<refnamediv>
<refname>systemd.exec</refname>
- <refpurpose>systemd execution environment configuration</refpurpose>
+ <refpurpose>Execution environment configuration</refpurpose>
</refnamediv>
<refsynopsisdiv>
<listitem><para>Takes an absolute
directory path. Sets the working
- directory for executed
- processes.</para></listitem>
+ directory for executed processes. If
+ not set defaults to the root directory
+ when systemd is running as a system
+ instance and the respective user's
+ home directory if run as
+ user.</para></listitem>
</varlistentry>
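Review bot: the added sentence needs punctuation and "if run as user" is ambiguous (run as a non-root user, or run as a per-user systemd instance?); suggest "If not set, defaults to the root directory when systemd is running as a system instance, and to the respective user's home directory when run as a user instance."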
<varlistentry>
prefixes may be disabled with
<varname>SyslogLevelPrefix=</varname>,
see below. For details see
- <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+ <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
Defaults to
<option>info</option>.</para></listitem>
these prefixes is disabled and the
logged lines are passed on as-is. For
details about this prefixing see
- <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+ <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
Defaults to true.</para></listitem>
</varlistentry>
<term><varname>TimerSlackNSec=</varname></term>
<listitem><para>Sets the timer slack
in nanoseconds for the executed
- processes. The timer slack controls the
- accuracy of wake-ups triggered by
+ processes. The timer slack controls
+ the accuracy of wake-ups triggered by
timers. See
<citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for more information. Note that in
contrast to most other time span
definitions this parameter takes an
- integer value in nano-seconds and does
- not understand any other
- units.</para></listitem>
+ integer value in nano-seconds if no
+ unit is specified. The usual time
+ units are understood
+ too.</para></listitem>
</varlistentry>
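Review bot: "nano-seconds" on the new line is inconsistent with "nanoseconds" three lines earlier in the same paragraph; use "nanoseconds" in both places. With units now accepted, the "in contrast to most other time span definitions" opener no longer explains what the contrast is; say explicitly that only the default unit differs, e.g. "Note that in contrast to most other time span definitions this parameter defaults to nanoseconds if no unit is specified; the usual time units are understood too."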
<varlistentry>
<term><varname>BlockIOWriteBandwidth=</varname></term>
<listitem><para>Set the per-device
- overall block IO bandwith limit for
+ overall block IO bandwidth limit for
the executed processes. Takes a space
separated pair of a file path and a
- bandwith value (in bytes per second)
+ bandwidth value (in bytes per second)
to specify the device specific
bandwidth. The file path may be
specified as path to a block device
node or as any other file in which
case the backing block device of the
file system of the file is determined.
- If the bandwith is suffixed with K, M,
- G, or T the specified bandwith is
+ If the bandwidth is suffixed with K, M,
+ G, or T the specified bandwidth is
parsed as Kilobytes, Megabytes,
Gigabytes, resp. Terabytes (Example:
"/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
and
<literal>blkio.write_bps_device</literal>
control group attributes. Use this
- option multiple times to set bandwith
+ option multiple times to set bandwidth
limits for multiple devices. For
details about these control group
attributes see <ulink
shell pipelines.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>NoNewPrivileges=</varname></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true ensures that the
+ service process and all its children
+ can never gain new privileges. This
+ option is more powerful than the respective
+ secure bits flags (see above), as it
+ also prohibits UID changes of any
+ kind. This is the simplest, most
+ effective way to ensure that a process
+ and its children can never elevate
+ privileges again.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>SystemCallFilter=</varname></term>
+
+ <listitem><para>Takes a space
+ separated list of system call
+ names. If this setting is used all
+ system calls executed by the unit
+ process except for the listed ones
+ will result in immediate process
+ termination with the SIGSYS signal
+ (whitelisting). If the first character
+ of the list is <literal>~</literal>
+ the effect is inverted: only the
+ listed system calls will result in
+ immediate process termination
+ (blacklisting). If this option is used
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. This feature makes use of
+ the Secure Computing Mode 2 interfaces
+ of the kernel ('seccomp filtering')
+ and is useful for enforcing a minimal
+ sandboxing environment. Note that the
+ <function>execve</function>,
+ <function>rt_sigreturn</function>,
+ <function>sigreturn</function>,
+ <function>exit_group</function>,
+ <function>exit</function> system calls
+ are implicitly whitelisted and don't
+ need to be listed
+ explicitly.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
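Review bot: "prohibits UID changes of any kind" in the NoNewPrivileges= paragraph overstates what the kernel flag does: PR_SET_NO_NEW_PRIVS only stops execve() from granting privileges (set-user-ID/set-group-ID bits, filesystem capabilities); a process that already holds CAP_SETUID can still call setuid(). Suggest "as it also prevents execve() from granting any new privileges, e.g. via setuid or setgid bits or filesystem capabilities." In the SystemCallFilter= paragraph, state why NoNewPrivileges=yes is implied (the kernel will only install a seccomp filter for an unprivileged process when no_new_privs is set), and note that the "~" blacklist form is the weaker mode because every system call not named remains permitted. Also add commas after "If true" and "If this option is used".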
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>