileges=</varname></term>
1421
add00535
LP		 1422 <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can
1423 never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem
1424 capabilities). This is the simplest and most effective way to ensure that a process and its children can never
a7db8614 1425 elevate privileges again. Defaults to false, but certain settings force
add00535
LP		 1426 <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. This is the case when
1427 <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>,
1428 <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>,
1429 <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
1430 <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or
1431 <varname>RestrictRealtime=</varname> are specified.</para></listitem>
798d3a52
ZJS		 1432 </varlistentry>
1433
1434 <varlistentry>
1435 <term><varname>SystemCallFilter=</varname></term>
1436
c79aff9a
LP		 1437 <listitem><para>Takes a space-separated list of system call names. If this setting is used, all system calls
1438 executed by the unit processes except for the listed ones will result in immediate process termination with the
1439 <constant>SIGSYS</constant> signal (whitelisting). If the first character of the list is <literal>~</literal>,
1440 the effect is inverted: only the listed system calls will result in immediate process termination
1441 (blacklisting). If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
1442 capability (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is
1443 implied. This feature makes use of the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering')
1444 and is useful for enforcing a minimal sandboxing environment. Note that the <function>execve</function>,
1445 <function>exit</function>, <function>exit_group</function>, <function>getrlimit</function>,
1446 <function>rt_sigreturn</function>, <function>sigreturn</function> system calls and the system calls for
1447 querying time and sleeping are implicitly whitelisted and do not need to be listed explicitly. This option may
1448 be specified more than once, in which case the filter masks are merged. If the empty string is assigned, the
1449 filter is reset, all prior assignments will have no effect. This does not affect commands prefixed with
1450 <literal>+</literal>.</para>
798d3a52 1451
0b8fab97
LP		 1452 <para>Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off
1453 alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this
1454 option. Specifically, it is recommended to combine this option with
1455 <varname>SystemCallArchitectures=native</varname> or similar.</para>
1456
2ca8dc15
LP		 1457 <para>Note that strict system call filters may impact execution and error handling code paths of the service
1458 invocation. Specifically, access to the <function>execve</function> system call is required for the execution
1459 of the service binary — if it is blocked service invocation will necessarily fail. Also, if execution of the
1460 service binary fails for some reason (for example: missing service executable), the error handling logic might
1461 require access to an additional set of system calls in order to process and log this failure correctly. It
1462 might be necessary to temporarily disable system call filters in order to simplify debugging of such
1463 failures.</para>
1464
798d3a52
ZJS		 1465 <para>If you specify both types of this option (i.e.
1466 whitelisting and blacklisting), the first encountered will
1467 take precedence and will dictate the default action
1468 (termination or approval of a system call). Then the next
1469 occurrences of this option will add or delete the listed
1470 system calls from the set of the filtered system calls,
1471 depending of its type and the default action. (For example, if
1472 you have started with a whitelisting of
1473 <function>read</function> and <function>write</function>, and
1474 right after it add a blacklisting of
1475 <function>write</function>, then <function>write</function>
201c1cc2
TM		 1476 will be removed from the set.)</para>
1477
1478 <para>As the number of possible system
1479 calls is large, predefined sets of system calls are provided.
1480 A set starts with <literal>@</literal> character, followed by
1481 name of the set.
1482
1483 <table>
1484 <title>Currently predefined system call sets</title>
1485
1486 <tgroup cols='2'>
1487 <colspec colname='set' />
1488 <colspec colname='description' />
1489 <thead>
1490 <row>
1491 <entry>Set</entry>
1492 <entry>Description</entry>
1493 </row>
1494 </thead>
1495 <tbody>
44898c53
LP		 1496 <row>
1497 <entry>@aio</entry>
1498 <entry>Asynchronous I/O (<citerefentry project='man-pages'><refentrytitle>io_setup</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>io_submit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
1499 </row>
133ddbbe
LP		 1500 <row>
1501 <entry>@basic-io</entry>
1502 <entry>System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (<citerefentry project='man-pages'><refentrytitle>read</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>write</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
1503 </row>
44898c53
LP		 1504 <row>
1505 <entry>@chown</entry>
1506 <entry>Changing file ownership (<citerefentry project='man-pages'><refentrytitle>chown</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>fchownat</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
1507 </row>
201c1cc2
TM		 1508 <row>
1509 <entry>@clock</entry>
1f9ac68b
LP		 1510 <entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
1511 </row>
1512 <row>
1513 <entry>@cpu-emulation</entry>
1514 <entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
1515 </row>
1516 <row>
1517 <entry>@debug</entry>
1518 <entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2 1519 </row>
1a1b13c9
LP		 1520 <row>
1521 <entry>@file-system</entry>
1522 <entry>File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links.</entry>
1523 </row>
201c1cc2
TM		 1524 <row>
1525 <entry>@io-event</entry>
1f9ac68b 1526 <entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1527 </row>
1528 <row>
1529 <entry>@ipc</entry>
cd5bfd7e 1530 <entry>Pipes, SysV IPC, POSIX Message Queues and other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
1f9ac68b
LP		 1531 </row>
1532 <row>
1533 <entry>@keyring</entry>
1534 <entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2 1535 </row>
cd0ddf6f
LP		 1536 <row>
1537 <entry>@memlock</entry>
1538 <entry>Locking of memory into RAM (<citerefentry project='man-pages'><refentrytitle>mlock</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>mlockall</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
1539 </row>
201c1cc2
TM		 1540 <row>
1541 <entry>@module</entry>
d5efc18b 1542 <entry>Loading and unloading of kernel modules (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
201c1cc2
TM		 1543 </row>
1544 <row>
1545 <entry>@mount</entry>
d5efc18b 1546 <entry>Mounting and unmounting of file systems (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
201c1cc2
TM		 1547 </row>
1548 <row>
1549 <entry>@network-io</entry>
1f9ac68b 1550 <entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
201c1cc2
TM		 1551 </row>
1552 <row>
1553 <entry>@obsolete</entry>
1f9ac68b 1554 <entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
201c1cc2
TM		 1555 </row>
1556 <row>
1557 <entry>@privileged</entry>
1f9ac68b 1558 <entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
201c1cc2
TM		 1559 </row>
1560 <row>
1561 <entry>@process</entry>
d5efc18b 1562 <entry>Process control, execution, namespaceing operations (<citerefentry project='man-pages'><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry>
201c1cc2
TM		 1563 </row>
1564 <row>
1565 <entry>@raw-io</entry>
aa6b9cec 1566 <entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …)</entry>
201c1cc2 1567 </row>
bd2ab3f4
LP		 1568 <row>
1569 <entry>@reboot</entry>
1570 <entry>System calls for rebooting and reboot preparation (<citerefentry project='man-pages'><refentrytitle>reboot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>kexec()</function>, …)</entry>
1571 </row>
133ddbbe
LP		 1572 <row>
1573 <entry>@resources</entry>
1574 <entry>System calls for changing resource limits, memory and scheduling parameters (<citerefentry project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
1575 </row>
6eaaeee9
LP		 1576 <row>
1577 <entry>@setuid</entry>
1578 <entry>System calls for changing user ID and group ID credentials, (<citerefentry project='man-pages'><refentrytitle>setuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setgid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>setresuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
1579 </row>
cd0ddf6f
LP		 1580 <row>
1581 <entry>@signal</entry>
1582 <entry>System calls for manipulating and handling process signals (<citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>sigprocmask</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
1583 </row>
bd2ab3f4
LP		 1584 <row>
1585 <entry>@swap</entry>
1586 <entry>System calls for enabling/disabling swap devices (<citerefentry project='man-pages'><refentrytitle>swapon</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>swapoff</refentrytitle><manvolnum>2</manvolnum></citerefentry>)</entry>
1587 </row>
44898c53
LP		 1588 <row>
1589 <entry>@sync</entry>
1590 <entry>Synchronizing files and memory to disk: (<citerefentry project='man-pages'><refentrytitle>fsync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>msync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
1591 </row>
cd0ddf6f
LP		 1592 <row>
1593 <entry>@timer</entry>
1594 <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
1595 </row>
201c1cc2
TM		 1596 </tbody>
1597 </tgroup>
1598 </table>
1599
869feb33
ZJS		 1600 Note, that as new system calls are added to the kernel, additional system calls might be
1601 added to the groups above. Contents of the sets may also change between systemd
1602 versions. In addition, the list of system calls depends on the kernel version and
1603 architecture for which systemd was compiled. Use
1604 <command>systemd-analyze syscall-filter</command> to list the actual list of system calls in
1605 each filter.
1606 </para>
effbd6d2
LP		 1607
1608 <para>It is recommended to combine the file system namespacing related options with
1609 <varname>SystemCallFilter=~@mount</varname>, in order to prohibit the unit's processes to undo the
1610 mappings. Specifically these are the options <varname>PrivateTmp=</varname>,
1611 <varname>PrivateDevices=</varname>, <varname>ProtectSystem=</varname>, <varname>ProtectHome=</varname>,
1612 <varname>ProtectKernelTunables=</varname>, <varname>ProtectControlGroups=</varname>,
1613 <varname>ReadOnlyPaths=</varname>, <varname>InaccessiblePaths=</varname> and
1614 <varname>ReadWritePaths=</varname>.</para></listitem>
798d3a52
ZJS		 1615 </varlistentry>
1616
1617 <varlistentry>
1618 <term><varname>SystemCallErrorNumber=</varname></term>
1619
1620 <listitem><para>Takes an <literal>errno</literal> error number
1621 name to return when the system call filter configured with
1622 <varname>SystemCallFilter=</varname> is triggered, instead of
1623 terminating the process immediately. Takes an error name such
1624 as <constant>EPERM</constant>, <constant>EACCES</constant> or
1625 <constant>EUCLEAN</constant>. When this setting is not used,
1626 or when the empty string is assigned, the process will be
1627 terminated immediately when the filter is
1628 triggered.</para></listitem>
1629 </varlistentry>
1630
1631 <varlistentry>
1632 <term><varname>SystemCallArchitectures=</varname></term>
1633
0b8fab97
LP		 1634 <listitem><para>Takes a space-separated list of architecture identifiers to include in the system call
1635 filter. The known architecture identifiers are the same as for <varname>ConditionArchitecture=</varname>
1636 described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1637 as well as <constant>x32</constant>, <constant>mips64-n32</constant>, <constant>mips64-le-n32</constant>, and
1638 the special identifier <constant>native</constant>. Only system calls of the specified architectures will be
1639 permitted to processes of this unit. This is an effective way to disable compatibility with non-native
1640 architectures for processes, for example to prohibit execution of 32-bit x86 binaries on 64-bit x86-64
1641 systems. The special <constant>native</constant> identifier implicitly maps to the native architecture of the
1642 system (or more strictly: to the architecture the system manager is compiled for). If running in user mode, or
1643 in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
1644 <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. Note that setting this
1645 option to a non-empty list implies that <constant>native</constant> is included too. By default, this option is
1646 set to the empty list, i.e. no system call architecture filtering is applied.</para>
1647
1648 <para>Note that system call filtering is not equally effective on all architectures. For example, on x86
1649 filtering of network socket-related calls is not possible, due to ABI limitations — a limitation that x86-64
1650 does not have, however. On systems supporting multiple ABIs at the same time — such as x86/x86-64 — it is hence
1651 recommended to limit the set of permitted system call architectures so that secondary ABIs may not be used to
1652 circumvent the restrictions applied to the native ABI of the system. In particular, setting
c29ebc1a 1653 <varname>SystemCallArchitectures=native</varname> is a good choice for disabling non-native ABIs.</para>
0b8fab97
LP		 1654
1655 <para>System call architectures may also be restricted system-wide via the
1656 <varname>SystemCallArchitectures=</varname> option in the global configuration. See
1657 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
1658 details.</para></listitem>
798d3a52
ZJS		 1659 </varlistentry>
1660
1661 <varlistentry>
1662 <term><varname>RestrictAddressFamilies=</varname></term>
1663
142bd808
LP		 1664 <listitem><para>Restricts the set of socket address families accessible to the processes of this unit. Takes a
1665 space-separated list of address family names to whitelist, such as <constant>AF_UNIX</constant>,
1666 <constant>AF_INET</constant> or <constant>AF_INET6</constant>. When prefixed with <constant>~</constant> the
1667 listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access
1668 to the <citerefentry
1669 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call
1670 only. Sockets passed into the process by other means (for example, by using socket activation with socket
1671 units, see <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
1672 are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected AF_UNIX
1673 sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le,
0b8fab97
LP		 1674 ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other ABIs, including x86-64). Note that on
1675 systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for
1676 services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is
1677 recommended to combine this option with <varname>SystemCallArchitectures=native</varname> or similar. If
142bd808
LP		 1678 running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability
1679 (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default,
1680 no restrictions apply, all address families are accessible to processes. If assigned the empty string, any
1681 previous address familiy restriction changes are undone. This setting does not affect commands prefixed with
1682 <literal>+</literal>.</para>
1683
1684 <para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
1685 network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local
1686 <constant>AF_UNIX</constant> address family should be included in the configured whitelist as it is frequently
1687 used for local communication, including for
798d3a52 1688 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
142bd808 1689 logging.</para></listitem>
798d3a52
ZJS		 1690 </varlistentry>
1691
add00535
LP		 1692 <varlistentry>
1693 <term><varname>RestrictNamespaces=</varname></term>
1694
1695 <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details
1696 about Linux namespaces, see
98e9d710 1697 <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either takes a
add00535
LP		 1698 boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no
1699 restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
1700 prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
1701 any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>,
1702 <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any
1703 namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
ceabfb88 1704 prohibited (whitelisting). By prepending the list with a single tilde character (<literal>~</literal>) the
add00535
LP		 1705 effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
1706 permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
1707 which is equivalent to false. Internally, this setting limits access to the
1708 <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
1709 <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
1710 <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
1711 the specified flags parameters into account. Note that — if this option is used — in addition to restricting
1712 creation and switching of the specified types of namespaces (or all of them, if true) access to the
ae9d60ce 1713 <function>setns()</function> system call with a zero flags parameter is prohibited. This setting is only
a3645cc6
JC		 1714 supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le,
1715 s390 and s390x, and enforces no restrictions on other architectures. If running in user
ae9d60ce
LP		 1716 mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
1717 <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied. </para></listitem>
add00535
LP		 1718 </varlistentry>
1719
798d3a52
ZJS		 1720 <varlistentry>
1721 <term><varname>Personality=</varname></term>
1722
7882632d
LP		 1723 <listitem><para>Controls which kernel architecture <citerefentry
1724 project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> shall report,
1725 when invoked by unit processes. Takes one of the architecture identifiers <constant>x86</constant>,
1726 <constant>x86-64</constant>, <constant>ppc</constant>, <constant>ppc-le</constant>, <constant>ppc64</constant>,
1727 <constant>ppc64-le</constant>, <constant>s390</constant> or <constant>s390x</constant>. Which personality
1728 architectures are supported depends on the system architecture. Usually the 64bit versions of the various
1729 system architectures support their immediate 32bit personality architecture counterpart, but no others. For
1730 example, <constant>x86-64</constant> systems support the <constant>x86-64</constant> and
1731 <constant>x86</constant> personalities but no others. The personality feature is useful when running 32-bit
1732 services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
1733 personality of the host system's kernel.</para></listitem>
798d3a52
ZJS		 1734 </varlistentry>
1735
1736 <varlistentry>
78e864e5
TM		 1737 <term><varname>LockPersonality=</varname></term>
1738
e8d85bc0 1739 <listitem><para>Takes a boolean argument. If set, locks down the <citerefentry
78e864e5
TM		 1740 project='man-pages'><refentrytitle>personality</refentrytitle><manvolnum>2</manvolnum></citerefentry> system
1741 call so that the kernel execution domain may not be changed from the default or the personality selected with
1742 <varname>Personality=</varname> directive. This may be useful to improve security, because odd personality
1743 emulations may be poorly tested and source of vulnerabilities. If running in user mode, or in system mode, but
1744 without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>),
1745 <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem>
1746 </varlistentry>
1747
b1edf445
LP		 1748 <varlistentry>
1749 <term><varname>KeyringMode=</varname></term>
1750
1751 <listitem><para>Controls how the kernel session keyring is set up for the service (see <citerefentry
1752 project='man-pages'><refentrytitle>session-keyring</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
1753 details on the session keyring). Takes one of <option>inherit</option>, <option>private</option>,
1754 <option>shared</option>. If set to <option>inherit</option> no special keyring setup is done, and the kernel's
1755 default behaviour is applied. If <option>private</option> is used a new session keyring is allocated when a
1756 service process is invoked, and it is not linked up with any user keyring. This is the recommended setting for
1757 system services, as this ensures that multiple services running under the same system user ID (in particular
1758 the root user) do not share their key material among each other. If <option>shared</option> is used a new
1759 session keyring is allocated as for <option>private</option>, but the user keyring of the user configured with
1760 <varname>User=</varname> is linked into it, so that keys assigned to the user may be requested by the unit's
1761 processes. In this modes multiple units running processes under the same user ID may share key material. Unless
1762 <option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected
1763 key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to
1764 <option>private</option> for the system service manager and to <option>inherit</option> for the user service
1765 manager.</para></listitem>
78e864e5
TM		 1766 </varlistentry>
1767
1768 <varlistentry>
798d3a52 1769 <term><varname>RuntimeDirectory=</varname></term>
4a628360
LP		 1770 <term><varname>StateDirectory=</varname></term>
1771 <term><varname>CacheDirectory=</varname></term>
1772 <term><varname>LogsDirectory=</varname></term>
1773 <term><varname>ConfigurationDirectory=</varname></term>
798d3a52 1774
4a628360
LP		 1775 <listitem><para>These options take a whitespace-separated list of directory names. The specified directory
1776 names must be relative, and may not include <literal>.</literal> or <literal>..</literal>. If set, one or more
1777 directories by the specified names will be created (including their parents) below <filename>/run</filename>
1778 (or <varname>$XDG_RUNTIME_DIR</varname> for user services), <filename>/var/lib</filename> (or
1779 <varname>$XDG_CONFIG_HOME</varname> for user services), <filename>/var/cache</filename> (or
1780 <varname>$XDG_CACHE_HOME</varname> for user services), <filename>/var/log</filename> (or
1781 <varname>$XDG_CONFIG_HOME</varname><filename>/log</filename> for user services), or <filename>/etc</filename>
1782 (or <varname>$XDG_CONFIG_HOME</varname> for user services), respectively, when the unit is started.</para>
1783
1784 <para>In case of <varname>RuntimeDirectory=</varname> the lowest subdirectories are removed when the unit is
1785 stopped. It is possible to preserve the specified directories in this case if
1786 <varname>RuntimeDirectoryPreserve=</varname> is configured to <option>restart</option> or <option>yes</option>
1787 (see below). The directories specified with <varname>StateDirectory=</varname>,
1788 <varname>CacheDirectory=</varname>, <varname>LogsDirectory=</varname>,
1789 <varname>ConfigurationDirectory=</varname> are not removed when the unit is stopped.</para>
1790
1791 <para>Except in case of <varname>ConfigurationDirectory=</varname>, the innermost specified directories will be
1792 owned by the user and group specified in <varname>User=</varname> and <varname>Group=</varname>. If the
1793 specified directories already exist and their owning user or group do not match the configured ones, all files
1794 and directories below the specified directories as well as the directories themselves will have their file
1795 ownership recursively changed to match what is configured. As an optimization, if the specified directories are
1796 already owned by the right user and group, files and directories below of them are left as-is, even if they do
1797 not match what is requested. The innermost specified directories will have their access mode adjusted to the
1798 what is specified in <varname>RuntimeDirectoryMode=</varname>, <varname>StateDirectoryMode=</varname>,
1799 <varname>CacheDirectoryMode=</varname>, <varname>LogsDirectoryMode=</varname> and
1800 <varname>ConfigurationDirectoryMode=</varname>.</para>
1801
fdfcb946 1802 <para>These options imply <varname>BindPaths=</varname> for the specified paths. When combined with
4a628360 1803 <varname>RootDirectory=</varname> or <varname>RootImage=</varname> these paths always reside on the host and
fdfcb946
YW		 1804 are mounted from there into the unit's file system namespace.</para>
1805
1806 <para>If <varname>DynamicUser=</varname> is used in conjunction with <varname>StateDirectory=</varname>,
1807 <varname>CacheDirectory=</varname> and <varname>LogsDirectory=</varname> is slightly altered: the directories
1808 are created below <filename>/var/lib/private</filename>, <filename>/var/cache/private</filename> and
4a628360
LP		 1809 <filename>/var/log/private</filename>, respectively, which are host directories made inaccessible to
1810 unprivileged users, which ensures that access to these directories cannot be gained through dynamic user ID
1811 recycling. Symbolic links are created to hide this difference in behaviour. Both from perspective of the host
1812 and from inside the unit, the relevant directories hence always appear directly below
fdfcb946 1813 <filename>/var/lib</filename>, <filename>/var/cache</filename> and <filename>/var/log</filename>.</para>
4a628360
LP		 1814
1815 <para>Use <varname>RuntimeDirectory=</varname> to manage one or more runtime directories for the unit and bind
1816 their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
23a7448e 1817 runtime directories in <filename>/run</filename> due to lack of privileges, and to make sure the runtime
4a628360
LP		 1818 directory is cleaned up automatically after use. For runtime directories that require more complex or different
1819 configuration or lifetime guarantees, please consider using
23a7448e
YW		 1820 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
1821
1822 <para>Example: if a system service unit has the following,
1823 <programlisting>RuntimeDirectory=foo/bar baz</programlisting>
1824 the service manager creates <filename>/run/foo</filename> (if it does not exist), <filename>/run/foo/bar</filename>,
1825 and <filename>/run/baz</filename>. The directories <filename>/run/foo/bar</filename> and <filename>/run/baz</filename>
1826 except <filename>/run/foo</filename> are owned by the user and group specified in <varname>User=</varname> and
1827 <varname>Group=</varname>, and removed when the service is stopped.
1828 </para></listitem>
3536f49e 1829
3536f49e
YW		 1830 </varlistentry>
1831
189cd8c2
ZJS		 1832 <varlistentry>
1833 <term><varname>RuntimeDirectoryMode=</varname></term>
3536f49e
YW		 1834 <term><varname>StateDirectoryMode=</varname></term>
1835 <term><varname>CacheDirectoryMode=</varname></term>
1836 <term><varname>LogsDirectoryMode=</varname></term>
1837 <term><varname>ConfigurationDirectoryMode=</varname></term>
189cd8c2
ZJS		 1838
1839 <listitem><para>Specifies the access mode of the directories specified in
3536f49e
YW		 1840 <varname>RuntimeDirectory=</varname>, <varname>StateDirectory=</varname>, <varname>CacheDirectory=</varname>,
1841 <varname>LogsDirectory=</varname>, or <varname>ConfigurationDirectory=</varname>, respectively, as an octal number.
1842 Defaults to <constant>0755</constant>. See "Permissions" in
23a7448e
YW		 1843 <citerefentry project='man-pages'><refentrytitle>path_resolution</refentrytitle><manvolnum>7</manvolnum></citerefentry>
1844 for a discussion of the meaning of permission bits.
189cd8c2
ZJS		 1845 </para></listitem>
1846 </varlistentry>
1847
53f47dfc
YW		 1848 <varlistentry>
1849 <term><varname>RuntimeDirectoryPreserve=</varname></term>
1850
1851 <listitem><para>Takes a boolean argument or <option>restart</option>.
1852 If set to <option>no</option> (the default), the directories specified in <varname>RuntimeDirectory=</varname>
1853 are always removed when the service stops. If set to <option>restart</option> the directories are preserved
1854 when the service is both automatically and manually restarted. Here, the automatic restart means the operation
1855 specified in <varname>Restart=</varname>, and manual restart means the one triggered by
1856 <command>systemctl restart foo.service</command>. If set to <option>yes</option>, then the directories are not
1857 removed when the service is stopped. Note that since the runtime directory <filename>/run</filename> is a mount
1858 point of <literal>tmpfs</literal>, then for system services the directories specified in
1859 <varname>RuntimeDirectory=</varname> are removed when the system is rebooted.
189cd8c2
ZJS		 1860 </para></listitem>
1861 </varlistentry>
1862
f3e43635
TM		 1863 <varlistentry>
1864 <term><varname>MemoryDenyWriteExecute=</varname></term>
1865
1866 <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and
8a50cf69
LP		 1867 executable at the same time, or to change existing memory mappings to become executable, or mapping shared
1868 memory segments as executable are prohibited. Specifically, a system call filter is added that rejects
1869 <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both
1870 <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set,
1871 <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
1872 <constant>PROT_EXEC</constant> set and
1873 <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
03c3c520
ZJS		 1874 <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that
1875 generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
8a50cf69
LP		 1876 "trampoline" feature of various C compilers. This option improves service security, as it makes harder for
1877 software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and
0b8fab97
LP		 1878 partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. Note that
1879 on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for
1880 services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is
1881 recommended to combine this option with <varname>SystemCallArchitectures=native</varname> or similar. If
1882 running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability
3536f49e 1883 (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.</para></listitem>
f3e43635
TM		 1884 </varlistentry>
1885
f4170c67
LP		 1886 <varlistentry>
1887 <term><varname>RestrictRealtime=</varname></term>
1888
1889 <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
1890 the unit are refused. This restricts access to realtime task scheduling policies such as
1891 <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See
0a07667d 1892 <citerefentry project='man-pages'><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about
a7db8614
DH		 1893 these scheduling policies. If running in user mode, or in system mode, but
1894 without the <constant>CAP_SYS_ADMIN</constant> capability
1895 (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname>
1896 is implied. Realtime scheduling policies may be used to monopolize CPU time for longer periods
f4170c67
LP		 1897 of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It
1898 is hence recommended to restrict access to realtime scheduling to the few programs that actually require
1899 them. Defaults to off.</para></listitem>
1900 </varlistentry>
1901
798d3a52
ZJS		 1902 </variablelist>
1903 </refsect1>
1904
1905 <refsect1>
1906 <title>Environment variables in spawned processes</title>
1907
00819cc1
LP		 1908 <para>Processes started by the service manager are executed with an environment variable block assembled from
1909 multiple sources. Processes started by the system service manager generally do not inherit environment variables
1910 set for the service manager itself (but this may be altered via <varname>PassEnvironment=</varname>), but processes
1911 started by the user service manager instances generally do inherit all environment variables set for the service
1912 manager itself.</para>
1913
1914 <para>For each invoked process the list of environment variables set is compiled from the following sources:</para>
1915
1916 <itemizedlist>
1917 <listitem><para>Variables globally configured for the service manager, using the
1918 <varname>DefaultEnvironment=</varname> setting in
1919 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, the kernel command line option <varname>systemd.setenv=</varname> (see
1920 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>) or via
1921 <command>systemctl set-environment</command> (see <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para></listitem>
1922
1923 <listitem><para>Variables defined by the service manager itself (see the list below)</para></listitem>
1924
1925 <listitem><para>Variables set in the service manager's own environment variable block (subject to <varname>PassEnvironment=</varname> for the system service manager)</para></listitem>
1926
1927 <listitem><para>Variables set via <varname>Environment=</varname> in the unit file</para></listitem>
1928
1929 <listitem><para>Variables read from files specified via <varname>EnvironmentFiles=</varname> in the unit file</para></listitem>
1930
1931 <listitem><para>Variables set by any PAM modules in case <varname>PAMName=</varname> is in effect, cf. <citerefentry project='man-pages'><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry></para></listitem>
1932 </itemizedlist>
1933
1934 <para>If the same environment variables are set by multiple of these sources, the later source — according to the
1935 order of the list above — wins. Note that as final step all variables listed in
1936 <varname>UnsetEnvironment=</varname> are removed again from the compiled environment variable list, immediately
1937 before it is passed to the executed process.</para>
1938
1939 <para>The following select environment variables are set by the service manager itself for each invoked process:</para>
798d3a52
ZJS		 1940
1941 <variablelist class='environment-variables'>
1942 <varlistentry>
1943 <term><varname>$PATH</varname></term>
1944
1945 <listitem><para>Colon-separated list of directories to use
1946 when launching executables. Systemd uses a fixed value of
1947 <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
1948 </para></listitem>
1949 </varlistentry>
1950
1951 <varlistentry>
1952 <term><varname>$LANG</varname></term>
1953
1954 <listitem><para>Locale. Can be set in
3ba3a79d 1955 <citerefentry project='man-pages'><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
798d3a52
ZJS		 1956 or on the kernel command line (see
1957 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1958 and
1959 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
1960 </para></listitem>
1961 </varlistentry>
1962
1963 <varlistentry>
1964 <term><varname>$USER</varname></term>
1965 <term><varname>$LOGNAME</varname></term>
1966 <term><varname>$HOME</varname></term>
1967 <term><varname>$SHELL</varname></term>
1968
1969 <listitem><para>User name (twice), home directory, and the
23deef88
LP		 1970 login shell. The variables are set for the units that have
1971 <varname>User=</varname> set, which includes user
1972 <command>systemd</command> instances. See
3ba3a79d 1973 <citerefentry project='die-net'><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
798d3a52
ZJS		 1974 </para></listitem>
1975 </varlistentry>
1976
4b58153d
LP		 1977 <varlistentry>
1978 <term><varname>$INVOCATION_ID</varname></term>
1979
1980 <listitem><para>Contains a randomized, unique 128bit ID identifying each runtime cycle of the unit, formatted
1981 as 32 character hexadecimal string. A new ID is assigned each time the unit changes from an inactive state into
1982 an activating or active state, and may be used to identify this specific runtime cycle, in particular in data
1983 stored offline, such as the journal. The same ID is passed to all processes run as part of the
1984 unit.</para></listitem>
1985 </varlistentry>
1986
798d3a52
ZJS		 1987 <varlistentry>
1988 <term><varname>$XDG_RUNTIME_DIR</varname></term>
1989
1990 <listitem><para>The directory for volatile state. Set for the
1991 user <command>systemd</command> instance, and also in user
1992 sessions. See
1993 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
1994 </para></listitem>
1995 </varlistentry>
1996
1997 <varlistentry>
1998 <term><varname>$XDG_SESSION_ID</varname></term>
1999 <term><varname>$XDG_SEAT</varname></term>
2000 <term><varname>$XDG_VTNR</varname></term>
2001
2002 <listitem><para>The identifier of the session, the seat name,
2003 and virtual terminal of the session. Set by
2004 <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
2005 for login sessions. <varname>$XDG_SEAT</varname> and
2006 <varname>$XDG_VTNR</varname> will only be set when attached to
2007 a seat and a tty.</para></listitem>
2008 </varlistentry>
2009
2010 <varlistentry>
2011 <term><varname>$MAINPID</varname></term>
2012
2dd67817 2013 <listitem><para>The PID of the unit's main process if it is
798d3a52
ZJS		 2014 known. This is only set for control processes as invoked by
2015 <varname>ExecReload=</varname> and similar. </para></listitem>
2016 </varlistentry>
2017
2018 <varlistentry>
2019 <term><varname>$MANAGERPID</varname></term>
2020
2021 <listitem><para>The PID of the user <command>systemd</command>
2022 instance, set for processes spawned by it. </para></listitem>
2023 </varlistentry>
2024
2025 <varlistentry>
2026 <term><varname>$LISTEN_FDS</varname></term>
2027 <term><varname>$LISTEN_PID</varname></term>
5c019cf2 2028 <term><varname>$LISTEN_FDNAMES</varname></term>
798d3a52
ZJS		 2029
2030 <listitem><para>Information about file descriptors passed to a
2031 service for socket activation. See
2032 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
2033 </para></listitem>
2034 </varlistentry>
2035
5c019cf2
EV		 2036 <varlistentry>
2037 <term><varname>$NOTIFY_SOCKET</varname></term>
2038
2039 <listitem><para>The socket
2040 <function>sd_notify()</function> talks to. See
2041 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
2042 </para></listitem>
2043 </varlistentry>
2044
2045 <varlistentry>
2046 <term><varname>$WATCHDOG_PID</varname></term>
2047 <term><varname>$WATCHDOG_USEC</varname></term>
2048
2049 <listitem><para>Information about watchdog keep-alive notifications. See
2050 <citerefentry><refentrytitle>sd_watchdog_enabled</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
2051 </para></listitem>
2052 </varlistentry>
2053
798d3a52
ZJS		 2054 <varlistentry>
2055 <term><varname>$TERM</varname></term>
2056
2057 <listitem><para>Terminal type, set only for units connected to
2058 a terminal (<varname>StandardInput=tty</varname>,
2059 <varname>StandardOutput=tty</varname>, or
2060 <varname>StandardError=tty</varname>). See
2061 <citerefentry project='man-pages'><refentrytitle>termcap</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
2062 </para></listitem>
2063 </varlistentry>
7bce046b
LP		 2064
2065 <varlistentry>
2066 <term><varname>$JOURNAL_STREAM</varname></term>
2067
2068 <listitem><para>If the standard output or standard error output of the executed processes are connected to the
2069 journal (for example, by setting <varname>StandardError=journal</varname>) <varname>$JOURNAL_STREAM</varname>
2070 contains the device and inode numbers of the connection file descriptor, formatted in decimal, separated by a
2071 colon (<literal>:</literal>). This permits invoked processes to safely detect whether their standard output or
2072 standard error output are connected to the journal. The device and inode numbers of the file descriptors should
2073 be compared with the values set in the environment variable to determine whether the process output is still
2074 connected to the journal. Note that it is generally not sufficient to only check whether
2075 <varname>$JOURNAL_STREAM</varname> is set at all as services might invoke external processes replacing their
2076 standard output or standard error output, without unsetting the environment variable.</para>
2077
ab2116b1
LP		 2078 <para>If both standard output and standard error of the executed processes are connected to the journal via a
2079 stream socket, this environment variable will contain information about the standard error stream, as that's
2080 usually the preferred destination for log data. (Note that typically the same stream is used for both standard
2081 output and standard error, hence very likely the environment variable contains device and inode information
2082 matching both stream file descriptors.)</para>
2083
7bce046b
LP		 2084 <para>This environment variable is primarily useful to allow services to optionally upgrade their used log
2085 protocol to the native journal protocol (using
2086 <citerefentry><refentrytitle>sd_journal_print</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other
2087 functions) if their standard output or standard error output is connected to the journal anyway, thus enabling
2088 delivery of structured metadata along with logged messages.</para></listitem>
2089 </varlistentry>
136dc4c4
LP		 2090
2091 <varlistentry>
2092 <term><varname>$SERVICE_RESULT</varname></term>
2093
2094 <listitem><para>Only defined for the service unit type, this environment variable is passed to all
2095 <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes, and encodes the service
38a7c3c0
LP		 2096 "result". Currently, the following values are defined:</para>
2097
2098 <table>
2099 <title>Defined <varname>$SERVICE_RESULT</varname> values</title>
2100 <tgroup cols='2'>
2101 <colspec colname='result'/>
2102 <colspec colname='meaning'/>
2103 <thead>
2104 <row>
2105 <entry>Value</entry>
2106 <entry>Meaning</entry>
2107 </row>
2108 </thead>
2109
2110 <tbody>
2111 <row>
2112 <entry><literal>success</literal></entry>
e124ccdf 2113 <entry>The service ran successfully and exited cleanly.</entry>
38a7c3c0
LP		 2114 </row>
2115 <row>
2116 <entry><literal>protocol</literal></entry>
e124ccdf 2117 <entry>A protocol violation occurred: the service did not take the steps required by its unit configuration (specifically what is configured in its <varname>Type=</varname> setting).</entry>
38a7c3c0
LP		 2118 </row>
2119 <row>
2120 <entry><literal>timeout</literal></entry>
e124ccdf 2121 <entry>One of the steps timed out.</entry>
38a7c3c0
LP		 2122 </row>
2123 <row>
2124 <entry><literal>exit-code</literal></entry>
e124ccdf 2125 <entry>Service process exited with a non-zero exit code; see <varname>$EXIT_CODE</varname> below for the actual exit code returned.</entry>
38a7c3c0
LP		 2126 </row>
2127 <row>
2128 <entry><literal>signal</literal></entry>
e124ccdf 2129 <entry>A service process was terminated abnormally by a signal, without dumping core. See <varname>$EXIT_CODE</varname> below for the actual signal causing the termination.</entry>
38a7c3c0
LP		 2130 </row>
2131 <row>
2132 <entry><literal>core-dump</literal></entry>
e124ccdf 2133 <entry>A service process terminated abnormally with a signal and dumped core. See <varname>$EXIT_CODE</varname> below for the signal causing the termination.</entry>
38a7c3c0
LP		 2134 </row>
2135 <row>
2136 <entry><literal>watchdog</literal></entry>
e124ccdf 2137 <entry>Watchdog keep-alive ping was enabled for the service, but the deadline was missed.</entry>
38a7c3c0
LP		 2138 </row>
2139 <row>
2140 <entry><literal>start-limit-hit</literal></entry>
e124ccdf 2141 <entry>A start limit was defined for the unit and it was hit, causing the unit to fail to start. See <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s <varname>StartLimitIntervalSec=</varname> and <varname>StartLimitBurst=</varname> for details.</entry>
38a7c3c0
LP		 2142 </row>
2143 <row>
2144 <entry><literal>resources</literal></entry>
2145 <entry>A catch-all condition in case a system operation failed.</entry>
2146 </row>
2147 </tbody>
2148 </tgroup>
2149 </table>
136dc4c4
LP		 2150
2151 <para>This environment variable is useful to monitor failure or successful termination of a service. Even
2152 though this variable is available in both <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname>, it
2153 is usually a better choice to place monitoring tools in the latter, as the former is only invoked for services
2154 that managed to start up correctly, and the latter covers both services that failed during their start-up and
2155 those which failed during their runtime.</para></listitem>
2156 </varlistentry>
2157
2158 <varlistentry>
2159 <term><varname>$EXIT_CODE</varname></term>
2160 <term><varname>$EXIT_STATUS</varname></term>
2161
2162 <listitem><para>Only defined for the service unit type, these environment variables are passed to all
2163 <varname>ExecStop=</varname>, <varname>ExecStopPost=</varname> processes and contain exit status/code
2164 information of the main process of the service. For the precise definition of the exit code and status, see
2165 <citerefentry><refentrytitle>wait</refentrytitle><manvolnum>2</manvolnum></citerefentry>. <varname>$EXIT_CODE</varname>
2166 is one of <literal>exited</literal>, <literal>killed</literal>,
2167 <literal>dumped</literal>. <varname>$EXIT_STATUS</varname> contains the numeric exit code formatted as string
2168 if <varname>$EXIT_CODE</varname> is <literal>exited</literal>, and the signal name in all other cases. Note
2169 that these environment variables are only set if the service manager succeeded to start and identify the main
e64e1bfd
ZJS		 2170 process of the service.</para>
2171
2172 <table>
2173 <title>Summary of possible service result variable values</title>
2174 <tgroup cols='3'>
2175 <colspec colname='result' />
e64e1bfd 2176 <colspec colname='code' />
a4e26faf 2177 <colspec colname='status' />
e64e1bfd
ZJS		 2178 <thead>
2179 <row>
2180 <entry><varname>$SERVICE_RESULT</varname></entry>
e64e1bfd 2181 <entry><varname>$EXIT_CODE</varname></entry>
a4e26faf 2182 <entry><varname>$EXIT_STATUS</varname></entry>
e64e1bfd
ZJS		 2183 </row>
2184 </thead>
2185
2186 <tbody>
38a7c3c0
LP		 2187 <row>
2188 <entry valign="top"><literal>success</literal></entry>
2189 <entry valign="top"><literal>exited</literal></entry>
2190 <entry><literal>0</literal></entry>
2191 </row>
a4e26faf
JW		 2192 <row>
2193 <entry morerows="1" valign="top"><literal>protocol</literal></entry>
2194 <entry valign="top">not set</entry>
2195 <entry>not set</entry>
2196 </row>
2197 <row>
2198 <entry><literal>exited</literal></entry>
2199 <entry><literal>0</literal></entry>
2200 </row>
29df65f9
ZJS		 2201 <row>
2202 <entry morerows="1" valign="top"><literal>timeout</literal></entry>
2203 <entry valign="top"><literal>killed</literal></entry>
6757c06a 2204 <entry><literal>TERM</literal>, <literal>KILL</literal></entry>
29df65f9 2205 </row>
29df65f9
ZJS		 2206 <row>
2207 <entry valign="top"><literal>exited</literal></entry>
6757c06a
LP		 2208 <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal
2209 >3</literal>, …, <literal>255</literal></entry>
29df65f9 2210 </row>
e64e1bfd
ZJS		 2211 <row>
2212 <entry valign="top"><literal>exit-code</literal></entry>
2213 <entry valign="top"><literal>exited</literal></entry>
38a7c3c0 2214 <entry><literal>1</literal>, <literal>2</literal>, <literal
6757c06a 2215 >3</literal>, …, <literal>255</literal></entry>
e64e1bfd 2216 </row>
e64e1bfd
ZJS		 2217 <row>
2218 <entry valign="top"><literal>signal</literal></entry>
2219 <entry valign="top"><literal>killed</literal></entry>
6757c06a 2220 <entry><literal>HUP</literal>, <literal>INT</literal>, <literal>KILL</literal>, …</entry>
e64e1bfd 2221 </row>
e64e1bfd
ZJS		 2222 <row>
2223 <entry valign="top"><literal>core-dump</literal></entry>
2224 <entry valign="top"><literal>dumped</literal></entry>
6757c06a 2225 <entry><literal>ABRT</literal>, <literal>SEGV</literal>, <literal>QUIT</literal>, …</entry>
e64e1bfd 2226 </row>
e64e1bfd
ZJS		 2227 <row>
2228 <entry morerows="2" valign="top"><literal>watchdog</literal></entry>
2229 <entry><literal>dumped</literal></entry>
2230 <entry><literal>ABRT</literal></entry>
2231 </row>
2232 <row>
2233 <entry><literal>killed</literal></entry>
6757c06a 2234 <entry><literal>TERM</literal>, <literal>KILL</literal></entry>
e64e1bfd
ZJS		 2235 </row>
2236 <row>
2237 <entry><literal>exited</literal></entry>
6757c06a
LP		 2238 <entry><literal>0</literal>, <literal>1</literal>, <literal>2</literal>, <literal
2239 >3</literal>, …, <literal>255</literal></entry>
e64e1bfd 2240 </row>
38a7c3c0
LP		 2241 <row>
2242 <entry><literal>start-limit-hit</literal></entry>
2243 <entry>not set</entry>
2244 <entry>not set</entry>
2245 </row>
e64e1bfd
ZJS		 2246 <row>
2247 <entry><literal>resources</literal></entry>
2248 <entry>any of the above</entry>
2249 <entry>any of the above</entry>
2250 </row>
29df65f9 2251 <row>
38a7c3c0 2252 <entry namest="results" nameend="status">Note: the process may be also terminated by a signal not sent by systemd. In particular the process may send an arbitrary signal to itself in a handler for any of the non-maskable signals. Nevertheless, in the <literal>timeout</literal> and <literal>watchdog</literal> rows above only the signals that systemd sends have been included. Moreover, using <varname>SuccessExitStatus=</varname> additional exit statuses may be declared to indicate clean termination, which is not reflected by this table.</entry>
29df65f9 2253 </row>
e64e1bfd
ZJS		 2254 </tbody>
2255 </tgroup>
2256 </table>
2257
2258 </listitem>
2259 </varlistentry>
798d3a52 2260 </variablelist>
798d3a52
ZJS		 2261 </refsect1>
2262
91a8f867
JS		 2263 <refsect1>
2264 <title>Process exit codes</title>
2265
2266 <para>When invoking a unit process the service manager possibly fails to apply the execution parameters configured
2267 with the settings above. In that case the already created service process will exit with a non-zero exit code
2268 before the configured command line is executed. (Or in other words, the child process possibly exits with these
2269 error codes, after having been created by the <citerefentry
2270 project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call, but
2271 before the matching <citerefentry
2272 project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call is
2273 called.) Specifically, exit codes defined by the C library, by the LSB specification and by the systemd service
2274 manager itself are used.</para>
2275
2276 <para>The following basic service exit codes are defined by the C library.</para>
2277
2278 <table>
2279 <title>Basic C library exit codes</title>
2280 <tgroup cols='3'>
2281 <thead>
2282 <row>
2283 <entry>Exit Code</entry>
2284 <entry>Symbolic Name</entry>
2285 <entry>Description</entry>
2286 </row>
2287 </thead>
2288 <tbody>
2289 <row>
2290 <entry>0</entry>
2291 <entry><constant>EXIT_SUCCESS</constant></entry>
2292 <entry>Generic success code.</entry>
2293 </row>
2294 <row>
2295 <entry>1</entry>
2296 <entry><constant>EXIT_FAILURE</constant></entry>
2297 <entry>Generic failure or unspecified error.</entry>
2298 </row>
2299 </tbody>
2300 </tgroup>
2301 </table>
2302
2303 <para>The following service exit codes are defined by the <ulink
2304 url="https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html">LSB specification
2305 </ulink>.
2306 </para>
2307
2308 <table>
2309 <title>LSB service exit codes</title>
2310 <tgroup cols='3'>
2311 <thead>
2312 <row>
2313 <entry>Exit Code</entry>
2314 <entry>Symbolic Name</entry>
2315 <entry>Description</entry>
2316 </row>
2317 </thead>
2318 <tbody>
2319 <row>
2320 <entry>2</entry>
2321 <entry><constant>EXIT_INVALIDARGUMENT</constant></entry>
2322 <entry>Invalid or excess arguments.</entry>
2323 </row>
2324 <row>
2325 <entry>3</entry>
2326 <entry><constant>EXIT_NOTIMPLEMENTED</constant></entry>
2327 <entry>Unimplemented feature.</entry>
2328 </row>
2329 <row>
2330 <entry>4</entry>
2331 <entry><constant>EXIT_NOPERMISSION</constant></entry>
2332 <entry>The user has insufficient privileges.</entry>
2333 </row>
2334 <row>
2335 <entry>5</entry>
2336 <entry><constant>EXIT_NOTINSTALLED</constant></entry>
2337 <entry>The program is not installed.</entry>
2338 </row>
2339 <row>
2340 <entry>6</entry>
2341 <entry><constant>EXIT_NOTCONFIGURED</constant></entry>
2342 <entry>The program is not configured.</entry>
2343 </row>
2344 <row>
2345 <entry>7</entry>
2346 <entry><constant>EXIT_NOTRUNNING</constant></entry>
2347 <entry>The program is not running.</entry>
2348 </row>
2349 </tbody>
2350 </tgroup>
2351 </table>
2352
2353 <para>
2354 The LSB specification suggests that error codes 200 and above are reserved for implementations. Some of them are
2355 used by the service manager to indicate problems during process invocation:
2356 </para>
2357 <table>
2358 <title>systemd-specific exit codes</title>
2359 <tgroup cols='3'>
2360 <thead>
2361 <row>
2362 <entry>Exit Code</entry>
2363 <entry>Symbolic Name</entry>
2364 <entry>Description</entry>
2365 </row>
2366 </thead>
2367 <tbody>
2368 <row>
2369 <entry>200</entry>
2370 <entry><constant>EXIT_CHDIR</constant></entry>
2371 <entry>Changing to the requested working directory failed. See <varname>WorkingDirectory=</varname> above.</entry>
2372 </row>
2373 <row>
2374 <entry>201</entry>
2375 <entry><constant>EXIT_NICE</constant></entry>
2376 <entry>Failed to set up process scheduling priority (nice level). See <varname>Nice=</varname> above.</entry>
2377 </row>
2378 <row>
2379 <entry>202</entry>
2380 <entry><constant>EXIT_FDS</constant></entry>
2381 <entry>Failed to close unwanted file descriptors, or to adjust passed file descriptors.</entry>
2382 </row>
2383 <row>
2384 <entry>203</entry>
2385 <entry><constant>EXIT_EXEC</constant></entry>
2386 <entry>The actual process execution failed (specifically, the <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call). Most likely this is caused by a missing or non-accessible executable file.</entry>
2387 </row>
2388 <row>
2389 <entry>204</entry>
2390 <entry><constant>EXIT_MEMORY</constant></entry>
2391 <entry>Failed to perform an action due to memory shortage.</entry>
2392 </row>
2393 <row>
2394 <entry>205</entry>
2395 <entry><constant>EXIT_LIMITS</constant></entry>
dcfaecc7 2396 <entry>Failed to adjust resource limits. See <varname>LimitCPU=</varname> and related settings above.</entry>
91a8f867
JS		 2397 </row>
2398 <row>
2399 <entry>206</entry>
2400 <entry><constant>EXIT_OOM_ADJUST</constant></entry>
2401 <entry>Failed to adjust the OOM setting. See <varname>OOMScoreAdjust=</varname> above.</entry>
2402 </row>
2403 <row>
2404 <entry>207</entry>
2405 <entry><constant>EXIT_SIGNAL_MASK</constant></entry>
2406 <entry>Failed to set process signal mask.</entry>
2407 </row>
2408 <row>
2409 <entry>208</entry>
2410 <entry><constant>EXIT_STDIN</constant></entry>
2411 <entry>Failed to set up standard input. See <varname>StandardInput=</varname> above.</entry>
2412 </row>
2413 <row>
2414 <entry>209</entry>
2415 <entry><constant>EXIT_STDOUT</constant></entry>
2416 <entry>Failed to set up standard output. See <varname>StandardOutput=</varname> above.</entry>
2417 </row>
2418 <row>
2419 <entry>210</entry>
2420 <entry><constant>EXIT_CHROOT</constant></entry>
2421 <entry>Failed to change root directory (<citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>). See <varname>RootDirectory=</varname>/<varname>RootImage=</varname> above.</entry>
2422 </row>
2423 <row>
2424 <entry>211</entry>
2425 <entry><constant>EXIT_IOPRIO</constant></entry>
2426 <entry>Failed to set up IO scheduling priority. See <varname>IOSchedulingClass=</varname>/<varname>IOSchedulingPriority=</varname> above.</entry>
2427 </row>
2428 <row>
2429 <entry>212</entry>
2430 <entry><constant>EXIT_TIMERSLACK</constant></entry>
2431 <entry>Failed to set up timer slack. See <varname>TimerSlackNSec=</varname> above.</entry>
2432 </row>
2433 <row>
2434 <entry>213</entry>
2435 <entry><constant>EXIT_SECUREBITS</constant></entry>
2436 <entry>Failed to set process secure bits. See <varname>SecureBits=</varname> above.</entry>
2437 </row>
2438 <row>
2439 <entry>214</entry>
2440 <entry><constant>EXIT_SETSCHEDULER</constant></entry>
2441 <entry>Failed to set up CPU scheduling. See <varname>CPUSchedulingPolicy=</varname>/<varname>CPUSchedulingPriority=</varname> above.</entry>
2442 </row>
2443 <row>
2444 <entry>215</entry>
2445 <entry><constant>EXIT_CPUAFFINITY</constant></entry>
2446 <entry>Failed to set up CPU affinity. See <varname>CPUAffinity=</varname> above.</entry>
2447 </row>
2448 <row>
2449 <entry>216</entry>
2450 <entry><constant>EXIT_GROUP</constant></entry>
2451 <entry>Failed to determine or change group credentials. See <varname>Group=</varname>/<varname>SupplementaryGroups=</varname> above.</entry>
2452 </row>
2453 <row>
2454 <entry>217</entry>
2455 <entry><constant>EXIT_USER</constant></entry>
2456 <entry>Failed to determine or change user credentials, or to set up user namespacing. See <varname>User=</varname>/<varname>PrivateUsers=</varname> above.</entry>
2457 </row>
2458 <row>
2459 <entry>218</entry>
2460 <entry><constant>EXIT_CAPABILITIES</constant></entry>
2461 <entry>Failed to drop capabilities, or apply ambient capabilities. See <varname>CapabilityBoundingSet=</varname>/<varname>AmbientCapabilities=</varname> above.</entry>
2462 </row>
2463 <row>
2464 <entry>219</entry>
2465 <entry><constant>EXIT_CGROUP</constant></entry>
2466 <entry>Setting up the service control group failed.</entry>
2467 </row>
2468 <row>
2469 <entry>220</entry>
2470 <entry><constant>EXIT_SETSID</constant></entry>
2471 <entry>Failed to create new process session.</entry>
2472 </row>
2473 <row>
2474 <entry>221</entry>
2475 <entry><constant>EXIT_CONFIRM</constant></entry>
2476 <entry>Execution has been cancelled by the user. See the <varname>systemd.confirm_spawn=</varname> kernel command line setting on <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details.</entry>
2477 </row>
2478 <row>
2479 <entry>222</entry>
2480 <entry><constant>EXIT_STDERR</constant></entry>
2481 <entry>Failed to set up standard error output. See <varname>StandardError=</varname> above.</entry>
2482 </row>
2483 <row>
2484 <entry>224</entry>
2485 <entry><constant>EXIT_PAM</constant></entry>
2486 <entry>Failed to set up PAM session. See <varname>PAMName=</varname> above.</entry>
2487 </row>
2488 <row>
2489 <entry>225</entry>
2490 <entry><constant>EXIT_NETWORK</constant></entry>
2491 <entry>Failed to set up network namespacing. See <varname>PrivateNetwork=</varname> above.</entry>
2492 </row>
2493 <row>
2494 <entry>226</entry>
2495 <entry><constant>EXIT_NAMESPACE</constant></entry>
2496 <entry>Failed to set up mount namespacing. See <varname>ReadOnlyPaths=</varname> and related settings above.</entry>
2497 </row>
2498 <row>
2499 <entry>227</entry>
2500 <entry><constant>EXIT_NO_NEW_PRIVILEGES</constant></entry>
dcfaecc7 2501 <entry>Failed to disable new privileges. See <varname>NoNewPrivileges=yes</varname> above.</entry>
91a8f867
JS		 2502 </row>
2503 <row>
2504 <entry>228</entry>
2505 <entry><constant>EXIT_SECCOMP</constant></entry>
2506 <entry>Failed to apply system call filters. See <varname>SystemCallFilter=</varname> and related settings above.</entry>
2507 </row>
2508 <row>
2509 <entry>229</entry>
2510 <entry><constant>EXIT_SELINUX_CONTEXT</constant></entry>
2511 <entry>Determining or changing SELinux context failed. See <varname>SELinuxContext=</varname> above.</entry>
2512 </row>
2513 <row>
2514 <entry>230</entry>
2515 <entry><constant>EXIT_PERSONALITY</constant></entry>
dcfaecc7 2516 <entry>Failed to set up an execution domain (personality). See <varname>Personality=</varname> above.</entry>
91a8f867
JS		 2517 </row>
2518 <row>
2519 <entry>231</entry>
2520 <entry><constant>EXIT_APPARMOR_PROFILE</constant></entry>
2521 <entry>Failed to prepare changing AppArmor profile. See <varname>AppArmorProfile=</varname> above.</entry>
2522 </row>
2523 <row>
2524 <entry>232</entry>
2525 <entry><constant>EXIT_ADDRESS_FAMILIES</constant></entry>
2526 <entry>Failed to restrict address families. See <varname>RestrictAddressFamilies=</varname> above.</entry>
2527 </row>
2528 <row>
2529 <entry>233</entry>
2530 <entry><constant>EXIT_RUNTIME_DIRECTORY</constant></entry>
2531 <entry>Setting up runtime directory failed. See <varname>RuntimeDirectory=</varname> and related settings above.</entry>
2532 </row>
2533 <row>
2534 <entry>235</entry>
2535 <entry><constant>EXIT_CHOWN</constant></entry>
2536 <entry>Failed to adjust socket ownership. Used for socket units only.</entry>
2537 </row>
2538 <row>
2539 <entry>236</entry>
2540 <entry><constant>EXIT_SMACK_PROCESS_LABEL</constant></entry>
2541 <entry>Failed to set SMACK label. See <varname>SmackProcessLabel=</varname> above.</entry>
2542 </row>
2543 <row>
2544 <entry>237</entry>
2545 <entry><constant>EXIT_KEYRING</constant></entry>
2546 <entry>Failed to set up kernel keyring.</entry>
2547 </row>
2548 <row>
2549 <entry>238</entry>
2550 <entry><constant>EXIT_STATE_DIRECTORY</constant></entry>
dcfaecc7 2551 <entry>Failed to set up unit's state directory. See <varname>StateDirectory=</varname> above.</entry>
91a8f867
JS		 2552 </row>
2553 <row>
2554 <entry>239</entry>
2555 <entry><constant>EXIT_CACHE_DIRECTORY</constant></entry>
dcfaecc7 2556 <entry>Failed to set up unit's cache directory. See <varname>CacheDirectory=</varname> above.</entry>
91a8f867
JS		 2557 </row>
2558 <row>
2559 <entry>240</entry>
2560 <entry><constant>EXIT_LOGS_DIRECTORY</constant></entry>
dcfaecc7 2561 <entry>Failed to set up unit's logging directory. See <varname>LogsDirectory=</varname> above.</entry>
91a8f867
JS		 2562 </row>
2563 <row>
2564 <entry>241</entry>
2565 <entry><constant>EXIT_CONFIGURATION_DIRECTORY</constant></entry>
dcfaecc7 2566 <entry>Failed to set up unit's configuration directory. See <varname>ConfigurationDirectory=</varname> above.</entry>
91a8f867
JS		 2567 </row>
2568 </tbody>
2569 </tgroup>
2570 </table>
2571 </refsect1>
2572
798d3a52
ZJS		 2573 <refsect1>
2574 <title>See Also</title>
2575 <para>
2576 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
2577 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
869feb33 2578 <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
798d3a52
ZJS		 2579 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
2580 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2581 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2582 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2583 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2584 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2585 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2586 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
a4c18002 2587 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
798d3a52
ZJS		 2588 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
2589 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2590 <citerefentry project='man-pages'><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
2591 </para>
2592 </refsect1>
dd1eb43b 2593
e64e1bfd 2594
dd1eb43b 2595</refentry>
Unnamed repository; edit this file 'description' to name the repository.