X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd.exec.xml;h=cfcf996dab8e9d7b1661a60f61b3fdb762248d1b;hp=952bb9595ea28987fdec55b5e5309619bf9d54a0;hb=79c1afc67f973eaece8f1b7016e016bb33c256a7;hpb=5f9cfd4c3877fdc68618faf9ae5efb5948e002b6
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 952bb9595..cfcf996da 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1,4 +1,3 @@
-
@@ -48,17 +47,17 @@
- systemd.service,
- systemd.socket,
- systemd.mount,
- systemd.swap
+ service.service,
+ socket.socket,
+ mount.mount,
+ swap.swapDescriptionUnit configuration files for services, sockets,
- mount points and swap devices share a subset of
+ mount points, and swap devices share a subset of
configuration options which define the execution
environment of spawned processes.
@@ -69,7 +68,7 @@
files, and
systemd.service5,
systemd.socket5,
- systemd.swap5
+ systemd.swap5,
and
systemd.mount5
for more information on the specific unit
@@ -90,7 +89,7 @@
Takes an absolute
directory path. Sets the working
directory for executed processes. If
- not set defaults to the root directory
+ not set, defaults to the root directory
when systemd is running as a system
instance and the respective user's
home directory if run as
@@ -104,8 +103,8 @@
directory path. Sets the root
directory for executed processes, with
the
- chroot2
- system call. If this is used it must
+ chroot2
+ system call. If this is used, it must
be ensured that the process and all
its auxiliary files are available in
the chroot()
@@ -129,7 +128,7 @@
Sets the supplementary
Unix groups the processes are executed
- as. This takes a space separated list
+ as. This takes a space-separated list
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
@@ -167,7 +166,7 @@
for this process) and 1000 (to make
killing of this process under memory
pressure very likely). See proc.txt
+ url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt
for details.
@@ -234,7 +233,7 @@
CPUSchedulingResetOnFork=Takes a boolean
- argument. If true elevated CPU
+ argument. If true, elevated CPU
scheduling priorities and policies
will be reset when the executed
processes fork, and can hence not leak
@@ -249,11 +248,11 @@
Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. This option may
+ list of CPU indices. This option may
be specified more than once in which
case the specificed CPU affinity masks
are merged. If the empty string is
- assigned the mask is reset, all
+ assigned, the mask is reset, all
assignments prior to this will have no
effect. See
sched_setaffinity2
@@ -281,28 +280,31 @@
option may be specified more than once
in which case all listed variables
will be set. If the same variable is
- set twice the later setting will
+ set twice, the later setting will
override the earlier setting. If the
empty string is assigned to this
- option the list of environment
+ option, the list of environment
variables is reset, all prior
assignments have no effect.
Variable expansion is not performed
- inside the strings, and $ has no special
- meaning.
+ inside the strings, however, specifier
+ expansion is possible. The $ character has
+ no special meaning.
If you need to assign a value containing spaces
to a variable, use double quotes (")
for the assignment.Example:
- Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"
+ Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
gives three variables VAR1,
- VAR2, VAR3.
+ VAR2, VAR3
+ with the values word1 word2,
+ word3, $word 5 6.
See
- environ7
+ environ7
for details about environment variables.
@@ -311,7 +313,7 @@
Environment= but
reads the environment variables from a
text file. The text file should
- contain new-line separated variable
+ contain new-line-separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
which may be used for commenting. A line
@@ -323,26 +325,32 @@
double quotes (").The argument passed should be an
- absolute file name or wildcard
+ absolute filename or wildcard
expression, optionally prefixed with
- "-", which indicates that if the file
- does not exist it won't be read and no
- error or warning message is logged.
- This option may be specified more than
- once in which case all specified files
- are read. If the empty string is
- assigned to this option the list of
- file to read is reset, all prior
- assignments have no effect.
+ -, which indicates
+ that if the file does not exist, it
+ will not be read and no error or warning
+ message is logged. This option may be
+ specified more than once in which case
+ all specified files are read. If the
+ empty string is assigned to this
+ option, the list of file to read is
+ reset, all prior assignments have no
+ effect.The files listed with this
directive will be read shortly before
- the process is executed. Settings from
- these files override settings made
- with
+ the process is executed (more
+ specifically, after all
+ processes from a previous unit state
+ terminated. This means you can
+ generate these files in one unit
+ state, and read it with this option in
+ the next). Settings from these files
+ override settings made with
Environment=. If
the same variable is set twice from
- these files the files will be read in
+ these files, the files will be read in
the order they are specified and the
later setting will override the
earlier setting.
@@ -357,49 +365,59 @@
,
,
or
- . If
- is selected
- standard input will be connected to
+ .
+
+ If is
+ selected, standard input will be
+ connected to
/dev/null,
i.e. all read attempts by the process
- will result in immediate EOF. If
- is selected
- standard input is connected to a TTY
- (as configured by
+ will result in immediate EOF.
+
+ If is
+ selected, standard input is connected
+ to a TTY (as configured by
TTYPath=, see
below) and the executed process
becomes the controlling process of the
terminal. If the terminal is already
- being controlled by another process the
- executed process waits until the current
- controlling process releases the
- terminal.
-
- is similar to ,
- but the executed process is forcefully
- and immediately made the controlling
+ being controlled by another process,
+ the executed process waits until the
+ current controlling process releases
+ the terminal.
+
+ is similar
+ to , but the
+ executed process is forcefully and
+ immediately made the controlling
process of the terminal, potentially
removing previous controlling
processes from the
- terminal. is
+ terminal.
+
+ is
similar to but if
the terminal already has a controlling
process start-up of the executed
- process fails. The
- option is only
- valid in socket-activated services,
- and only when the socket configuration
- file (see
+ process fails.
+
+ The
+ option is only valid in
+ socket-activated services, and only
+ when the socket configuration file
+ (see
systemd.socket5
for details) specifies a single socket
- only. If this option is set standard
+ only. If this option is set, standard
input will be connected to the socket
the service was activated from, which
is primarily useful for compatibility
with daemons designed for use with the
traditional
inetd8
- daemon. This setting defaults to
+ daemon.
+
+ This setting defaults to
.
@@ -410,56 +428,84 @@
of ,
,
,
+ ,
,
,
- ,
+ ,
,
- ,
- or
- . If set to
- the file
- descriptor of standard input is
- duplicated for standard output. If set
- to standard
- output will be connected to
+ or
+ .
+
+
+ duplicates the file descriptor of
+ standard input for standard
+ output.
+
+ connects
+ standard output to
/dev/null,
i.e. everything written to it will be
- lost. If set to
- standard output will be connected to a
- tty (as configured via
+ lost.
+
+ connects
+ standard output to a tty (as
+ configured via
TTYPath=, see
below). If the TTY is used for output
- only the executed process will not
+ only, the executed process will not
become the controlling process of the
terminal, and will not fail or wait
for other processes to release the
- terminal.
- connects standard output to the
- syslog3
- system syslog
- service.
- connects it with the kernel log buffer
- which is accessible via
- dmesg1.
- connects it with the journal which is
- accessible via
- journalctl1
- (Note that everything that is written
- to syslog or kmsg is implicitly stored
- in the journal as well, those options
- are hence supersets of this
- one). ,
- and
- work
- similarly but copy the output to the
- system console as
- well. connects
- standard output to a socket from
- socket activation, semantics are
- similar to the respective option of
- StandardInput=.
- This setting defaults to the value set
- with
+ terminal.
+
+
+ connects standard output with the
+ journal which is accessible via
+ journalctl1.
+ Note that everything that is written
+ to syslog or kmsg (see below) is
+ implicitly stored in the journal as
+ well, the specific two options listed
+ below are hence supersets of this
+ one.
+
+ connects
+ standard output to the syslog3
+ system syslog service, in addition to
+ the journal. Note that the journal
+ daemon is usually configured to
+ forward everything it receives to
+ syslog anyway, in which case this
+ option is no different from
+ .
+
+ connects
+ standard output with the kernel log
+ buffer which is accessible via
+ dmesg1,
+ in addition to the journal. The
+ journal daemon might be configured to
+ send all logs to kmsg anyway, in which
+ case this option is no different from
+ .
+
+ ,
+ and
+ work in
+ a similar way as the three options
+ above but copy the output to the
+ system console as well.
+
+ connects
+ standard output to a socket acquired
+ via socket activation. The semantics
+ are similar to the same option of
+ StandardInput=.
+
+ This setting defaults to the
+ value set with
in
systemd-system.conf5,
@@ -469,9 +515,9 @@
StandardError=Controls where file
- descriptor 2 (STDERR) of the executed
- processes is connected to. The
- available options are identical to
+ descriptor 2 (STDERR) of the
+ executed processes is connected to.
+ The available options are identical to
those of
StandardOutput=,
with one exception: if set to
@@ -488,8 +534,8 @@
TTYPath=Sets the terminal
- device node to use if standard input,
- output or stderr are connected to a
+ device node to use if standard input, output,
+ or error are connected to a
TTY (see above). Defaults to
/dev/console.
@@ -516,7 +562,7 @@
If the terminal
device specified with
TTYPath= is a
- virtual console terminal try to
+ virtual console terminal, try to
deallocate the TTY before and after
execution. This ensures that the
screen and scrollback buffer is
@@ -527,7 +573,7 @@
SyslogIdentifier=Sets the process name
to prefix log lines sent to syslog or
- the kernel log buffer with. If not set
+ the kernel log buffer with. If not set,
defaults to the process name of the
executed process. This option is only
useful when
@@ -560,7 +606,7 @@
,
or
. See
- syslog3
+ syslog3
for details. This option is only
useful when
StandardOutput= or
@@ -582,7 +628,7 @@
,
,
. See
- syslog3
+ syslog3
for details. This option is only
useful when
StandardOutput= or
@@ -671,43 +717,18 @@
PAMName=Sets the PAM service
- name to set up a session as. If set
+ name to set up a session as. If set,
the executed process will be
registered as a PAM session under the
specified service name. This is only
useful in conjunction with the
User= setting. If
- not set no PAM session will be opened
+ not set, no PAM session will be opened
for the executed processes. See
- pam8
+ pam8
for details.
-
- TCPWrapName=
- If this is a
- socket-activated service this sets the
- tcpwrap service name to check the
- permission for the current connection
- with. This is only useful in
- conjunction with socket-activated
- services, and stream sockets (TCP) in
- particular. It has no effect on other
- socket types (e.g. datagram/UDP) and
- on processes unrelated to socket-based
- activation. If the tcpwrap
- verification fails daemon start-up
- will fail and the connection is
- terminated. See
- tcpd8
- for details. Note that this option may
- be used to do access control checks
- only. Shell commands and commands
- described in
- hosts_options5
- are not supported.
-
-
CapabilityBoundingSet=
@@ -715,40 +736,48 @@
capabilities to include in the
capability bounding set for the
executed process. See
- capabilities7
- for details. Takes a whitespace
- separated list of capability names as
- read by
- cap_from_name3.
+ capabilities7
+ for details. Takes a whitespace-separated
+ list of capability names as read by
+ cap_from_name3,
+ e.g. CAP_SYS_ADMIN,
+ CAP_DAC_OVERRIDE,
+ CAP_SYS_PTRACE.
Capabilities listed will be included
in the bounding set, all others are
removed. If the list of capabilities
- is prefixed with ~ all but the listed
- capabilities will be included, the
- effect of the assignment
- inverted. Note that this option also
- effects the respective capabilities in
- the effective, permitted and
- inheritable capability sets, on top of
- what Capabilities=
- does. If this option is not used the
+ is prefixed with ~,
+ all but the listed capabilities will
+ be included, the effect of the
+ assignment inverted. Note that this
+ option also affects the respective
+ capabilities in the effective,
+ permitted and inheritable capability
+ sets, on top of what
+ Capabilities=
+ does. If this option is not used, the
capability bounding set is not
modified on process execution, hence
no limits on the capabilities of the
process are enforced. This option may
appear more than once in which case
- the bounding sets are merged. If the empty
- string is assigned to this option the
- bounding set is reset, and all prior
- settings have no
- effect.
+ the bounding sets are merged. If the
+ empty string is assigned to this
+ option, the bounding set is reset to
+ the empty capability set, and all
+ prior settings have no effect. If set
+ to ~ (without any
+ further argument), the bounding set is
+ reset to the full set of available
+ capabilities, also undoing any
+ previous settings.SecureBits=Controls the secure
bits set for the executed process. See
- capabilities7
+ capabilities7
for details. Takes a list of strings:
,
,
@@ -759,21 +788,21 @@
option may appear more than once in
which case the secure bits are
ORed. If the empty string is assigned
- to this option the bits are reset to
+ to this option, the bits are reset to
0.Capabilities=Controls the
- capabilities7
+ capabilities7
set for the executed process. Take a
capability string describing the
effective, permitted and inherited
capability sets as documented in
cap_from_text3.
Note that these capability sets are
- usually influenced by the capabilities
+ usually influenced (and filtered) by the capabilities
attached to the executed file. Due to
that
CapabilityBoundingSet=
@@ -781,285 +810,16 @@
setting.
-
- ControlGroup=
-
- Controls the control
- groups the executed processes shall be
- made members of. Takes a
- space-separated list of cgroup
- identifiers. A cgroup identifier is
- formatted like
- cpu:/foo/bar,
- where "cpu" indicates the kernel
- control group controller used, and
- /foo/bar is the
- control group path. The controller
- name and ":" may be omitted in which
- case the named systemd control group
- hierarchy is implied. Alternatively,
- the path and ":" may be omitted, in
- which case the default control group
- path for this unit is implied.
-
- This option may be used to place
- executed processes in arbitrary groups
- in arbitrary hierarchies -- which may
- then be externally configured with
- additional execution limits. By
- default systemd will place all
- executed processes in separate
- per-unit control groups (named after
- the unit) in the systemd named
- hierarchy. This option is primarily
- intended to place executed processes
- in specific paths in specific kernel
- controller hierarchies. It is not
- recommended to manipulate the service
- control group path in the systemd
- named hierarchy. For details about
- control groups see cgroups.txt.
-
- This option may appear more than
- once, in which case the list of
- control group assignments is
- merged. If the same hierarchy gets two
- different paths assigned only the
- later setting will take effect. If the
- empty string is assigned to this
- option the list of control group
- assignments is reset, all previous
- assignments will have no
- effect.
-
- Note that the list of control
- group assignments of a unit is
- extended implicitly based on the
- settings of
- DefaultControllers=
- of
- systemd-system.conf5,
- but a unit's
- ControlGroup=
- setting for a specific controller
- takes precedence.
-
-
-
- ControlGroupModify=
- Takes a boolean
- argument. If true, the control groups
- created for this unit will be owned by
- the user specified with
- User= (and the
- appropriate group), and he/she can create
- subgroups as well as add processes to
- the group.
-
-
-
- ControlGroupPersistent=
- Takes a boolean
- argument. If true, the control groups
- created for this unit will be marked
- to be persistent, i.e. systemd will
- not remove them when stopping the
- unit. The default is false, meaning
- that the control groups will be
- removed when the unit is stopped. For
- details about the semantics of this
- logic see PaxControlGroups.
-
-
-
- ControlGroupAttribute=
-
- Set a specific control
- group attribute for executed
- processes, and (if needed) add the
- executed processes to a cgroup in the
- hierarchy of the controller the
- attribute belongs to. Takes two
- space-separated arguments: the
- attribute name (syntax is
- cpu.shares where
- cpu refers to a
- specific controller and
- shares to the
- attribute name), and the attribute
- value. Example:
- ControlGroupAttribute=cpu.shares
- 512. If this option is used
- for an attribute that belongs to a
- kernel controller hierarchy the unit
- is not already configured to be added
- to (for example via the
- ControlGroup=
- option) then the unit will be added to
- the controller and the default unit
- cgroup path is implied. Thus, using
- ControlGroupAttribute=
- is in most cases sufficient to make
- use of control group enforcements,
- explicit
- ControlGroup= are
- only necessary in case the implied
- default control group path for a
- service is not desirable. For details
- about control group attributes see
- cgroups.txt. This
- option may appear more than once, in
- order to set multiple control group
- attributes. If this option is used
- multiple times for the same cgroup
- attribute only the later setting takes
- effect. If the empty string is
- assigned to this option the list of
- attributes is reset, all previous
- cgroup attribute settings have no
- effect, including those done with
- CPUShares=,
- MemoryLimit=,
- MemorySoftLimit,
- DeviceAllow=,
- DeviceDeny=,
- BlockIOWeight=,
- BlockIOReadBandwidth=,
- BlockIOWriteBandwidth=.
-
-
-
-
- CPUShares=
-
- Assign the specified
- overall CPU time shares to the
- processes executed. Takes an integer
- value. This controls the
- cpu.shares control
- group attribute, which defaults to
- 1024. For details about this control
- group attribute see sched-design-CFS.txt.
-
-
-
- MemoryLimit=
- MemorySoftLimit=
-
- Limit the overall memory usage
- of the executed processes to a certain
- size. Takes a memory size in bytes. If
- the value is suffixed with K, M, G or
- T the specified memory size is parsed
- as Kilobytes, Megabytes, Gigabytes,
- or Terabytes (to the base
- 1024), respectively. This controls the
- memory.limit_in_bytes
- and
- memory.soft_limit_in_bytes
- control group attributes. For details
- about these control group attributes
- see memory.txt.
-
-
-
- DeviceAllow=
- DeviceDeny=
-
- Control access to
- specific device nodes by the executed processes. Takes two
- space separated strings: a device node
- path (such as
- /dev/null)
- followed by a combination of r, w, m
- to control reading, writing, or
- creating of the specific device node
- by the unit, respectively. This controls the
- devices.allow
- and
- devices.deny
- control group attributes. For details
- about these control group attributes
- see devices.txt.
-
-
-
- BlockIOWeight=
-
- Set the default or
- per-device overall block IO weight
- value for the executed
- processes. Takes either a single
- weight value (between 10 and 1000) to
- set the default block IO weight, or a
- space separated pair of a file path
- and a weight value to specify the
- device specific weight value (Example:
- "/dev/sda 500"). The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is
- determined. This controls the
- blkio.weight and
- blkio.weight_device
- control group attributes, which
- default to 1000. Use this option
- multiple times to set weights for
- multiple devices. For details about
- these control group attributes see
- blkio-controller.txt.
-
-
-
- BlockIOReadBandwidth=
- BlockIOWriteBandwidth=
-
- Set the per-device
- overall block IO bandwidth limit for
- the executed processes. Takes a space
- separated pair of a file path and a
- bandwidth value (in bytes per second)
- to specify the device specific
- bandwidth. The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is determined.
- If the bandwidth is suffixed with K, M,
- G, or T the specified bandwidth is
- parsed as Kilobytes, Megabytes,
- Gigabytes, or Terabytes, respectively (Example:
- "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
- 5M"). This controls the
- blkio.read_bps_device
- and
- blkio.write_bps_device
- control group attributes. Use this
- option multiple times to set bandwidth
- limits for multiple devices. For
- details about these control group
- attributes see blkio-controller.txt.
-
-
ReadWriteDirectories=ReadOnlyDirectories=InaccessibleDirectories=
- Sets up a new
- file-system name space for executed
+ Sets up a new file
+ system namespace for executed
processes. These options may be used
to limit access a process might have
- to the main file-system
+ to the main file system
hierarchy. Each setting takes a
space-separated list of absolute
directory paths. Directories listed in
@@ -1077,45 +837,112 @@
processes inside the namespace. Note
that restricting access with these
options does not extend to submounts
- of a directory. You must list
- submounts separately in these settings
- to ensure the same limited
- access. These options may be specified
+ of a directory that are created later
+ on. These options may be specified
more than once in which case all
directories listed will have limited
access from within the namespace. If
the empty string is assigned to this
- option the specific list is reset, and
- all prior assignments have no
- effect.
+ option, the specific list is reset,
+ and all prior assignments have no
+ effect.
+ Paths in
+ ReadOnlyDirectories=
+ and
+ InaccessibleDirectories=
+ may be prefixed with
+ -, in which case
+ they will be ignored when they do not
+ exist. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.PrivateTmp=Takes a boolean
- argument. If true sets up a new file
+ argument. If true, sets up a new file
system namespace for the executed
processes and mounts private
/tmp and
- /var/tmp directories
- inside it, that are not shared by
- processes outside of the
+ /var/tmp
+ directories inside it that is not
+ shared by processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
/tmp or
/var/tmp
- impossible. Defaults to
- false.
+ impossible. If this is enabled, all
+ temporary files created by a service
+ in these directories will be removed
+ after the service is stopped. Defaults
+ to false. It is possible to run two or
+ more units within the same private
+ /tmp and
+ /var/tmp
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details. Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to install
+ mount points in the main mount
+ namespace.
+
+
+
+ PrivateDevices=
+
+ Takes a boolean
+ argument. If true, sets up a new /dev
+ namespace for the executed processes
+ and only adds API pseudo devices such
+ as /dev/null,
+ /dev/zero or
+ /dev/random (as
+ well as the pseudo TTY subsystem) to
+ it, but no physical devices such as
+ /dev/sda. This is
+ useful to securely turn off physical
+ device access by the executed
+ process. Defaults to false. Enabling
+ this option will also remove
+ CAP_MKNOD from
+ the capability bounding set for the
+ unit (see above), and set
+ DevicePolicy=closed
+ (see
+ systemd.resource-control5
+ for details). Note that using this
+ setting will disconnect propagation of
+ mounts from the service to the host
+ (propagation in the opposite direction
+ continues to work). This means that
+ this setting may not be used for
+ services which shall be able to
+ install mount points in the main mount
+ namespace.PrivateNetwork=Takes a boolean
- argument. If true sets up a new
+ argument. If true, sets up a new
network namespace for the executed
processes and configures only the
loopback network device
@@ -1124,8 +951,84 @@
available to the executed process.
This is useful to securely turn off
network access by the executed
- process. Defaults to
- false.
+ process. Defaults to false. It is
+ possible to run two or more units
+ within the same private network
+ namespace by using the
+ JoinsNamespaceOf=
+ directive, see
+ systemd.unit5
+ for details. Note that this option
+ will disconnect all socket families
+ from the host, this includes
+ AF_NETLINK and AF_UNIX. The latter has
+ the effect that AF_UNIX sockets in the
+ abstract socket namespace will become
+ unavailable to the processes (however,
+ those located in the file system will
+ continue to be
+ accessible).
+
+
+
+ ProtectSystem=
+
+ Takes a boolean
+ argument or
+ full. If true,
+ mounts the /usr
+ directory read-only for processes
+ invoked by this unit. If set to
+ full, the
+ /etc directory is mounted
+ read-only, too. This setting ensures
+ that any modification of the vendor
+ supplied operating system (and
+ optionally its configuration) is
+ prohibited for the service. It is
+ recommended to enable this setting for
+ all long-running services, unless they
+ are involved with system updates or
+ need to modify the operating system in
+ other ways. Note however that
+ processes retaining the CAP_SYS_ADMIN
+ capability can undo the effect of this
+ setting. This setting is hence
+ particularly useful for daemons which
+ have this capability removed, for
+ example with
+ CapabilityBoundingSet=. Defaults
+ to off.
+
+
+
+ ProtectHome=
+
+ Takes a boolean
+ argument or
+ read-only. If true,
+ the directories
+ /home and
+ /run/user are
+ made inaccessible and empty for
+ processes invoked by this unit. If set
+ to read-only, the
+ two directores are made read-only
+ instead. It is recommended to enable
+ this setting for all long-running
+ services (in particular network-facing
+ ones), to ensure they cannot get access
+ to private user data, unless the
+ services actually require access to
+ the user's private data. Note however
+ that processes retaining the
+ CAP_SYS_ADMIN capability can undo the
+ effect of this setting. This setting
+ is hence particularly useful for
+ daemons which have this capability
+ removed, for example with
+ CapabilityBoundingSet=. Defaults
+ to off.
@@ -1136,13 +1039,45 @@
,
or
, which
- control whether the file system
- namespace set up for this unit's
- processes will receive or propagate
- new mounts. See
+ control whether mounts in the file
+ system namespace set up for this
+ unit's processes will receive or
+ propagate mounts or unmounts. See
mount2
- for details. Default to
- .
+ for details. Defaults to
+ . Use
+ to ensure that
+ mounts and unmounts are propagated
+ from the host to the container and
+ vice versa. Use
+ to run processes so that none of their
+ mounts and unmounts will propagate to
+ the host. Use
+ to also ensure that no mounts and
+ unmounts from the host will propagate
+ into the unit processes'
+ namespace. Note that
+ means that file
+ systems mounted on the host might stay
+ mounted continously in the unit's
+ namespace, and thus keep the device
+ busy. Note that the file system
+ namespace related options
+ (PrivateTmp=,
+ PrivateDevices=,
+ ProtectSystem=,
+ ProtectHome=,
+ ReadOnlyDirectories=,
+ InaccessibleDirectories=
+ and
+ ReadWriteDirectories=)
+ require that mount and unmount
+ propagation from the unit's file
+ system namespace is disabled, and
+ hence downgrade
+ to
+ .
+
@@ -1157,7 +1092,7 @@
entries must be created and cleared
before and after execution. If the
configured string is longer than four
- characters it is truncated and the
+ characters, it is truncated and the
terminal four characters are
used. This setting interprets %I style
string replacements. This setting is
@@ -1166,14 +1101,44 @@
this service.
+
+ SELinuxContext=
+
+ Set the SELinux
+ security context of the executed
+ process. If set, this will override
+ the automated domain
+ transition. However, the policy still
+ needs to autorize the transition. This
+ directive is ignored if SELinux is
+ disabled. If prefixed by
+ -, all errors will
+ be ignored. See
+ setexeccon3
+ for details.
+
+
+
+ AppArmorProfile=
+
+ Takes a profile name as argument.
+ The process executed by the unit will switch to
+ this profile when started. Profiles must already
+ be loaded in the kernel, or the unit will fail.
+ This result in a non operation if AppArmor is not
+ enabled. If prefixed by -, all errors
+ will be ignored.
+
+
+
IgnoreSIGPIPE=Takes a boolean
- argument. If true causes SIGPIPE to be
+ argument. If true, causes SIGPIPE to be
ignored in the executed
- process. Defaults to true, since
- SIGPIPE generally is useful only in
+ process. Defaults to true because
+ SIGPIPE generally is useful only in
shell pipelines.
@@ -1181,7 +1146,7 @@
NoNewPrivileges=Takes a boolean
- argument. If true ensures that the
+ argument. If true, ensures that the
service process and all its children
can never gain new privileges. This
option is more powerful than the respective
@@ -1196,43 +1161,374 @@
SystemCallFilter=
- Takes a space
- separated list of system call
- names. If this setting is used all
+ Takes a
+ space-separated list of system call
+ names. If this setting is used, all
system calls executed by the unit
- process except for the listed ones
+ processes except for the listed ones
will result in immediate process
- termination with the SIGSYS signal
+ termination with the
+ SIGSYS signal
(whitelisting). If the first character
- of the list is ~
+ of the list is ~,
the effect is inverted: only the
listed system calls will result in
immediate process termination
- (blacklisting). If this option is used
+ (blacklisting). If running in user
+ mode and this option is used,
NoNewPrivileges=yes
- is implied. This feature makes use of
- the Secure Computing Mode 2 interfaces
- of the kernel ('seccomp filtering')
- and is useful for enforcing a minimal
+ is implied. This feature makes use of the
+ Secure Computing Mode 2 interfaces of
+ the kernel ('seccomp filtering') and
+ is useful for enforcing a minimal
sandboxing environment. Note that the
execve,
rt_sigreturn,
sigreturn,
exit_group,
exit system calls
- are implicitly whitelisted and don't
+ are implicitly whitelisted and do not
need to be listed explicitly. This
option may be specified more than once
in which case the filter masks are
merged. If the empty string is
- assigned the filter is reset, all
+ assigned, the filter is reset, all
prior assignments will have no
- effect.
+ effect.
+
+ If you specify both types of
+ this option (i.e. whitelisting and
+ blacklisting), the first encountered
+ will take precedence and will dictate
+ the default action (termination or
+ approval of a system call). Then the
+ next occurrences of this option will
+ add or delete the listed system calls
+ from the set of the filtered system
+ calls, depending of its type and the
+ default action. (For example, if you have started
+ with a whitelisting of
+ read and
+ write, and right
+ after it add a blacklisting of
+ write, then
+ write will be
+ removed from the set.)
+
+
+
+
+ SystemCallErrorNumber=
+
+ Takes an
+ errno error number
+ name to return when the system call
+ filter configured with
+ SystemCallFilter=
+ is triggered, instead of terminating
+ the process immediately. Takes an
+ error name such as
+ EPERM,
+ EACCES or
+ EUCLEAN. When this
+ setting is not used, or when the empty
+ string is assigned, the process will be
+ terminated immediately when the filter
+ is triggered.
+
+
+
+ SystemCallArchitectures=
+
+ Takes a space
+ separated list of architecture
+ identifiers to include in the system
+ call filter. The known architecture
+ identifiers are
+ x86,
+ x86-64,
+ x32,
+ arm as well as
+ the special identifier
+ native. Only
+ system calls of the specified
+ architectures will be permitted to
+ processes of this unit. This is an
+ effective way to disable compatibility
+ with non-native architectures for
+ processes, for example to prohibit
+ execution of 32-bit x86 binaries on
+ 64-bit x86-64 systems. The special
+ native identifier
+ implicitly maps to the native
+ architecture of the system (or more
+ strictly: to the architecture the
+ system manager is compiled for). If
+ running in user mode and this option
+ is used,
+ NoNewPrivileges=yes
+ is implied. Note that setting this
+ option to a non-empty list implies
+ that native is
+ included too. By default, this option
+ is set to the empty list, i.e. no
+ architecture system call filtering is
+ applied.
+
+
+
+ RestrictAddressFamilies=
+
+ Restricts the set of
+ socket address families accessible to
+ the processes of this unit. Takes a
+ space-separated list of address family
+ names to whitelist, such as
+ AF_UNIX,
+ AF_INET or
+ AF_INET6. When
+ prefixed with ~
+ the listed address families will be
+ applied as blacklist, otherwise as
+ whitelist. Note that this restricts
+ access to the
+ socket2
+ system call only. Sockets passed into
+ the process by other means (for
+ example, by using socket activation
+ with socket units, see
+ systemd.socket5)
+ are unaffected. Also, sockets created
+ with socketpair()
+ (which creates connected AF_UNIX
+ sockets only) are unaffected. Note
+ that this option has no effect on
+ 32-bit x86 and is ignored (but works
+ correctly on x86-64). If running in user
+ mode and this option is used,
+ NoNewPrivileges=yes
+ is implied. By default, no
+ restriction applies, all address
+ families are accessible to
+ processes. If assigned the empty
+ string, any previous list changes are
+ undone.
+
+ Use this option to limit
+ exposure of processes to remote
+ systems, in particular via exotic
+ network protocols. Note that in most
+ cases, the local
+ AF_UNIX address
+ family should be included in the
+ configured whitelist as it is
+ frequently used for local
+ communication, including for
+ syslog2
+ logging.
+
+
+
+ Personality=
+
+ Controls which
+ kernel architecture
+ uname2
+ shall report, when invoked by unit
+ processes. Takes one of
+ x86 and
+ x86-64. This is
+ useful when running 32-bit services on
+ a 64-bit host system. If not specified,
+ the personality is left unmodified and
+ thus reflects the personality of the
+ host system's
+ kernel.
+
+
+
+ RuntimeDirectory=
+ RuntimeDirectoryMode=
+
+ Takes a list of
+ directory names. If set, one or more
+ directories by the specified names
+ will be created below
+ /run (for system
+ services) or below
+ $XDG_RUNTIME_DIR
+ (for user services) when the unit is
+ started, and removed when the unit is
+ stopped. The directories will have the
+ access mode specified in
+ RuntimeDirectoryMode=,
+ and will be owned by the user and
+ group specified in
+ User= and
+ Group=. Use this to
+ manage one or more runtime directories
+ of the unit and bind their lifetime to
+ the daemon runtime. The specified
+ directory names must be relative, and
+ may not include a
+ /, i.e. must refer
+ to simple directories to create or
+ remove. This is particularly useful
+ for unprivileged daemons that cannot
+ create runtime directories in
+ /run due to lack
+ of privileges, and to make sure the
+ runtime directory is cleaned up
+ automatically after use. For runtime
+ directories that require more complex
+ or different configuration or lifetime
+ guarantees, please consider using
+ tmpfiles.d5.
+
+ Environment variables in spawned processes
+
+ Processes started by the system are executed in
+ a clean environment in which select variables
+ listed below are set. System processes started by systemd
+ do not inherit variables from PID 1, but processes
+ started by user systemd instances inherit all
+ environment variables from the user systemd instance.
+
+
+
+
+ $PATH
+
+ Colon-separated list
+ of directiories to use when launching
+ executables. Systemd uses a fixed
+ value of
+ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.
+
+
+
+
+ $LANG
+
+ Locale. Can be set in
+ locale.conf5
+ or on the kernel command line (see
+ systemd1
+ and
+ kernel-command-line7).
+
+
+
+
+ $USER
+ $LOGNAME
+ $HOME
+ $SHELL
+
+ User name (twice), home
+ directory, and the login shell.
+ The variables are set for the units that
+ have User= set,
+ which includes user
+ systemd instances.
+ See
+ passwd5.
+
+
+
+
+ $XDG_RUNTIME_DIR
+
+ The directory for volatile
+ state. Set for the user systemd
+ instance, and also in user sessions.
+ See
+ pam_systemd8.
+
+
+
+
+ $XDG_SESSION_ID
+ $XDG_SEAT
+ $XDG_VTNR
+
+ The identifier of the
+ session, the seat name, and
+ virtual terminal of the session. Set
+ by
+ pam_systemd8
+ for login sessions.
+ $XDG_SEAT and
+ $XDG_VTNR will
+ only be set when attached to a seat and a
+ tty.
+
+
+
+ $MAINPID
+
+ The PID of the units
+ main process if it is known. This is
+ only set for control processes as
+ invoked by
+ ExecReload= and
+ similar.
+
+
+
+ $MANAGERPID
+
+ The PID of the user
+ systemd instance,
+ set for processes spawned by it.
+
+
+
+
+ $LISTEN_FDS
+ $LISTEN_PID
+
+ Information about file
+ descriptors passed to a service for
+ socket activation. See
+ sd_listen_fds3.
+
+
+
+
+ $TERM
+
+ Terminal type, set
+ only for units connected to a terminal
+ (StandardInput=tty,
+ StandardOutput=tty,
+ or
+ StandardError=tty).
+ See
+ termcap5.
+
+
+
+
+ Additional variables may be configured by the
+ following means: for processes spawned in specific
+ units, use the Environment= and
+ EnvironmentFile= options above; to
+ specify variables globally, use
+ DefaultEnvironment= (see
+ systemd-system.conf5)
+ or the kernel option
+ systemd.setenv= (see
+ systemd1). Additional
+ variables may also be set through PAM,
+ cf. pam_env8.
+
+
See Also
@@ -1245,7 +1541,10 @@
systemd.swap5,
systemd.mount5,
systemd.kill5,
- systemd.directives7
+ systemd.resource-control5,
+ systemd.directives7,
+ tmpfiles.d5,
+ exec3