DescriptionUnit configuration files for services, sockets,
- mount points and swap devices share a subset of
+ mount points, and swap devices share a subset of
configuration options which define the execution
environment of spawned processes.
@@ -89,7 +89,7 @@
Takes an absolute
directory path. Sets the working
directory for executed processes. If
- not set defaults to the root directory
+ not set, defaults to the root directory
when systemd is running as a system
instance and the respective user's
home directory if run as
@@ -104,7 +104,7 @@
directory for executed processes, with
the
chroot2
- system call. If this is used it must
+ system call. If this is used, it must
be ensured that the process and all
its auxiliary files are available in
the chroot()
@@ -233,7 +233,7 @@
CPUSchedulingResetOnFork=Takes a boolean
- argument. If true elevated CPU
+ argument. If true, elevated CPU
scheduling priorities and policies
will be reset when the executed
processes fork, and can hence not leak
@@ -248,11 +248,11 @@
Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. This option may
+ list of CPU indices. This option may
be specified more than once in which
case the specificed CPU affinity masks
are merged. If the empty string is
- assigned the mask is reset, all
+ assigned, the mask is reset, all
assignments prior to this will have no
effect. See
sched_setaffinity2
@@ -280,24 +280,26 @@
option may be specified more than once
in which case all listed variables
will be set. If the same variable is
- set twice the later setting will
+ set twice, the later setting will
override the earlier setting. If the
empty string is assigned to this
- option the list of environment
+ option, the list of environment
variables is reset, all prior
assignments have no effect.
Variable expansion is not performed
inside the strings, however, specifier
- expansion is possible. $ character has
+ expansion is possible. The $ character has
no special meaning.
If you need to assign a value containing spaces
to a variable, use double quotes (")
for the assignment.Example:
- Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"
+ Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
gives three variables VAR1,
- VAR2, VAR3.
+ VAR2, VAR3
+ with the values word1 word2,
+ word3, $word 5 6.
@@ -332,7 +334,7 @@
specified more than once in which case
all specified files are read. If the
empty string is assigned to this
- option the list of file to read is
+ option, the list of file to read is
reset, all prior assignments have no
effect.
@@ -343,7 +345,7 @@
with
Environment=. If
the same variable is set twice from
- these files the files will be read in
+ these files, the files will be read in
the order they are specified and the
later setting will override the
earlier setting.
@@ -359,19 +361,19 @@
,
or
. If
- is selected
+ is selected,
standard input will be connected to
/dev/null,
i.e. all read attempts by the process
will result in immediate EOF. If
- is selected
+ is selected,
standard input is connected to a TTY
(as configured by
TTYPath=, see
below) and the executed process
becomes the controlling process of the
terminal. If the terminal is already
- being controlled by another process the
+ being controlled by another process, the
executed process waits until the current
controlling process releases the
terminal.
@@ -393,7 +395,7 @@
file (see
systemd.socket5
for details) specifies a single socket
- only. If this option is set standard
+ only. If this option is set, standard
input will be connected to the socket
the service was activated from, which
is primarily useful for compatibility
@@ -418,19 +420,19 @@
,
or
. If set to
- the file
+ , the file
descriptor of standard input is
duplicated for standard output. If set
- to standard
+ to , standard
output will be connected to
/dev/null,
i.e. everything written to it will be
- lost. If set to
+ lost. If set to ,
standard output will be connected to a
tty (as configured via
TTYPath=, see
below). If the TTY is used for output
- only the executed process will not
+ only, the executed process will not
become the controlling process of the
terminal, and will not fail or wait
for other processes to release the
@@ -470,9 +472,9 @@
StandardError=Controls where file
- descriptor 2 (STDERR) of the executed
- processes is connected to. The
- available options are identical to
+ descriptor 2 (STDERR) of the
+ executed processes is connected to.
+ The available options are identical to
those of
StandardOutput=,
with one exception: if set to
@@ -489,8 +491,8 @@
TTYPath=Sets the terminal
- device node to use if standard input,
- output or stderr are connected to a
+ device node to use if standard input, output,
+ or error are connected to a
TTY (see above). Defaults to
/dev/console.
@@ -517,7 +519,7 @@
If the terminal
device specified with
TTYPath= is a
- virtual console terminal try to
+ virtual console terminal, try to
deallocate the TTY before and after
execution. This ensures that the
screen and scrollback buffer is
@@ -528,7 +530,7 @@
SyslogIdentifier=Sets the process name
to prefix log lines sent to syslog or
- the kernel log buffer with. If not set
+ the kernel log buffer with. If not set,
defaults to the process name of the
executed process. This option is only
useful when
@@ -672,13 +674,13 @@
PAMName=Sets the PAM service
- name to set up a session as. If set
+ name to set up a session as. If set,
the executed process will be
registered as a PAM session under the
specified service name. This is only
useful in conjunction with the
User= setting. If
- not set no PAM session will be opened
+ not set, no PAM session will be opened
for the executed processes. See
pam8
for details.
@@ -687,7 +689,7 @@
TCPWrapName=If this is a
- socket-activated service this sets the
+ socket-activated service, this sets the
tcpwrap service name to check the
permission for the current connection
with. This is only useful in
@@ -697,7 +699,7 @@
socket types (e.g. datagram/UDP) and
on processes unrelated to socket-based
activation. If the tcpwrap
- verification fails daemon start-up
+ verification fails, daemon start-up
will fail and the connection is
terminated. See
tcpd8
@@ -726,7 +728,7 @@
Capabilities listed will be included
in the bounding set, all others are
removed. If the list of capabilities
- is prefixed with ~
+ is prefixed with ~,
all but the listed capabilities will
be included, the effect of the
assignment inverted. Note that this
@@ -735,7 +737,7 @@
permitted and inheritable capability
sets, on top of what
Capabilities=
- does. If this option is not used the
+ does. If this option is not used, the
capability bounding set is not
modified on process execution, hence
no limits on the capabilities of the
@@ -743,11 +745,11 @@
appear more than once in which case
the bounding sets are merged. If the
empty string is assigned to this
- option the bounding set is reset to
+ option, the bounding set is reset to
the empty capability set, and all
prior settings have no effect. If set
to ~ (without any
- further argument) the bounding set is
+ further argument), the bounding set is
reset to the full set of available
capabilities, also undoing any
previous settings.
@@ -768,7 +770,7 @@
option may appear more than once in
which case the secure bits are
ORed. If the empty string is assigned
- to this option the bits are reset to
+ to this option, the bits are reset to
0.
@@ -825,7 +827,7 @@
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
- option the specific list is reset, and
+ option, the specific list is reset, and
all prior assignments have no
effect.Paths in
@@ -842,13 +844,13 @@
PrivateTmp=Takes a boolean
- argument. If true sets up a new file
+ argument. If true, sets up a new file
system namespace for the executed
processes and mounts private
/tmp and
- /var/tmp directories
- inside it, that are not shared by
- processes outside of the
+ /var/tmp
+ directories inside it that is not
+ shared by processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
@@ -856,16 +858,24 @@
/tmp or
/var/tmp
impossible. All temporary data created
- by service will be removed after service
- is stopped. Defaults to
- false.
+ by service will be removed after
+ the service is stopped. Defaults to
+ false. Note that it is possible to run
+ two or more units within the same
+ private /tmp and
+ /var/tmp
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details.PrivateNetwork=Takes a boolean
- argument. If true sets up a new
+ argument. If true, sets up a new
network namespace for the executed
processes and configures only the
loopback network device
@@ -874,6 +884,30 @@
available to the executed process.
This is useful to securely turn off
network access by the executed
+ process. Defaults to false. Note that
+ it is possible to run two or more
+ units within the same private network
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details.
+
+
+
+ PrivateDevices=
+
+ Takes a boolean
+ argument. If true, sets up a new /dev
+ namespace for the executed processes
+ and only adds API pseudo devices such
+ as /dev/null,
+ /dev/zero or
+ /dev/random to
+ it, but no physical devices such as
+ /dev/sda. This is
+ useful to securely turn off physical
+ device access by the executed
process. Defaults to
false.
@@ -907,7 +941,7 @@
entries must be created and cleared
before and after execution. If the
configured string is longer than four
- characters it is truncated and the
+ characters, it is truncated and the
terminal four characters are
used. This setting interprets %I style
string replacements. This setting is
@@ -916,6 +950,36 @@
this service.
+
+ SELinuxContext=
+
+ Set the SELinux
+ security context of the executed
+ process. If set, this will override
+ the automated domain
+ transition. However, the policy still
+ needs to autorize the transition. This
+ directive is ignored if SELinux is
+ disabled. If prefixed by
+ -, all errors will
+ be ignored. See
+ setexeccon3
+ for details.
+
+
+
+ AppArmorProfile=
+
+ Take a profile name as argument.
+ The process executed by the unit will switch to
+ this profile when started. Profiles must already
+ be loaded in the kernel, or the unit will fail.
+ This result in a non operation if AppArmor is not
+ enabled. If prefixed by -, all errors
+ will be ignored.
+
+
+
IgnoreSIGPIPE=
@@ -946,25 +1010,26 @@
SystemCallFilter=
- Takes a space-separated
- list of system call
+ Takes a
+ space-separated list of system call
names. If this setting is used, all
system calls executed by the unit
- process except for the listed ones
+ processes except for the listed ones
will result in immediate process
termination with the
SIGSYS signal
(whitelisting). If the first character
- of the list is ~
+ of the list is ~,
the effect is inverted: only the
listed system calls will result in
immediate process termination
- (blacklisting). If this option is used
+ (blacklisting). If running in user
+ mode and this option is used,
NoNewPrivileges=yes
- is implied. This feature makes use of
- the Secure Computing Mode 2 interfaces
- of the kernel ('seccomp filtering')
- and is useful for enforcing a minimal
+ is implied. This feature makes use of the
+ Secure Computing Mode 2 interfaces of
+ the kernel ('seccomp filtering') and
+ is useful for enforcing a minimal
sandboxing environment. Note that the
execve,
rt_sigreturn,
@@ -976,12 +1041,301 @@
option may be specified more than once
in which case the filter masks are
merged. If the empty string is
- assigned the filter is reset, all
+ assigned, the filter is reset, all
prior assignments will have no
- effect.
+ effect.
+
+ If you specify both types of
+ this option (i.e. whitelisting and
+ blacklisting), the first encountered
+ will take precedence and will dictate
+ the default action (termination or
+ approval of a system call). Then the
+ next occurrences of this option will
+ add or delete the listed system calls
+ from the set of the filtered system
+ calls, depending of its type and the
+ default action. (For example, if you have started
+ with a whitelisting of
+ read and
+ write, and right
+ after it add a blacklisting of
+ write, then
+ write will be
+ removed from the set.)
+
+
+
+
+ SystemCallErrorNumber=
+
+ Takes an
+ errno error number
+ name to return when the system call
+ filter configured with
+ SystemCallFilter=
+ is triggered, instead of terminating
+ the process immediately. Takes an
+ error name such as
+ EPERM,
+ EACCES or
+ EUCLEAN. When this
+ setting is not used, or when the empty
+ string is assigned, the process will be
+ terminated immediately when the filter
+ is triggered.
+
+
+
+ SystemCallArchitectures=
+
+ Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ x86,
+ x86-64,
+ x32,
+ arm as well as
+ the special identifier
+ native. Only
+ system calls of the specified
+ architectures will be permitted to
+ processes of this unit. This is an
+ effective way to disable compatibility
+ with non-native architectures for
+ processes, for example to prohibit
+ execution of 32-bit x86 binaries on
+ 64-bit x86-64 systems. The special
+ native identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). If
+ running in user mode and this option
+ is used,
+ NoNewPrivileges=yes
+ is implied. Note that setting this
+ option to a non-empty list implies
+ that native is
+ included too. By default, this option
+ is set to the empty list, i.e. no
+ architecture system call filtering is
+ applied.
+
+
+
+ RestrictAddressFamilies=
+
+ Restricts the set of
+ socket address families accessible to
+ the processes of this unit. Takes a
+ space-separated list of address family
+ names to whitelist, such as
+ AF_UNIX,
+ AF_INET or
+ AF_INET6. When
+ prefixed with ~
+ the listed address families will be
+ applied as blacklist, otherwise as
+ whitelist. Note that this restricts
+ access to the
+ socket2
+ system call only. Sockets passed into
+ the process by other means (for
+ example, by using socket activation
+ with socket units, see
+ systemd.socket5)
+ are unaffected. Also, sockets created
+ with socketpair()
+ (which creates connected AF_UNIX
+ sockets only) are unaffected. Note
+ that this option has no effect on
+ 32bit x86 and is ignored (but works
+ correctly on x86-64). If running in user
+ mode and this option is used,
+ NoNewPrivileges=yes
+ is implied. By default no
+ restriction applies, all address
+ families are accessible to
+ processes. If assigned the empty
+ string any previous list changes are
+ undone.
+
+ Use this option to limit
+ exposure of processes to remote
+ systems, in particular via exotic
+ network protocols. Note that in most
+ cases the local
+ AF_UNIX address
+ family should be included in the
+ configured whitelist as it is
+ frequently used for local
+ communication, including for
+ syslog2
+ logging.
+
+
+
+ Personality=
+
+ Controls which
+ kernel architecture
+ uname2
+ shall report, when invoked by unit
+ processes. Takes one of
+ x86 and
+ x86-64. This is
+ useful when running 32bit services on
+ a 64bit host system. If not specified
+ the personality is left unmodified and
+ thus reflects the personality of the
+ host system's
+ kernel.
+
+
+
+
+
+
+ Environment variables in spawned processes
+
+ Processes started by the system are executed in
+ a clean environment in which select variables
+ listed below are set. System processes started by systemd
+ do not inherit variables from PID 1, but processes
+ started by user systemd instances inherit all
+ environment variables from the user systemd instance.
+
+
+
+
+ $PATH
+
+ Colon-separated list
+ of directiories to use when launching
+ executables. Systemd uses a fixed
+ value of
+ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.
+
+
+
+
+ $LANG
+
+ Locale. Can be set in
+ locale.conf5
+ or on the kernel command line (see
+ systemd1
+ and
+ kernel-command-line7).
+
+
+
+
+ $USER
+ $LOGNAME
+ $HOME
+ $SHELL
+
+ User name (twice), home
+ directory, and the login shell.
+ The variables are set for the units that
+ have User= set,
+ which includes user
+ systemd instances.
+ See
+ passwd5.
+
+
+
+
+ $XDG_RUNTIME_DIR
+
+ The directory for volatile
+ state. Set for the user systemd
+ instance, and also in user sessions.
+ See
+ pam_systemd8.
+
+
+
+
+ $XDG_SESSION_ID
+ $XDG_SEAT
+ $XDG_VTNR
+
+ The identifier of the
+ session, the seat name, and
+ virtual terminal of the session. Set
+ by
+ pam_systemd8
+ for login sessions.
+ $XDG_SEAT and
+ $XDG_VTNR will
+ only be set when attached to a seat and a
+ tty.
+
+
+
+ $MAINPID
+
+ The PID of the units
+ main process if it is known. This is
+ only set for control processes as
+ invoked by
+ ExecReload= and
+ similar.
+
+
+
+ $MANAGERPID
+
+ The PID of the user
+ systemd instance,
+ set for processes spawned by it.
+
+
+
+
+ $LISTEN_FDS
+ $LISTEN_PID
+
+ Information about file
+ descriptors passed to a service for
+ socket activation. See
+ sd_listen_fds3.
+
+
+ $TERM
+
+ Terminal type, set
+ only for units connected to a terminal
+ (StandardInput=tty,
+ StandardOutput=tty,
+ or
+ StandardError=tty).
+ See
+ termcap5.
+
+
+
+ Additional variables may be configured by the
+ following means: for processes spawned in specific
+ units, use the Environment= and
+ EnvironmentFile= options above; to
+ specify variables globally, use
+ DefaultEnvironment= (see
+ systemd-system.conf5)
+ or the kernel option
+ systemd.setenv= (see
+ systemd1). Additional
+ variables may also be set through PAM,
+ c.f. pam_env8.
@@ -996,8 +1350,9 @@
systemd.swap5,
systemd.mount5,
systemd.kill5,
- systemd.cgroup5,
- systemd.directives7
+ systemd.resource-control5,
+ systemd.directives7,
+ exec3