processes. Takes a space-separated
list of CPU indices. This option may
be specified more than once in which
- case the specificed CPU affinity masks
+ case the specified CPU affinity masks
are merged. If the empty string is
assigned, the mask is reset, all
assignments prior to this will have no
<varlistentry>
<term><varname>SyslogIdentifier=</varname></term>
<listitem><para>Sets the process name
- to prefix log lines sent to syslog or
- the kernel log buffer with. If not set,
- defaults to the process name of the
- executed process. This option is only
- useful when
+ to prefix log lines sent to the
+ logging system or the kernel log
+ buffer with. If not set, defaults to
+ the process name of the executed
+ process. This option is only useful
+ when
<varname>StandardOutput=</varname> or
<varname>StandardError=</varname> are
- set to <option>syslog</option> or
- <option>kmsg</option>.</para></listitem>
+ set to <option>syslog</option>,
+ <option>journal</option> or
+ <option>kmsg</option> (or to the same
+ settings in combination with
+ <option>+console</option>).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SyslogFacility=</varname></term>
<term><varname>LimitNICE=</varname></term>
<term><varname>LimitRTPRIO=</varname></term>
<term><varname>LimitRTTIME=</varname></term>
- <listitem><para>These settings control
- various resource limits for executed
- processes. See
+ <listitem><para>These settings set both
+ soft and hard limits of various resources for
+ executed processes. See
<citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Use the string
<varname>infinity</varname> to
configure no limit on a specific
resource.</para></listitem>
+
+ <table>
+ <title>Limit directives and their equivalent with ulimit</title>
+
+ <tgroup cols='2'>
+ <colspec colname='directive' />
+ <colspec colname='equivalent' />
+ <thead>
+ <row>
+ <entry>Directive</entry>
+ <entry>ulimit equivalent</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>LimitCPU</entry>
+ <entry>ulimit -t</entry>
+ </row>
+ <row>
+ <entry>LimitFSIZE</entry>
+ <entry>ulimit -f</entry>
+ </row>
+ <row>
+ <entry>LimitDATA</entry>
+ <entry>ulimit -d</entry>
+ </row>
+ <row>
+ <entry>LimitSTACK</entry>
+ <entry>ulimit -s</entry>
+ </row>
+ <row>
+ <entry>LimitCORE</entry>
+ <entry>ulimit -c</entry>
+ </row>
+ <row>
+ <entry>LimitRSS</entry>
+ <entry>ulimit -m</entry>
+ </row>
+ <row>
+ <entry>LimitNOFILE</entry>
+ <entry>ulimit -n</entry>
+ </row>
+ <row>
+ <entry>LimitAS</entry>
+ <entry>ulimit -v</entry>
+ </row>
+ <row>
+ <entry>LimitNPROC</entry>
+ <entry>ulimit -u</entry>
+ </row>
+ <row>
+ <entry>LimitMEMLOCK</entry>
+ <entry>ulimit -l</entry>
+ </row>
+ <row>
+ <entry>LimitLOCKS</entry>
+ <entry>ulimit -x</entry>
+ </row>
+ <row>
+ <entry>LimitSIGPENDING</entry>
+ <entry>ulimit -i</entry>
+ </row>
+ <row>
+ <entry>LimitMSGQUEUE</entry>
+ <entry>ulimit -q</entry>
+ </row>
+ <row>
+ <entry>LimitNICE</entry>
+ <entry>ulimit -e</entry>
+ </row>
+ <row>
+ <entry>LimitRTPRIO</entry>
+ <entry>ulimit -r</entry>
+ </row>
+ <row>
+ <entry>LimitRTTIME</entry>
+ <entry>No equivalent</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</varlistentry>
<varlistentry>
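Review bot: The new table is opened after the closing </para></listitem> and runs up to </varlistentry>, so it ends up as a direct child of the varlistentry instead of sitting inside the listitem, which is not valid there. Move the whole table block above </listitem> so it stays part of the Limit*= description. The title "Limit directives and their equivalent with ulimit" would also read better as "Limit directives and their ulimit equivalents".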
<varlistentry>
<term><varname>SecureBits=</varname></term>
<listitem><para>Controls the secure
- bits set for the executed process. See
- <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a list of strings:
+ bits set for the executed process.
+ Takes a space-separated combination of
+ options from the following list:
<option>keep-caps</option>,
<option>keep-caps-locked</option>,
<option>no-setuid-fixup</option>,
<option>no-setuid-fixup-locked</option>,
- <option>noroot</option> and/or
+ <option>noroot</option>, and
<option>noroot-locked</option>. This
option may appear more than once in
- which case the secure bits are
- ORed. If the empty string is assigned
- to this option, the bits are reset to
- 0.</para></listitem>
+ which case the secure bits are ORed.
+ If the empty string is assigned to
+ this option, the bits are reset to 0.
+ See <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details.</para></listitem>
</varlistentry>
<varlistentry>
attached to the executed file. Due to
that
<varname>CapabilityBoundingSet=</varname>
- is probably the much more useful
+ is probably a much more useful
setting.</para></listitem>
</varlistentry>
process. If set, this will override
the automated domain
transition. However, the policy still
- needs to autorize the transition. This
+ needs to authorize the transition. This
directive is ignored if SELinux is
disabled. If prefixed by
<literal>-</literal>, all errors will
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>SmackProcessLabel=</varname></term>
+
+ <listitem><para>Takes a
+ <option>SMACK64</option> security
+ label as argument. The process
+ executed by the unit will be started
+ under this label and SMACK will decide
+ whether the processes is allowed to
+ run or not based on it. The process
+ will continue to run under the label
+ specified here unless the executable
+ has its own
+ <option>SMACK64EXEC</option> label, in
+ which case the process will transition
+ to run under that label. When not
+ specified, the label that systemd is
+ running under is used. This directive
+ is ignored if SMACK is
+ disabled.</para>
+
+ <para>The value may be prefixed by
+ <literal>-</literal>, in which case
+ all errors will be ignored. An empty
+ value may be specified to unset
+ previous assignments.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>IgnoreSIGPIPE=</varname></term>
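Review bot: Typo in the new SmackProcessLabel= paragraph: "whether the processes is allowed to run" should be "whether the process is allowed to run". SMACK64 and SMACK64EXEC are also marked up with <option>, which the rest of this patch uses for setting values such as syslog or keep-caps; since these are label names, <literal> would be the closer fit.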
<term><varname>$PATH</varname></term>
<listitem><para>Colon-separated list
- of directiories to use when launching
+ of directories to use when launching
executables. Systemd uses a fixed
value of
<filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.