X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=5d39bd1a142f49c7e6e87a600eb5e6d673816bd8;hp=8d3b3da22e4ad5aa746cf4b59d42b82f5ff9f634;hb=93ae25e6fd62b2f87c3dd9ad3e81934eecc48057;hpb=cb07866b1b7c11e687a322d70dd9f9d73bbbe488
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 8d3b3da22..5d39bd1a1 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1,4 +1,3 @@
-
@@ -44,21 +43,21 @@
systemd.exec
- systemd execution environment configuration
+ Execution environment configuration
- systemd.service,
- systemd.socket,
- systemd.mount,
- systemd.swap
+ service.service,
+ socket.socket,
+ mount.mount,
+ swap.swapDescriptionUnit configuration files for services, sockets,
- mount points and swap devices share a subset of
+ mount points, and swap devices share a subset of
configuration options which define the execution
environment of spawned processes.
@@ -69,28 +68,32 @@
files, and
systemd.service5,
systemd.socket5,
- systemd.swap5
+ systemd.swap5,
and
systemd.mount5
for more information on the specific unit
configuration files. The execution specific
configuration options are configured in the [Service],
- [Socket], [Mount] resp. [Swap] section, depending on the unit
+ [Socket], [Mount], or [Swap] sections, depending on the unit
type.
Options
-
+ WorkingDirectory=Takes an absolute
directory path. Sets the working
- directory for executed
- processes.
+ directory for executed processes. If
+ not set, defaults to the root directory
+ when systemd is running as a system
+ instance and the respective user's
+ home directory if run as
+ user.
@@ -101,7 +104,7 @@
directory for executed processes, with
the
chroot2
- system call. If this is used it must
+ system call. If this is used, it must
be ensured that the process and all
its auxiliary files are available in
the chroot()
@@ -113,10 +116,10 @@
Group=Sets the Unix user
- resp. group the processes are executed
- as. Takes a single user resp. group
+ or group that the processes are executed
+ as, respectively. Takes a single user or group
name or ID as argument. If no group is
- set the default group of the user is
+ set, the default group of the user is
chosen.
@@ -125,14 +128,19 @@
Sets the supplementary
Unix groups the processes are executed
- as. This takes a space separated list
+ as. This takes a space-separated list
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
- supplementary groups. This option does
- not override but extends the list of
- supplementary groups configured in the
- system group database for the
+ supplementary groups. When the empty
+ string is assigned the list of
+ supplementary groups is reset, and all
+ assignments prior to this one will
+ have no effect. In any way, this
+ option does not override, but extends
+ the list of supplementary groups
+ configured in the system group
+ database for the
user.
@@ -158,7 +166,7 @@
for this process) and 1000 (to make
killing of this process under memory
pressure very likely). See proc.txt
+ url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt
for details.
@@ -210,20 +218,22 @@
Sets the CPU
scheduling priority for executed
- processes. Takes an integer between 1
- (lowest priority) and 99 (highest
- priority). The available priority
+ processes. The available priority
range depends on the selected CPU
- scheduling policy (see above). See
- sched_setscheduler2
- for details.
+ scheduling policy (see above). For
+ real-time scheduling policies an
+ integer between 1 (lowest priority)
+ and 99 (highest priority) can be used.
+ See sched_setscheduler2
+ for details.
+
CPUSchedulingResetOnFork=Takes a boolean
- argument. If true elevated CPU
+ argument. If true, elevated CPU
scheduling priorities and policies
will be reset when the executed
processes fork, and can hence not leak
@@ -238,7 +248,13 @@
Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. See
+ list of CPU indices. This option may
+ be specified more than once in which
+ case the specificed CPU affinity masks
+ are merged. If the empty string is
+ assigned, the mask is reset, all
+ assignments prior to this will have no
+ effect. See
sched_setaffinity2
for details.
@@ -264,10 +280,32 @@
option may be specified more than once
in which case all listed variables
will be set. If the same variable is
- set twice the later setting will
- override the earlier setting. See
+ set twice, the later setting will
+ override the earlier setting. If the
+ empty string is assigned to this
+ option, the list of environment
+ variables is reset, all prior
+ assignments have no effect.
+ Variable expansion is not performed
+ inside the strings, however, specifier
+ expansion is possible. The $ character has
+ no special meaning.
+ If you need to assign a value containing spaces
+ to a variable, use double quotes (")
+ for the assignment.
+
+ Example:
+ Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
+ gives three variables VAR1,
+ VAR2, VAR3
+ with the values word1 word2,
+ word3, $word 5 6.
+
+
+
+ See
environ7
- for details.
+ for details about environment variables.
EnvironmentFile=
@@ -275,31 +313,47 @@
Environment= but
reads the environment variables from a
text file. The text file should
- contain new-line separated variable
+ contain new-line-separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
- which may be used for commenting. The
- parser strips leading and
- trailing whitespace from the values
+ which may be used for commenting. A line
+ ending with a backslash will be concatenated
+ with the following one, allowing multiline variable
+ definitions. The parser strips leading
+ and trailing whitespace from the values
of assignments, unless you use
- double quotes (").
- The
- argument passed should be an absolute
- file name, optionally prefixed with
- "-", which indicates that if the file
- does not exist it won't be read and no
- error or warning message is
- logged. The files listed with this
+ double quotes (").
+
+ The argument passed should be an
+ absolute filename or wildcard
+ expression, optionally prefixed with
+ -, which indicates
+ that if the file does not exist, it
+ will not be read and no error or warning
+ message is logged. This option may be
+ specified more than once in which case
+ all specified files are read. If the
+ empty string is assigned to this
+ option, the list of file to read is
+ reset, all prior assignments have no
+ effect.
+
+ The files listed with this
directive will be read shortly before
- the process is executed. Settings from
- these files override settings made
- with
+ the process is executed (more
+ specifically, this means after all
+ processes from a previous unit state
+ terminated. This means you can
+ generate these files in one unit
+ state, and read it with this option in
+ the next). Settings from these files
+ override settings made with
Environment=. If
the same variable is set twice from
- these files the files will be read in
+ these files, the files will be read in
the order they are specified and the
later setting will override the
- earlier setting.
+ earlier setting.
@@ -312,19 +366,19 @@
,
or
. If
- is selected
+ is selected,
standard input will be connected to
/dev/null,
i.e. all read attempts by the process
will result in immediate EOF. If
- is selected
+ is selected,
standard input is connected to a TTY
(as configured by
TTYPath=, see
below) and the executed process
becomes the controlling process of the
terminal. If the terminal is already
- being controlled by another process the
+ being controlled by another process, the
executed process waits until the current
controlling process releases the
terminal.
@@ -346,7 +400,7 @@
file (see
systemd.socket5
for details) specifies a single socket
- only. If this option is set standard
+ only. If this option is set, standard
input will be connected to the socket
the service was activated from, which
is primarily useful for compatibility
@@ -371,19 +425,19 @@
,
or
. If set to
- the file
+ , the file
descriptor of standard input is
duplicated for standard output. If set
- to standard
+ to , standard
output will be connected to
/dev/null,
i.e. everything written to it will be
- lost. If set to
+ lost. If set to ,
standard output will be connected to a
tty (as configured via
TTYPath=, see
below). If the TTY is used for output
- only the executed process will not
+ only, the executed process will not
become the controlling process of the
terminal, and will not fail or wait
for other processes to release the
@@ -416,16 +470,16 @@
with
in
- systemd.conf5,
+ systemd-system.conf5,
which defaults to
.
StandardError=Controls where file
- descriptor 2 (STDERR) of the executed
- processes is connected to. The
- available options are identical to
+ descriptor 2 (STDERR) of the
+ executed processes is connected to.
+ The available options are identical to
those of
StandardOutput=,
with one exception: if set to
@@ -435,15 +489,15 @@
setting defaults to the value set with
in
- systemd.conf5,
+ systemd-system.conf5,
which defaults to
.TTYPath=Sets the terminal
- device node to use if standard input,
- output or stderr are connected to a
+ device node to use if standard input, output,
+ or error are connected to a
TTY (see above). Defaults to
/dev/console.
@@ -467,10 +521,10 @@
TTYVTDisallocate=
- If the the terminal
+ If the terminal
device specified with
TTYPath= is a
- virtual console terminal try to
+ virtual console terminal, try to
deallocate the TTY before and after
execution. This ensures that the
screen and scrollback buffer is
@@ -481,7 +535,7 @@
SyslogIdentifier=Sets the process name
to prefix log lines sent to syslog or
- the kernel log buffer with. If not set
+ the kernel log buffer with. If not set,
defaults to the process name of the
executed process. This option is only
useful when
@@ -563,8 +617,9 @@
argument. If true and
StandardOutput= or
StandardError= are
- set to or
- log lines
+ set to ,
+ or
+ , log lines
written by the executed process that
are prefixed with a log level will be
passed on to syslog with this log
@@ -624,43 +679,18 @@
PAMName=Sets the PAM service
- name to set up a session as. If set
+ name to set up a session as. If set,
the executed process will be
registered as a PAM session under the
specified service name. This is only
useful in conjunction with the
User= setting. If
- not set no PAM session will be opened
+ not set, no PAM session will be opened
for the executed processes. See
pam8
for details.
-
- TCPWrapName=
- If this is a
- socket-activated service this sets the
- tcpwrap service name to check the
- permission for the current connection
- with. This is only useful in
- conjunction with socket-activated
- services, and stream sockets (TCP) in
- particular. It has no effect on other
- socket types (e.g. datagram/UDP) and
- on processes unrelated to socket-based
- activation. If the tcpwrap
- verification fails daemon start-up
- will fail and the connection is
- terminated. See
- tcpd8
- for details. Note that this option may
- be used to do access control checks
- only. Shell commands and commands
- described in
- hosts_options5
- are not supported.
-
-
CapabilityBoundingSet=
@@ -669,27 +699,40 @@
capability bounding set for the
executed process. See
capabilities7
- for details. Takes a whitespace
- separated list of capability names as
- read by
- cap_from_name3.
+ for details. Takes a whitespace-separated
+ list of capability names as read by
+ cap_from_name3,
+ e.g. CAP_SYS_ADMIN,
+ CAP_DAC_OVERRIDE,
+ CAP_SYS_PTRACE.
Capabilities listed will be included
in the bounding set, all others are
removed. If the list of capabilities
- is prefixed with ~ all but the listed
- capabilities will be included, the
- effect of the assignment
- inverted. Note that this option also
- effects the respective capabilities in
- the effective, permitted and
- inheritable capability sets, on top of
- what Capabilities=
- does. If this option is not used the
+ is prefixed with ~,
+ all but the listed capabilities will
+ be included, the effect of the
+ assignment inverted. Note that this
+ option also affects the respective
+ capabilities in the effective,
+ permitted and inheritable capability
+ sets, on top of what
+ Capabilities=
+ does. If this option is not used, the
capability bounding set is not
modified on process execution, hence
no limits on the capabilities of the
- process are
- enforced.
+ process are enforced. This option may
+ appear more than once in which case
+ the bounding sets are merged. If the
+ empty string is assigned to this
+ option, the bounding set is reset to
+ the empty capability set, and all
+ prior settings have no effect. If set
+ to ~ (without any
+ further argument), the bounding set is
+ reset to the full set of available
+ capabilities, also undoing any
+ previous settings.
@@ -703,8 +746,12 @@
,
,
and/or
- .
-
+ . This
+ option may appear more than once in
+ which case the secure bits are
+ ORed. If the empty string is assigned
+ to this option, the bits are reset to
+ 0.
@@ -725,249 +772,16 @@
setting.
-
- ControlGroup=
-
- Controls the control
- groups the executed processes shall be
- made members of. Takes a
- space-separated list of cgroup
- identifiers. A cgroup identifier has a
- format like
- cpu:/foo/bar,
- where "cpu" identifies the kernel
- control group controller used, and
- /foo/bar is the
- control group path. The controller
- name and ":" may be omitted in which
- case the named systemd control group
- hierarchy is implied. Alternatively,
- the path and ":" may be omitted, in
- which case the default control group
- path for this unit is implied. This
- option may be used to place executed
- processes in arbitrary groups in
- arbitrary hierarchies -- which can be
- configured externally with additional
- execution limits. By default systemd
- will place all executed processes in
- separate per-unit control groups
- (named after the unit) in the systemd
- named hierarchy. Since every process
- can be in one group per hierarchy only
- overriding the control group path in
- the named systemd hierarchy will
- disable automatic placement in the
- default group. This option is
- primarily intended to place executed
- processes in specific paths in
- specific kernel controller
- hierarchies. It is however not
- recommended to manipulate the service
- control group path in the systemd
- named hierarchy. For details about
- control groups see cgroups.txt.
-
-
-
- ControlGroupModify=
- Takes a boolean
- argument. If true, the control groups
- created for this unit will be owned by
- the user specified with
- User= (and the
- appropriate group), and he/she can create
- subgroups as well as add processes to
- the group.
-
-
-
- ControlGroupPersistent=
- Takes a boolean
- argument. If true, the control groups
- created for this unit will be marked
- to be persistent, i.e. systemd will
- not remove them when stopping the
- unit. The default is false, meaning
- that the control groups will be
- removed when the unit is stopped. For
- details about the semantics of this
- logic see PaxControlGroups.
-
-
-
- ControlGroupAttribute=
-
- Set a specific control
- group attribute for executed
- processes, and (if needed) add the the
- executed processes to a cgroup in the
- hierarchy of the controller the
- attribute belongs to. Takes two
- space-separated arguments: the
- attribute name (syntax is
- cpu.shares where
- cpu refers to a
- specific controller and
- shares to the
- attribute name), and the attribute
- value. Example:
- ControlGroupAttribute=cpu.shares
- 512. If this option is used
- for an attribute that belongs to a
- kernel controller hierarchy the unit
- is not already configured to be added
- to (for example via the
- ControlGroup=
- option) then the unit will be added to
- the controller and the default unit
- cgroup path is implied. Thus, using
- ControlGroupAttribute=
- is in most case sufficient to make use
- of control group enforcements,
- explicit
- ControlGroup= are
- only necessary in case the implied
- default control group path for a
- service is not desirable. For details
- about control group attributes see
- cgroups.txt. This
- option may appear more than once, in
- order to set multiple control group
- attributes.
-
-
-
- CPUShares=
-
- Assign the specified
- overall CPU time shares to the
- processes executed. Takes an integer
- value. This controls the
- cpu.shares control
- group attribute, which defaults to
- 1024. For details about this control
- group attribute see sched-design-CFS.txt.
-
-
-
- MemoryLimit=
- MemorySoftLimit=
-
- Limit the overall memory usage
- of the executed processes to a certain
- size. Takes a memory size in bytes. If
- the value is suffixed with K, M, G or
- T the specified memory size is parsed
- as Kilobytes, Megabytes, Gigabytes,
- resp. Terabytes (to the base
- 1024). This controls the
- memory.limit_in_bytes
- and
- memory.soft_limit_in_bytes
- control group attributes. For details
- about these control group attributes
- see memory.txt.
-
-
-
- DeviceAllow=
- DeviceDeny=
-
- Control access to
- specific device nodes by the executed processes. Takes two
- space separated strings: a device node
- path (such as
- /dev/null)
- followed by a combination of r, w, m
- to control reading, writing resp.
- creating of the specific device node
- by the unit. This controls the
- devices.allow
- and
- devices.deny
- control group attributes. For details
- about these control group attributes
- see devices.txt.
-
-
-
- BlockIOWeight=
-
- Set the default or
- per-device overall block IO weight
- value for the executed
- processes. Takes either a single
- weight value (between 10 and 1000) to
- set the default block IO weight, or a
- space separated pair of a file path
- and a weight value to specify the
- device specific weight value (Example:
- "/dev/sda 500"). The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is
- determined. This controls the
- blkio.weight and
- blkio.weight_device
- control group attributes, which
- default to 1000. Use this option
- multiple times to set weights for
- multiple devices. For details about
- these control group attributes see
- blkio-controller.txt.
-
-
-
- BlockIOReadBandwidth=
- BlockIOWriteBandwidth=
-
- Set the per-device
- overall block IO bandwith limit for
- the executed processes. Takes a space
- separated pair of a file path and a
- bandwith value (in bytes per second)
- to specify the device specific
- bandwidth. The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is determined.
- If the bandwith is suffixed with K, M,
- G, or T the specified bandwith is
- parsed as Kilobytes, Megabytes,
- Gigabytes, resp. Terabytes (Example:
- "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
- 5M"). This controls the
- blkio.read_bps_device
- and
- blkio.write_bps_device
- control group attributes. Use this
- option multiple times to set bandwith
- limits for multiple devices. For
- details about these control group
- attributes see blkio-controller.txt.
-
-
ReadWriteDirectories=ReadOnlyDirectories=InaccessibleDirectories=Sets up a new
- file-system name space for executed
+ file system namespace for executed
processes. These options may be used
to limit access a process might have
- to the main file-system
+ to the main file system
hierarchy. Each setting takes a
space-separated list of absolute
directory paths. Directories listed in
@@ -981,17 +795,36 @@
usual file access controls would
permit this. Directories listed in
InaccessibleDirectories=
- will be made inaccessible for processes
- inside the namespace. Note that
- restricting access with these options
- does not extend to submounts of a
- directory. You must list submounts
- separately in these settings to
- ensure the same limited access. These
- options may be specified more than
- once in which case all directories
- listed will have limited access from
- within the
+ will be made inaccessible for
+ processes inside the namespace. Note
+ that restricting access with these
+ options does not extend to submounts
+ of a directory. You must list
+ submounts separately in these settings
+ to ensure the same limited
+ access. These options may be specified
+ more than once in which case all
+ directories listed will have limited
+ access from within the namespace. If
+ the empty string is assigned to this
+ option, the specific list is reset, and
+ all prior assignments have no
+ effect.
+ Paths in
+ ReadOnlyDirectories=
+ and
+ InaccessibleDirectories=
+ may be prefixed with
+ -, in which case
+ they will be ignored when they do not
+ exist. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
namespace.
@@ -999,26 +832,81 @@
PrivateTmp=Takes a boolean
- argument. If true sets up a new file
+ argument. If true, sets up a new file
system namespace for the executed
- processes and mounts a private
- /tmp directory
- inside it, that is not shared by
- processes outside of the
+ processes and mounts private
+ /tmp and
+ /var/tmp
+ directories inside it that is not
+ shared by processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
- /tmp
- impossible. Defaults to
- false.
+ /tmp or
+ /var/tmp
+ impossible. If this is enabled all
+ temporary files created by a service
+ in these directories will be removed
+ after the service is stopped. Defaults
+ to false. It is possible to run two or
+ more units within the same private
+ /tmp and
+ /var/tmp
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to install
+ mount points in the main mount
+ namespace.
+
+
+
+ PrivateDevices=
+
+ Takes a boolean
+ argument. If true, sets up a new /dev
+ namespace for the executed processes
+ and only adds API pseudo devices such
+ as /dev/null,
+ /dev/zero or
+ /dev/random (as
+ well as the pseudo TTY subsystem) to
+ it, but no physical devices such as
+ /dev/sda. This is
+ useful to securely turn off physical
+ device access by the executed
+ process. Defaults to false. Enabling
+ this option will also remove
+ CAP_MKNOD from
+ the capability bounding set for the
+ unit (see above), and set
+ DevicePolicy=closed
+ (see
+ systemd.resource-control5
+ for details). Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.PrivateNetwork=Takes a boolean
- argument. If true sets up a new
+ argument. If true, sets up a new
network namespace for the executed
processes and configures only the
loopback network device
@@ -1027,8 +915,23 @@
available to the executed process.
This is useful to securely turn off
network access by the executed
- process. Defaults to
- false.
+ process. Defaults to false. It is
+ possible to run two or more units
+ within the same private network
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details. Note that this option
+ will disconnect all socket families
+ from the host, this includes
+ AF_NETLINK and AF_UNIX. The latter has
+ the effect that AF_UNIX sockets in the
+ abstract socket namespace will become
+ unavailable to the processes (however,
+ those located in the file system will
+ continue to be
+ accessible).
@@ -1039,26 +942,49 @@
,
or
, which
- control whether namespaces set up with
- ReadWriteDirectories=,
- ReadOnlyDirectories=
- and
- InaccessibleDirectories=
- receive or propagate new mounts
- from/to the main namespace. See
- mount1
+ control whether mounts in the file
+ system namespace set up for this
+ unit's processes will receive or
+ propagate mounts or unmounts. See
+ mount2
for details. Defaults to
- , i.e. the new
- namespace will both receive new mount
- points from the main namespace as well
- as propagate new mounts to
- it.
+ . Use
+ to ensure that
+ mounts and unmounts are propagated
+ from the host to the container and
+ vice versa. Use
+ to run processes so that none of their
+ mounts and unmounts will propagate to
+ the host. Use
+ to also ensure that no mounts and
+ unmounts from the host will propagate
+ into the unit processes'
+ namespace. Note that
+ means that file
+ systems mounted on the host might stay
+ mounted continously in the unit's
+ namespace, and thus keep the device
+ busy. Note that the file system
+ namespace related options
+ (PrivateTmp=,
+ PrivateDevices=,
+ ReadOnlyDirectories=,
+ InaccessibleDirectories=
+ and
+ ReadWriteDirectories=)
+ require that mount and unmount
+ propagation from the unit's file
+ system namespace is disabled, and
+ hence downgrade
+ to
+ .
+
UtmpIdentifier=
- Takes a a four
+ Takes a four
character identifier string for an
utmp/wtmp entry for this service. This
should only be set for services such
@@ -1067,7 +993,7 @@
entries must be created and cleared
before and after execution. If the
configured string is longer than four
- characters it is truncated and the
+ characters, it is truncated and the
terminal four characters are
used. This setting interprets %I style
string replacements. This setting is
@@ -1076,20 +1002,434 @@
this service.
+
+ SELinuxContext=
+
+ Set the SELinux
+ security context of the executed
+ process. If set, this will override
+ the automated domain
+ transition. However, the policy still
+ needs to autorize the transition. This
+ directive is ignored if SELinux is
+ disabled. If prefixed by
+ -, all errors will
+ be ignored. See
+ setexeccon3
+ for details.
+
+
+
+ AppArmorProfile=
+
+ Take a profile name as argument.
+ The process executed by the unit will switch to
+ this profile when started. Profiles must already
+ be loaded in the kernel, or the unit will fail.
+ This result in a non operation if AppArmor is not
+ enabled. If prefixed by -, all errors
+ will be ignored.
+
+
+
IgnoreSIGPIPE=Takes a boolean
- argument. If true causes SIGPIPE to be
+ argument. If true, causes SIGPIPE to be
ignored in the executed
- process. Defaults to true, since
- SIGPIPE generally is useful only in
+ process. Defaults to true because
+ SIGPIPE generally is useful only in
shell pipelines.
+
+ NoNewPrivileges=
+
+ Takes a boolean
+ argument. If true, ensures that the
+ service process and all its children
+ can never gain new privileges. This
+ option is more powerful than the respective
+ secure bits flags (see above), as it
+ also prohibits UID changes of any
+ kind. This is the simplest, most
+ effective way to ensure that a process
+ and its children can never elevate
+ privileges again.
+
+
+
+ SystemCallFilter=
+
+ Takes a
+ space-separated list of system call
+ names. If this setting is used, all
+ system calls executed by the unit
+ processes except for the listed ones
+ will result in immediate process
+ termination with the
+ SIGSYS signal
+ (whitelisting). If the first character
+ of the list is ~,
+ the effect is inverted: only the
+ listed system calls will result in
+ immediate process termination
+ (blacklisting). If running in user
+ mode and this option is used,
+ NoNewPrivileges=yes
+ is implied. This feature makes use of the
+ Secure Computing Mode 2 interfaces of
+ the kernel ('seccomp filtering') and
+ is useful for enforcing a minimal
+ sandboxing environment. Note that the
+ execve,
+ rt_sigreturn,
+ sigreturn,
+ exit_group,
+ exit system calls
+ are implicitly whitelisted and do not
+ need to be listed explicitly. This
+ option may be specified more than once
+ in which case the filter masks are
+ merged. If the empty string is
+ assigned, the filter is reset, all
+ prior assignments will have no
+ effect.
+
+ If you specify both types of
+ this option (i.e. whitelisting and
+ blacklisting), the first encountered
+ will take precedence and will dictate
+ the default action (termination or
+ approval of a system call). Then the
+ next occurrences of this option will
+ add or delete the listed system calls
+ from the set of the filtered system
+ calls, depending of its type and the
+ default action. (For example, if you have started
+ with a whitelisting of
+ read and
+ write, and right
+ after it add a blacklisting of
+ write, then
+ write will be
+ removed from the set.)
+
+
+
+
+ SystemCallErrorNumber=
+
+ Takes an
+ errno error number
+ name to return when the system call
+ filter configured with
+ SystemCallFilter=
+ is triggered, instead of terminating
+ the process immediately. Takes an
+ error name such as
+ EPERM,
+ EACCES or
+ EUCLEAN. When this
+ setting is not used, or when the empty
+ string is assigned, the process will be
+ terminated immediately when the filter
+ is triggered.
+
+
+
+ SystemCallArchitectures=
+
+ Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ x86,
+ x86-64,
+ x32,
+ arm as well as
+ the special identifier
+ native. Only
+ system calls of the specified
+ architectures will be permitted to
+ processes of this unit. This is an
+ effective way to disable compatibility
+ with non-native architectures for
+ processes, for example to prohibit
+ execution of 32-bit x86 binaries on
+ 64-bit x86-64 systems. The special
+ native identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). If
+ running in user mode and this option
+ is used,
+ NoNewPrivileges=yes
+ is implied. Note that setting this
+ option to a non-empty list implies
+ that native is
+ included too. By default, this option
+ is set to the empty list, i.e. no
+ architecture system call filtering is
+ applied.
+
+
+
+ RestrictAddressFamilies=
+
+ Restricts the set of
+ socket address families accessible to
+ the processes of this unit. Takes a
+ space-separated list of address family
+ names to whitelist, such as
+ AF_UNIX,
+ AF_INET or
+ AF_INET6. When
+ prefixed with ~
+ the listed address families will be
+ applied as blacklist, otherwise as
+ whitelist. Note that this restricts
+ access to the
+ socket2
+ system call only. Sockets passed into
+ the process by other means (for
+ example, by using socket activation
+ with socket units, see
+ systemd.socket5)
+ are unaffected. Also, sockets created
+ with socketpair()
+ (which creates connected AF_UNIX
+ sockets only) are unaffected. Note
+ that this option has no effect on
+ 32bit x86 and is ignored (but works
+ correctly on x86-64). If running in user
+ mode and this option is used,
+ NoNewPrivileges=yes
+ is implied. By default no
+ restriction applies, all address
+ families are accessible to
+ processes. If assigned the empty
+ string any previous list changes are
+ undone.
+
+ Use this option to limit
+ exposure of processes to remote
+ systems, in particular via exotic
+ network protocols. Note that in most
+ cases the local
+ AF_UNIX address
+ family should be included in the
+ configured whitelist as it is
+ frequently used for local
+ communication, including for
+ syslog2
+ logging.
+
+
+
+ Personality=
+
+ Controls which
+ kernel architecture
+ uname2
+ shall report, when invoked by unit
+ processes. Takes one of
+ x86 and
+ x86-64. This is
+ useful when running 32bit services on
+ a 64bit host system. If not specified
+ the personality is left unmodified and
+ thus reflects the personality of the
+ host system's
+ kernel.
+
+
+
+ RuntimeDirectory=
+ RuntimeDirectoryMode=
+
+ Takes a list of
+ directory names. If set one or more
+ directories by the specified names
+ will be created below
+ /run (for system
+ services) or below
+ $XDG_RUNTIME_DIR
+ (for user services) when the unit is
+ started and removed when the unit is
+ stopped. The directories will have the
+ access mode specified in
+ RuntimeDirectoryMode=,
+ and will be owned by the user and
+ group specified in
+ User= and
+ Group=. Use this to
+ manage one or more runtime directories
+ of the unit and bind their lifetime to
+ the daemon runtime. The specified
+ directory names must be relative, and
+ may not include a
+ /, i.e. must refer
+ to simple directories to create or
+ remove. This is particularly useful
+ for unpriviliges daemons that cannot
+ create runtime directories in
+ /run due to lack
+ of privileges, and to make sure the
+ runtime directory is cleaned up
+ automatically after use. For runtime
+ directories that require more complex
+ or different configuration or lifetime
+ guarantees, please consider using
+ tmpfiles.d5.
+
+
+
+ Environment variables in spawned processes
+
+ Processes started by the system are executed in
+ a clean environment in which select variables
+ listed below are set. System processes started by systemd
+ do not inherit variables from PID 1, but processes
+ started by user systemd instances inherit all
+ environment variables from the user systemd instance.
+
+
+
+
+ $PATH
+
+ Colon-separated list
+ of directiories to use when launching
+ executables. Systemd uses a fixed
+ value of
+ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.
+
+
+
+
+ $LANG
+
+ Locale. Can be set in
+ locale.conf5
+ or on the kernel command line (see
+ systemd1
+ and
+ kernel-command-line7).
+
+
+
+
+ $USER
+ $LOGNAME
+ $HOME
+ $SHELL
+
+ User name (twice), home
+ directory, and the login shell.
+ The variables are set for the units that
+ have User= set,
+ which includes user
+ systemd instances.
+ See
+ passwd5.
+
+
+
+
+ $XDG_RUNTIME_DIR
+
+ The directory for volatile
+ state. Set for the user systemd
+ instance, and also in user sessions.
+ See
+ pam_systemd8.
+
+
+
+
+ $XDG_SESSION_ID
+ $XDG_SEAT
+ $XDG_VTNR
+
+ The identifier of the
+ session, the seat name, and
+ virtual terminal of the session. Set
+ by
+ pam_systemd8
+ for login sessions.
+ $XDG_SEAT and
+ $XDG_VTNR will
+ only be set when attached to a seat and a
+ tty.
+
+
+
+ $MAINPID
+
+ The PID of the units
+ main process if it is known. This is
+ only set for control processes as
+ invoked by
+ ExecReload= and
+ similar.
+
+
+
+ $MANAGERPID
+
+ The PID of the user
+ systemd instance,
+ set for processes spawned by it.
+
+
+
+
+ $LISTEN_FDS
+ $LISTEN_PID
+
+ Information about file
+ descriptors passed to a service for
+ socket activation. See
+ sd_listen_fds3.
+
+
+
+
+ $TERM
+
+ Terminal type, set
+ only for units connected to a terminal
+ (StandardInput=tty,
+ StandardOutput=tty,
+ or
+ StandardError=tty).
+ See
+ termcap5.
+
+
+
+
+ Additional variables may be configured by the
+ following means: for processes spawned in specific
+ units, use the Environment= and
+ EnvironmentFile= options above; to
+ specify variables globally, use
+ DefaultEnvironment= (see
+ systemd-system.conf5)
+ or the kernel option
+ systemd.setenv= (see
+ systemd1). Additional
+ variables may also be set through PAM,
+ c.f. pam_env8.
+
+
See Also
@@ -1100,7 +1440,12 @@
systemd.service5,
systemd.socket5,
systemd.swap5,
- systemd.mount5
+ systemd.mount5,
+ systemd.kill5,
+ systemd.resource-control5,
+ systemd.directives7,
+ tmpfiles.d5,
+ exec3