-<?xml version='1.0'?> <!--*-nxml-*-->
<?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
</refnamediv>
<refsynopsisdiv>
- <para><filename>systemd.service</filename>,
- <filename>systemd.socket</filename>,
- <filename>systemd.mount</filename>,
- <filename>systemd.swap</filename></para>
+ <para><filename><replaceable>service</replaceable>.service</filename>,
+ <filename><replaceable>socket</replaceable>.socket</filename>,
+ <filename><replaceable>mount</replaceable>.mount</filename>,
+ <filename><replaceable>swap</replaceable>.swap</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Unit configuration files for services, sockets,
- mount points and swap devices share a subset of
+ mount points, and swap devices share a subset of
configuration options which define the execution
environment of spawned processes.</para>
files, and
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
and
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on the specific unit
<refsect1>
<title>Options</title>
- <variablelist>
+ <variablelist class='unit-directives'>
<varlistentry>
<term><varname>WorkingDirectory=</varname></term>
<listitem><para>Takes an absolute
directory path. Sets the working
directory for executed processes. If
- not set defaults to the root directory
+ not set, defaults to the root directory
when systemd is running as a system
instance and the respective user's
home directory if run as
directory for executed processes, with
the
<citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- system call. If this is used it must
+ system call. If this is used, it must
be ensured that the process and all
its auxiliary files are available in
the <function>chroot()</function>
<listitem><para>Sets the supplementary
Unix groups the processes are executed
- as. This takes a space separated list
+ as. This takes a space-separated list
of group names or IDs. This option may
be specified more than once in which
case all listed groups are set as
- supplementary groups. This option does
- not override but extends the list of
- supplementary groups configured in the
- system group database for the
+ supplementary groups. When the empty
+ string is assigned the list of
+ supplementary groups is reset, and all
+ assignments prior to this one will
+ have no effect. In any way, this
+ option does not override, but extends
+ the list of supplementary groups
+ configured in the system group
+ database for the
user.</para></listitem>
</varlistentry>
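Review bot: "In any way, this option does not override, but extends" in the added text reads oddly; "In any case" (or simply "This option does not override but extends") is the intended sense. The new reset sentence also needs a comma after "assigned" ("When the empty string is assigned, the list of supplementary groups is reset") to match the comma style this patch introduces in the other entries.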
for this process) and 1000 (to make
killing of this process under memory
pressure very likely). See <ulink
- url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
+ url="https://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
for details.</para></listitem>
</varlistentry>
<term><varname>CPUSchedulingResetOnFork=</varname></term>
<listitem><para>Takes a boolean
- argument. If true elevated CPU
+ argument. If true, elevated CPU
scheduling priorities and policies
will be reset when the executed
processes fork, and can hence not leak
<listitem><para>Controls the CPU
affinity of the executed
processes. Takes a space-separated
- list of CPU indexes. See
+ list of CPU indexes. This option may
+ be specified more than once in which
+ case the specificed CPU affinity masks
+ are merged. If the empty string is
+ assigned, the mask is reset, all
+ assignments prior to this will have no
+ effect. See
<citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
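Review bot: typo on the added line "case the specificed CPU affinity masks"; it should read "specified". The next sentence, "the mask is reset, all assignments prior to this will have no effect", is a comma splice; "the mask is reset and all assignments prior to this will have no effect" reads cleanly and matches the SupplementaryGroups= wording in this patch.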
option may be specified more than once
in which case all listed variables
will be set. If the same variable is
- set twice the later setting will
- override the earlier setting. See
+ set twice, the later setting will
+ override the earlier setting. If the
+ empty string is assigned to this
+ option, the list of environment
+ variables is reset, all prior
+ assignments have no effect.
+ Variable expansion is not performed
+ inside the strings, however, specifier
+ expansion is possible. The $ character has
+ no special meaning.
+ If you need to assign a value containing spaces
+ to a variable, use double quotes (")
+ for the assignment.</para>
+
+ <para>Example:
+ <programlisting>Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"</programlisting>
+ gives three variables <literal>VAR1</literal>,
+ <literal>VAR2</literal>, <literal>VAR3</literal>.
+ </para>
+
+ <para>
+ See
<citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details.</para></listitem>
+ for details about environment variables.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>EnvironmentFile=</varname></term>
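Review bot: the added example paragraph says the assignment "gives three variables VAR1, VAR2, VAR3" but never states their values, which is the whole point of the quoting rule it illustrates; spelling out that VAR3 receives "word 5 6" with the embedded spaces would make the double-quote behaviour unambiguous. Since the text also states that specifier expansion is performed while "$" is inert, it should say how a literal percent sign is written, because a value containing "%" would otherwise be rewritten by specifier expansion and the paragraph offers no escape. Minor: "the list of environment variables is reset, all prior assignments have no effect" is a comma splice.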
<varname>Environment=</varname> but
reads the environment variables from a
text file. The text file should
- contain new-line separated variable
+ contain new-line-separated variable
assignments. Empty lines and lines
starting with ; or # will be ignored,
- which may be used for commenting. The
- parser strips leading and
- trailing whitespace from the values
+ which may be used for commenting. A line
+ ending with a backslash will be concatenated
+ with the following one, allowing multiline variable
+ definitions. The parser strips leading
+ and trailing whitespace from the values
of assignments, unless you use
- double quotes (").
- The
- argument passed should be an absolute
- file name, optionally prefixed with
- "-", which indicates that if the file
- does not exist it won't be read and no
- error or warning message is
- logged. The files listed with this
+ double quotes (").</para>
+
+ <para>The argument passed should be an
+ absolute filename or wildcard
+ expression, optionally prefixed with
+ <literal>-</literal>, which indicates
+ that if the file does not exist, it
+ will not be read and no error or warning
+ message is logged. This option may be
+ specified more than once in which case
+ all specified files are read. If the
+ empty string is assigned to this
+ option, the list of file to read is
+ reset, all prior assignments have no
+ effect.</para>
+
+ <para>The files listed with this
directive will be read shortly before
the process is executed. Settings from
these files override settings made
with
<varname>Environment=</varname>. If
the same variable is set twice from
- these files the files will be read in
+ these files, the files will be read in
the order they are specified and the
later setting will override the
- earlier setting. </para></listitem>
+ earlier setting.</para></listitem>
</varlistentry>
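Review bot: the added sentence "the list of file to read is reset" should read "files", and "reset, all prior assignments have no effect" is a comma splice. More substantively, the new "wildcard expression" support interacts with the existing rule that "the files will be read in the order they are specified and the later setting will override the earlier setting": the paragraph should state the order in which files matched by one wildcard are read, and whether a wildcard matching nothing is an error without the "-" prefix, since both decide which value wins for a variable set in several files.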
<varlistentry>
<option>tty-force</option>,
<option>tty-fail</option> or
<option>socket</option>. If
- <option>null</option> is selected
+ <option>null</option> is selected,
standard input will be connected to
<filename>/dev/null</filename>,
i.e. all read attempts by the process
will result in immediate EOF. If
- <option>tty</option> is selected
+ <option>tty</option> is selected,
standard input is connected to a TTY
(as configured by
<varname>TTYPath=</varname>, see
below) and the executed process
becomes the controlling process of the
terminal. If the terminal is already
- being controlled by another process the
+ being controlled by another process, the
executed process waits until the current
controlling process releases the
terminal.
file (see
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details) specifies a single socket
- only. If this option is set standard
+ only. If this option is set, standard
input will be connected to the socket
the service was activated from, which
is primarily useful for compatibility
<option>kmsg+console</option>,
<option>journal+console</option> or
<option>socket</option>. If set to
- <option>inherit</option> the file
+ <option>inherit</option>, the file
descriptor of standard input is
duplicated for standard output. If set
- to <option>null</option> standard
+ to <option>null</option>, standard
output will be connected to
<filename>/dev/null</filename>,
i.e. everything written to it will be
- lost. If set to <option>tty</option>
+ lost. If set to <option>tty</option>,
standard output will be connected to a
tty (as configured via
<varname>TTYPath=</varname>, see
below). If the TTY is used for output
- only the executed process will not
+ only, the executed process will not
become the controlling process of the
terminal, and will not fail or wait
for other processes to release the
with
<option>DefaultStandardOutput=</option>
in
- <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which defaults to
<option>journal</option>.</para></listitem>
</varlistentry>
setting defaults to the value set with
<option>DefaultStandardError=</option>
in
- <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
which defaults to
<option>inherit</option>.</para></listitem>
</varlistentry>
<listitem><para>If the terminal
device specified with
<varname>TTYPath=</varname> is a
- virtual console terminal try to
+ virtual console terminal, try to
deallocate the TTY before and after
execution. This ensures that the
screen and scrollback buffer is
<term><varname>SyslogIdentifier=</varname></term>
<listitem><para>Sets the process name
to prefix log lines sent to syslog or
- the kernel log buffer with. If not set
+ the kernel log buffer with. If not set,
defaults to the process name of the
executed process. This option is only
useful when
<varlistentry>
<term><varname>PAMName=</varname></term>
<listitem><para>Sets the PAM service
- name to set up a session as. If set
+ name to set up a session as. If set,
the executed process will be
registered as a PAM session under the
specified service name. This is only
useful in conjunction with the
<varname>User=</varname> setting. If
- not set no PAM session will be opened
+ not set, no PAM session will be opened
for the executed processes. See
<citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details.</para></listitem>
<varlistentry>
<term><varname>TCPWrapName=</varname></term>
<listitem><para>If this is a
- socket-activated service this sets the
+ socket-activated service, this sets the
tcpwrap service name to check the
permission for the current connection
with. This is only useful in
socket types (e.g. datagram/UDP) and
on processes unrelated to socket-based
activation. If the tcpwrap
- verification fails daemon start-up
+ verification fails, daemon start-up
will fail and the connection is
terminated. See
<citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
capability bounding set for the
executed process. See
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a whitespace
- separated list of capability names as
- read by
- <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ for details. Takes a whitespace-separated
+ list of capability names as read by
+ <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ e.g. <constant>CAP_SYS_ADMIN</constant>,
+ <constant>CAP_DAC_OVERRIDE</constant>,
+ <constant>CAP_SYS_PTRACE</constant>.
Capabilities listed will be included
in the bounding set, all others are
removed. If the list of capabilities
- is prefixed with ~ all but the listed
- capabilities will be included, the
- effect of the assignment
- inverted. Note that this option also
- effects the respective capabilities in
- the effective, permitted and
- inheritable capability sets, on top of
- what <varname>Capabilities=</varname>
- does. If this option is not used the
+ is prefixed with <literal>~</literal>,
+ all but the listed capabilities will
+ be included, the effect of the
+ assignment inverted. Note that this
+ option also affects the respective
+ capabilities in the effective,
+ permitted and inheritable capability
+ sets, on top of what
+ <varname>Capabilities=</varname>
+ does. If this option is not used, the
capability bounding set is not
modified on process execution, hence
no limits on the capabilities of the
- process are
- enforced.</para></listitem>
+ process are enforced. This option may
+ appear more than once in which case
+ the bounding sets are merged. If the
+ empty string is assigned to this
+ option, the bounding set is reset to
+ the empty capability set, and all
+ prior settings have no effect. If set
+ to <literal>~</literal> (without any
+ further argument), the bounding set is
+ reset to the full set of available
+ capabilities, also undoing any
+ previous settings.</para></listitem>
</varlistentry>
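Review bot: the added text says multiple CapabilityBoundingSet= lines are "merged" but does not define the merge when one line is plain and another is "~"-prefixed (is the inverted line intersected with, or unioned into, the set built so far?). The same paragraph defines the empty string as a reset to the empty set and a bare "~" as a reset to the full set, so the result of mixing the two forms is exactly what an administrator hardening a unit needs to predict; one sentence specifying the rule, ideally with a two-line example, would remove the ambiguity. The change from "effects" to "affects" is correct.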
<varlistentry>
<option>no-setuid-fixup</option>,
<option>no-setuid-fixup-locked</option>,
<option>noroot</option> and/or
- <option>noroot-locked</option>.
- </para></listitem>
+ <option>noroot-locked</option>. This
+ option may appear more than once in
+ which case the secure bits are
+ ORed. If the empty string is assigned
+ to this option, the bits are reset to
+ 0.</para></listitem>
</varlistentry>
<varlistentry>
setting.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><varname>ControlGroup=</varname></term>
-
- <listitem><para>Controls the control
- groups the executed processes shall be
- made members of. Takes a
- space-separated list of cgroup
- identifiers. A cgroup identifier has a
- format like
- <filename>cpu:/foo/bar</filename>,
- where "cpu" identifies the kernel
- control group controller used, and
- <filename>/foo/bar</filename> is the
- control group path. The controller
- name and ":" may be omitted in which
- case the named systemd control group
- hierarchy is implied. Alternatively,
- the path and ":" may be omitted, in
- which case the default control group
- path for this unit is implied. This
- option may be used to place executed
- processes in arbitrary groups in
- arbitrary hierarchies -- which can be
- configured externally with additional
- execution limits. By default systemd
- will place all executed processes in
- separate per-unit control groups
- (named after the unit) in the systemd
- named hierarchy. Since every process
- can be in one group per hierarchy only
- overriding the control group path in
- the named systemd hierarchy will
- disable automatic placement in the
- default group. This option is
- primarily intended to place executed
- processes in specific paths in
- specific kernel controller
- hierarchies. It is however not
- recommended to manipulate the service
- control group path in the systemd
- named hierarchy. For details about
- control groups see <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ControlGroupModify=</varname></term>
- <listitem><para>Takes a boolean
- argument. If true, the control groups
- created for this unit will be owned by
- the user specified with
- <varname>User=</varname> (and the
- appropriate group), and he/she can create
- subgroups as well as add processes to
- the group.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ControlGroupPersistent=</varname></term>
- <listitem><para>Takes a boolean
- argument. If true, the control groups
- created for this unit will be marked
- to be persistent, i.e. systemd will
- not remove them when stopping the
- unit. The default is false, meaning
- that the control groups will be
- removed when the unit is stopped. For
- details about the semantics of this
- logic see <ulink
- url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups">PaxControlGroups</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>ControlGroupAttribute=</varname></term>
-
- <listitem><para>Set a specific control
- group attribute for executed
- processes, and (if needed) add the
- executed processes to a cgroup in the
- hierarchy of the controller the
- attribute belongs to. Takes two
- space-separated arguments: the
- attribute name (syntax is
- <literal>cpu.shares</literal> where
- <literal>cpu</literal> refers to a
- specific controller and
- <literal>shares</literal> to the
- attribute name), and the attribute
- value. Example:
- <literal>ControlGroupAttribute=cpu.shares
- 512</literal>. If this option is used
- for an attribute that belongs to a
- kernel controller hierarchy the unit
- is not already configured to be added
- to (for example via the
- <literal>ControlGroup=</literal>
- option) then the unit will be added to
- the controller and the default unit
- cgroup path is implied. Thus, using
- <varname>ControlGroupAttribute=</varname>
- is in most case sufficient to make use
- of control group enforcements,
- explicit
- <varname>ControlGroup=</varname> are
- only necessary in case the implied
- default control group path for a
- service is not desirable. For details
- about control group attributes see
- <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>. This
- option may appear more than once, in
- order to set multiple control group
- attributes.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>CPUShares=</varname></term>
-
- <listitem><para>Assign the specified
- overall CPU time shares to the
- processes executed. Takes an integer
- value. This controls the
- <literal>cpu.shares</literal> control
- group attribute, which defaults to
- 1024. For details about this control
- group attribute see <ulink
- url="http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>MemoryLimit=</varname></term>
- <term><varname>MemorySoftLimit=</varname></term>
-
- <listitem><para>Limit the overall memory usage
- of the executed processes to a certain
- size. Takes a memory size in bytes. If
- the value is suffixed with K, M, G or
- T the specified memory size is parsed
- as Kilobytes, Megabytes, Gigabytes,
- or Terabytes (to the base
- 1024), respectively. This controls the
- <literal>memory.limit_in_bytes</literal>
- and
- <literal>memory.soft_limit_in_bytes</literal>
- control group attributes. For details
- about these control group attributes
- see <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>DeviceAllow=</varname></term>
- <term><varname>DeviceDeny=</varname></term>
-
- <listitem><para>Control access to
- specific device nodes by the executed processes. Takes two
- space separated strings: a device node
- path (such as
- <filename>/dev/null</filename>)
- followed by a combination of r, w, m
- to control reading, writing, or
- creating of the specific device node
- by the unit, respectively. This controls the
- <literal>devices.allow</literal>
- and
- <literal>devices.deny</literal>
- control group attributes. For details
- about these control group attributes
- see <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>BlockIOWeight=</varname></term>
-
- <listitem><para>Set the default or
- per-device overall block IO weight
- value for the executed
- processes. Takes either a single
- weight value (between 10 and 1000) to
- set the default block IO weight, or a
- space separated pair of a file path
- and a weight value to specify the
- device specific weight value (Example:
- "/dev/sda 500"). The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is
- determined. This controls the
- <literal>blkio.weight</literal> and
- <literal>blkio.weight_device</literal>
- control group attributes, which
- default to 1000. Use this option
- multiple times to set weights for
- multiple devices. For details about
- these control group attributes see
- <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>BlockIOReadBandwidth=</varname></term>
- <term><varname>BlockIOWriteBandwidth=</varname></term>
-
- <listitem><para>Set the per-device
- overall block IO bandwidth limit for
- the executed processes. Takes a space
- separated pair of a file path and a
- bandwidth value (in bytes per second)
- to specify the device specific
- bandwidth. The file path may be
- specified as path to a block device
- node or as any other file in which
- case the backing block device of the
- file system of the file is determined.
- If the bandwidth is suffixed with K, M,
- G, or T the specified bandwidth is
- parsed as Kilobytes, Megabytes,
- Gigabytes, or Terabytes, respectively (Example:
- "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
- 5M"). This controls the
- <literal>blkio.read_bps_device</literal>
- and
- <literal>blkio.write_bps_device</literal>
- control group attributes. Use this
- option multiple times to set bandwidth
- limits for multiple devices. For
- details about these control group
- attributes see <ulink
- url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
- </varlistentry>
-
<varlistentry>
<term><varname>ReadWriteDirectories=</varname></term>
<term><varname>ReadOnlyDirectories=</varname></term>
<term><varname>InaccessibleDirectories=</varname></term>
<listitem><para>Sets up a new
- file-system name space for executed
+ file system namespace for executed
processes. These options may be used
to limit access a process might have
- to the main file-system
+ to the main file system
hierarchy. Each setting takes a
space-separated list of absolute
directory paths. Directories listed in
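Review bot: the removal of the cgroup directives (ControlGroup= through BlockIOWriteBandwidth=, including CPUShares=, MemoryLimit=/MemorySoftLimit= and DeviceAllow=/DeviceDeny=) leaves no cross-reference to where they are now documented, even though the See Also hunk adds systemd.cgroup(5). Readers with existing units using MemoryLimit= or DeviceAllow= will look on this page first, so the Options section or the Description should carry a one-line pointer to systemd.cgroup(5) for resource control and device access settings.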
usual file access controls would
permit this. Directories listed in
<varname>InaccessibleDirectories=</varname>
- will be made inaccessible for processes
- inside the namespace. Note that
- restricting access with these options
- does not extend to submounts of a
- directory. You must list submounts
- separately in these settings to
- ensure the same limited access. These
- options may be specified more than
- once in which case all directories
- listed will have limited access from
- within the
- namespace.</para></listitem>
+ will be made inaccessible for
+ processes inside the namespace. Note
+ that restricting access with these
+ options does not extend to submounts
+ of a directory. You must list
+ submounts separately in these settings
+ to ensure the same limited
+ access. These options may be specified
+ more than once in which case all
+ directories listed will have limited
+ access from within the namespace. If
+ the empty string is assigned to this
+ option, the specific list is reset, and
+ all prior assignments have no
+ effect.</para>
+ <para>Paths in
+ <varname>ReadOnlyDirectories=</varname>
+ and
+ <varname>InaccessibleDirectories=</varname>
+ may be prefixed with
+ <literal>-</literal>, in which case
+ they will be ignored when they do not
+ exist.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>PrivateTmp=</varname></term>
<listitem><para>Takes a boolean
- argument. If true sets up a new file
+ argument. If true, sets up a new file
system namespace for the executed
- processes and mounts a private
- <filename>/tmp</filename> directory
- inside it, that is not shared by
+ processes and mounts private
+ <filename>/tmp</filename> and
+ <filename>/var/tmp</filename> directories
+ inside it, that are not shared by
processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
- <filename>/tmp</filename>
- impossible. Defaults to
+ <filename>/tmp</filename> or
+ <filename>/var/tmp</filename>
+ impossible. All temporary data created
+ by service will be removed after service
+ is stopped. Defaults to
false.</para></listitem>
</varlistentry>
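Review bot: the new "-" prefix paragraph covers ReadOnlyDirectories= and InaccessibleDirectories= but not ReadWriteDirectories=; if that omission is intentional, say so, otherwise the asymmetry will read as an oversight. It is also worth stating that a "-"-prefixed InaccessibleDirectories= path that does not exist is skipped silently, so a mistyped path weakens the lockdown without any log line. "the specific list is reset" is better as "the respective list is reset". In the PrivateTmp= hunk, "All temporary data created by service will be removed after service is stopped" needs articles: "created by the service ... after the service is stopped".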
<term><varname>PrivateNetwork=</varname></term>
<listitem><para>Takes a boolean
- argument. If true sets up a new
+ argument. If true, sets up a new
network namespace for the executed
processes and configures only the
loopback network device
namespace set up for this unit's
processes will receive or propagate
new mounts. See
- <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
for details. Default to
<option>shared</option>.</para></listitem>
</varlistentry>
entries must be created and cleared
before and after execution. If the
configured string is longer than four
- characters it is truncated and the
+ characters, it is truncated and the
terminal four characters are
used. This setting interprets %I style
string replacements. This setting is
<term><varname>IgnoreSIGPIPE=</varname></term>
<listitem><para>Takes a boolean
- argument. If true causes SIGPIPE to be
+ argument. If true, causes <constant>SIGPIPE</constant> to be
ignored in the executed
- process. Defaults to true, since
- SIGPIPE generally is useful only in
+ process. Defaults to true because
+ <constant>SIGPIPE</constant> generally is useful only in
shell pipelines.</para></listitem>
</varlistentry>
<term><varname>NoNewPrivileges=</varname></term>
<listitem><para>Takes a boolean
- argument. If true ensures that the
+ argument. If true, ensures that the
service process and all its children
can never gain new privileges. This
option is more powerful than the respective
<varlistentry>
<term><varname>SystemCallFilter=</varname></term>
- <listitem><para>Takes a space
- separated list of system call
- names. If this setting is used all
+ <listitem><para>Takes a space-separated
+ list of system call
+ names. If this setting is used, all
system calls executed by the unit
process except for the listed ones
will result in immediate process
- termination with the SIGSYS signal
+ termination with the
+ <constant>SIGSYS</constant> signal
(whitelisting). If the first character
- of the list is <literal>~</literal>
+ of the list is <literal>~</literal>,
the effect is inverted: only the
listed system calls will result in
immediate process termination
- (blacklisting). If this option is used
+ (blacklisting). If this option is used,
<varname>NoNewPrivileges=yes</varname>
is implied. This feature makes use of
the Secure Computing Mode 2 interfaces
<function>sigreturn</function>,
<function>exit_group</function>,
<function>exit</function> system calls
- are implicitly whitelisted and don't
- need to be listed
- explicitly.</para></listitem>
+ are implicitly whitelisted and do not
+ need to be listed explicitly. This
+ option may be specified more than once
+ in which case the filter masks are
+ merged. If the empty string is
+ assigned, the filter is reset, all
+ prior assignments will have no
+ effect.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
+ <refsect1>
+ <title>Environment variables in spawned processes</title>
+
+ <para>Processes started by the system are executed in
+ a clean environment in which select variables
+ listed below are set. System processes started by systemd
+ do not inherit variables from PID 1, but processes
+ started by user systemd instances inherit all
+ environment variables from the user systemd instance.
+ </para>
+
+ <variablelist class='environment-variables'>
+ <varlistentry>
+ <term><varname>$PATH</varname></term>
+
+ <listitem><para>Colon-separated list
+ of directiories to use when launching
+ executables. Systemd uses a fixed
+ value of
+ <filename>/usr/local/sbin</filename>:<filename>/usr/local/bin</filename>:<filename>/usr/sbin</filename>:<filename>/usr/bin</filename>:<filename>/sbin</filename>:<filename>/bin</filename>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$LANG</varname></term>
+
+ <listitem><para>Locale. Can be set in
+ <citerefentry><refentrytitle>locale.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ or on the kernel command line (see
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$USER</varname></term>
+ <term><varname>$HOME</varname></term>
+
+ <listitem><para>User name and home
+ directory. Set for the units which
+ have <varname>User=</varname> set,
+ which includes user
+ <command>systemd</command> instances.
+ See
+ <citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$XDG_RUNTIME_DIR</varname></term>
+
+ <listitem><para>The directory for volatile
+ state. Set for the user <command>systemd</command>
+ instance, and also in user sessions.
+ See
+ <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$XDG_SESSION_ID</varname></term>
+ <term><varname>$XDG_SEAT</varname></term>
+ <term><varname>$XDG_VTNR</varname></term>
+
+ <listitem><para>The identifier of the
+ session, and the seat name, and
+ virtual terminal of the session. Set
+ by
+ <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for login sessions.
+ <varname>$XDG_SEAT</varname> and
+ <varname>$XDG_VTNR</varname> will be
+ only set when attached to a seat and a
+ tty.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$MANAGERPID</varname></term>
+
+ <listitem><para>The PID of the user
+ <command>systemd</command> instance,
+ set for processes spawned by it.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$LISTEN_FDS</varname></term>
+ <term><varname>$LISTEN_PID</varname></term>
+
+ <listitem><para>Information about file
+ descriptors passed to a service for
+ socket activation. See
+ <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>Additional variables may be configured by the
+ following means: for processes spawned in specific
+ units, use the <varname>Environment=</varname> and
+ <varname>EnvironmentFile=</varname> options above; to
+ specify variables globally, use
+ <varname>DefaultEnvironment=</varname> (see
+ <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+ or the kernel option
+ <varname>systemd.setenv=</varname> (see
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Additional
+ variables may also be set through PAM,
+ c.f. <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ </refsect1>
+
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.cgroup</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
</para>
</refsect1>
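Review bot: in the SystemCallFilter= hunk, "the filter masks are merged" does not say what happens when a later line uses the "~" (blacklist) prefix and an earlier one does not; since the setting implies NoNewPrivileges=yes and terminates the process with SIGSYS on a mismatch, the combination rule should be explicit, as requested for CapabilityBoundingSet=. "the filter is reset, all prior assignments will have no effect" is a comma splice. In the new "Environment variables in spawned processes" section: "directiories" should be "directories", "Systemd uses a fixed value" should use lowercase "systemd" as elsewhere on the page, and "c.f." should be "cf.".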