<refnamediv>
<refname>systemd.exec</refname>
- <refpurpose>systemd execution environment configuration</refpurpose>
+ <refpurpose>Execution environment configuration</refpurpose>
</refnamediv>
<refsynopsisdiv>
for more information on the specific unit
configuration files. The execution specific
configuration options are configured in the [Service],
- [Socket], [Mount] resp. [Swap] section, depending on the unit
+ [Socket], [Mount], or [Swap] sections, depending on the unit
type.</para>
</refsect1>
<listitem><para>Takes an absolute
directory path. Sets the working
- directory for executed
- processes.</para></listitem>
+ directory for executed processes. If
+ not set defaults to the root directory
+ when systemd is running as a system
+ instance and the respective user's
+ home directory if run as
+ user.</para></listitem>
</varlistentry>
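Review bot: The new default sentence at the `+` lines ("If not set defaults to the root directory ...") needs a comma after "If not set", and its two halves are not parallel ("when systemd is running as a system instance" vs. "if run as user"). Suggest: "If not set, defaults to the root directory when systemd is running as a system instance and to the respective user's home directory when run as a user instance."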
<varlistentry>
<term><varname>Group=</varname></term>
<listitem><para>Sets the Unix user
- resp. group the processes are executed
- as. Takes a single user resp. group
+ or group that the processes are executed
+ as, respectively. Takes a single user or group
name or ID as argument. If no group is
- set the default group of the user is
+ set, the default group of the user is
chosen.</para></listitem>
</varlistentry>
<listitem><para>Sets the CPU
scheduling priority for executed
- processes. Takes an integer between 1
- (lowest priority) and 99 (highest
- priority). The available priority
+ processes. The available priority
range depends on the selected CPU
- scheduling policy (see above). See
- <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for details.</para></listitem>
+ scheduling policy (see above). For
+ real-time scheduling policies an
+ integer between 1 (lowest priority)
+ and 99 (highest priority) can be used.
+ See <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ for details.
+ </para></listitem>
</varlistentry>
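Review bot: The rewritten paragraph says the available range depends on the selected policy but then only gives the 1 (lowest) to 99 (highest) range for the real-time policies, so the reader is left guessing what is accepted for the non-real-time policies. Suggest adding one sentence stating the valid value for those policies as well (sched_setscheduler(2), already cited here, defines it), so the paragraph is complete on its own.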
<varlistentry>
double quotes (").
The
argument passed should be an absolute
- file name, optionally prefixed with
+ file name or wildcard expression, optionally prefixed with
"-", which indicates that if the file
does not exist it won't be read and no
error or warning message is
</varlistentry>
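Review bot: Adding "or wildcard expression" at the `+` line leaves the "-" prefix semantics in the following lines ("if the file does not exist it won't be read") ambiguous for patterns: state whether a pattern that matches nothing is treated like a missing file (silently skipped with "-", an error without it), and in what order multiple matched files are applied when they assign the same variable. One sentence covering both would close the gap.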
<varlistentry>
<term><varname>TTYVTDisallocate=</varname></term>
- <listitem><para>If the the terminal
+ <listitem><para>If the terminal
device specified with
<varname>TTYPath=</varname> is a
virtual console terminal try to
argument. If true and
<varname>StandardOutput=</varname> or
<varname>StandardError=</varname> are
- set to <option>syslog</option> or
- <option>kmsg</option> log lines
+ set to <option>syslog</option>,
+ <option>kmsg</option> or
+ <option>journal</option>, log lines
written by the executed process that
are prefixed with a log level will be
passed on to syslog with this log
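Review bot: With <option>journal</option> added to the list at the `+` lines, the tail of the same sentence ("passed on to syslog with this log level") no longer matches all three destinations. Suggest "passed on to the configured log destination with this log level" or similar so the journal case is covered by the sentence too.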
<listitem><para>Set a specific control
group attribute for executed
- processes, and (if needed) add the the
+ processes, and (if needed) add the
executed processes to a cgroup in the
hierarchy of the controller the
attribute belongs to. Takes two
the value is suffixed with K, M, G or
T the specified memory size is parsed
as Kilobytes, Megabytes, Gigabytes,
- resp. Terabytes (to the base
- 1024). This controls the
+ or Terabytes (to the base
+ 1024), respectively. This controls the
<literal>memory.limit_in_bytes</literal>
and
<literal>memory.soft_limit_in_bytes</literal>
path (such as
<filename>/dev/null</filename>)
followed by a combination of r, w, m
- to control reading, writing resp.
+ to control reading, writing, or
creating of the specific device node
- by the unit. This controls the
+ by the unit, respectively. This controls the
<literal>devices.allow</literal>
and
<literal>devices.deny</literal>
If the bandwidth is suffixed with K, M,
G, or T the specified bandwidth is
parsed as Kilobytes, Megabytes,
- Gigabytes, resp. Terabytes (Example:
+ Gigabytes, or Terabytes, respectively (Example:
"/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
5M"). This controls the
<literal>blkio.read_bps_device</literal>
<option>shared</option>,
<option>slave</option> or
<option>private</option>, which
- control whether namespaces set up with
- <varname>ReadWriteDirectories=</varname>,
- <varname>ReadOnlyDirectories=</varname>
- and
- <varname>InaccessibleDirectories=</varname>
- receive or propagate new mounts
- from/to the main namespace. See
- <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- for details. Defaults to
- <option>shared</option>, i.e. the new
- namespace will both receive new mount
- points from the main namespace as well
- as propagate new mounts to
- it.</para></listitem>
+ control whether the file system
+ namespace set up for this unit's
+ processes will receive or propagate
+ new mounts. See
+ <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ for details. Default to
+ <option>shared</option>.</para></listitem>
</varlistentry>
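Review bot: "Default to <option>shared</option>" at the last `+` line is a grammar regression from the removed "Defaults to"; restore "Defaults to". The rewrite also drops the removed explanation of what the default means ("the new namespace will both receive new mount points from the main namespace as well as propagate new mounts to it"); keeping that clause, ideally with a matching one-line meaning for slave and private, lets an administrator pick the right value without reading mount(2). The mount(1) to mount(2) change in the reference itself is correct for propagation flags.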
<varlistentry>
<term><varname>UtmpIdentifier=</varname></term>
- <listitem><para>Takes a a four
+ <listitem><para>Takes a four
character identifier string for an
utmp/wtmp entry for this service. This
should only be set for services such
shell pipelines.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>NoNewPrivileges=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true ensures that the
+ service process and all its children
+ can never gain new privileges. This
+ option is more powerful than the respective
+ secure bits flags (see above), as it
+ also prohibits UID changes of any
+ kind. This is the simplest, most
+ effective way to ensure that a process
+ and its children can never elevate
+ privileges again.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SystemCallFilter=</varname></term>
+
+ <listitem><para>Takes a space
+ separated list of system call
+ names. If this setting is used all
+ system calls executed by the unit
+ process except for the listed ones
+ will result in immediate process
+ termination with the SIGSYS signal
+ (whitelisting). If the first character
+ of the list is <literal>~</literal>
+ the effect is inverted: only the
+ listed system calls will result in
+ immediate process termination
+ (blacklisting). If this option is used
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. This feature makes use of
+ the Secure Computing Mode 2 interfaces
+ of the kernel ('seccomp filtering')
+ and is useful for enforcing a minimal
+ sandboxing environment. Note that the
+ <function>execve</function>,
+ <function>rt_sigreturn</function>,
+ <function>sigreturn</function>,
+ <function>exit_group</function>,
+ <function>exit</function> system calls
+ are implicitly whitelisted and don't
+ need to be listed
+ explicitly.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
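Review bot: The new SystemCallFilter= entry should say that the filter stays in effect for every program the unit executes, not just the first process: execve is listed as implicitly whitelisted precisely so the service can exec, which means the listed system calls must cover each binary the unit runs, and it is worth one clause on why NoNewPrivileges=yes is implied (the kernel ties seccomp filters to no_new_privs so a filtered process cannot gain privileges through setuid executables). Two further documentation gaps in the same entry: what happens when the option is given more than once (list accumulated or replaced?) and whether an empty assignment resets it. Minor style: "space separated" should be "space-separated", and commas are missing after "If true" in the NoNewPrivileges= entry and after "If this option is used" here.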
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>