</varlistentry>
<varlistentry>
<term><varname>TTYVTDisallocate=</varname></term>
- <listitem><para>If the the terminal
+ <listitem><para>If the terminal
device specified with
<varname>TTYPath=</varname> is a
virtual console terminal try to
<listitem><para>Set a specific control
group attribute for executed
- processes, and (if needed) add the the
+ processes, and (if needed) add the
executed processes to a cgroup in the
hierarchy of the controller the
attribute belongs to. Takes two
<option>shared</option>,
<option>slave</option> or
<option>private</option>, which
- control whether namespaces set up with
- <varname>ReadWriteDirectories=</varname>,
- <varname>ReadOnlyDirectories=</varname>
- and
- <varname>InaccessibleDirectories=</varname>
- receive or propagate new mounts
- from/to the main namespace. See
+ control whether the file system
+ namespace set up for this unit's
+ processes will receive or propagate
+ new mounts. See
<citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- for details. Defaults to
- <option>shared</option>, i.e. the new
- namespace will both receive new mount
- points from the main namespace as well
- as propagate new mounts to
- it.</para></listitem>
+ for details. Default to
+ <option>shared</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>UtmpIdentifier=</varname></term>
- <listitem><para>Takes a a four
+ <listitem><para>Takes a four
character identifier string for an
utmp/wtmp entry for this service. This
should only be set for services such
shell pipelines.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>NoNewPrivileges=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true ensures that the
+ service process and all its children
+ can never gain new privileges. This
+ option is more powerful than the respective
+ secure bits flags (see above), as it
+ also prohibits UID changes of any
+ kind. This is the simplest, most
+ effective way to ensure that a process
+ and its children can never elevate
+ privileges again.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SystemCallFilter=</varname></term>
+
+ <listitem><para>Takes a space
+ separated list of system call
+ names. If this setting is used all
+ system calls executed by the unit
+ process except for the listed ones
+ will result in immediate process
+ termination with the SIGSYS signal
+ (whitelisting). If the first character
+ of the list is <literal>~</literal>
+ the effect is inverted: only the
+ listed system calls will result in
+ immediate process termination
+ (blacklisting). If this option is used
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. This feature makes use of
+ the Secure Computing Mode 2 interfaces
+ of the kernel ('seccomp filtering')
+ and is useful for enforcing a minimal
+ sandboxing environment. Note that the
+ <function>execve</function>,
+ <function>rt_sigreturn</function>,
+ <function>sigreturn</function>,
+ <function>exit_group</function>,
+ <function>exit</function> system calls
+ are implicitly whitelisted and don't
+ need to be listed
+ explicitly.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>