<para>The files listed with this
directive will be read shortly before
the process is executed (more
<para>The files listed with this
directive will be read shortly before
the process is executed (more
processes from a previous unit state
terminated. This means you can
generate these files in one unit
processes from a previous unit state
terminated. This means you can
generate these files in one unit
temporary files created by a service
in these directories will be removed
after the service is stopped. Defaults
temporary files created by a service
in these directories will be removed
after the service is stopped. Defaults
The process executed by the unit will switch to
this profile when started. Profiles must already
be loaded in the kernel, or the unit will fail.
The process executed by the unit will switch to
this profile when started. Profiles must already
be loaded in the kernel, or the unit will fail.
(which creates connected AF_UNIX
sockets only) are unaffected. Note
that this option has no effect on
(which creates connected AF_UNIX
sockets only) are unaffected. Note
that this option has no effect on
correctly on x86-64). If running in user
mode and this option is used,
<varname>NoNewPrivileges=yes</varname>
correctly on x86-64). If running in user
mode and this option is used,
<varname>NoNewPrivileges=yes</varname>
restriction applies, all address
families are accessible to
processes. If assigned the empty
restriction applies, all address
families are accessible to
processes. If assigned the empty
undone.</para>
<para>Use this option to limit
exposure of processes to remote
systems, in particular via exotic
network protocols. Note that in most
undone.</para>
<para>Use this option to limit
exposure of processes to remote
systems, in particular via exotic
network protocols. Note that in most
<constant>AF_UNIX</constant> address
family should be included in the
configured whitelist as it is
<constant>AF_UNIX</constant> address
family should be included in the
configured whitelist as it is
- useful when running 32bit services on
- a 64bit host system. If not specified
+ useful when running 32-bit services on
+ a 64-bit host system. If not specified,
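Review bot: the spelling fix in the two added lines ("32-bit", "64-bit", and the comma after "If not specified") only touches this one sentence, so it is worth searching the man page sources for any remaining "32bit" or "64bit" before merging and folding those into the same commit. The hyphenated form is consistent with the "x86-64" spelling visible in the context lines of this patch, so no further wording change is needed in this hunk.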
directories by the specified names
will be created below
<filename>/run</filename> (for system
services) or below
<varname>$XDG_RUNTIME_DIR</varname>
(for user services) when the unit is
directories by the specified names
will be created below
<filename>/run</filename> (for system
services) or below
<varname>$XDG_RUNTIME_DIR</varname>
(for user services) when the unit is
stopped. The directories will have the
access mode specified in
<varname>RuntimeDirectoryMode=</varname>,
stopped. The directories will have the
access mode specified in
<varname>RuntimeDirectoryMode=</varname>,
<literal>/</literal>, i.e. must refer
to simple directories to create or
remove. This is particularly useful
<literal>/</literal>, i.e. must refer
to simple directories to create or
remove. This is particularly useful
create runtime directories in
<filename>/run</filename> due to lack
of privileges, and to make sure the
create runtime directories in
<filename>/run</filename> due to lack
of privileges, and to make sure the
<varname>systemd.setenv=</varname> (see
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional
variables may also be set through PAM,
<varname>systemd.setenv=</varname> (see
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional
variables may also be set through PAM,