1SYSTEMD.EXEC(5) systemd.exec SYSTEMD.EXEC(5)
2
3
4
6 systemd.exec - Execution environment configuration
7
9 service.service, socket.socket, mount.mount, swap.swap
10
12 Unit configuration files for services, sockets, mount points, and swap
13 devices share a subset of configuration options which define the
14 execution environment of spawned processes.
15
16 This man page lists the configuration options shared by these four unit
17 types. See systemd.unit(5) for the common options of all unit
18 configuration files, and systemd.service(5), systemd.socket(5),
19 systemd.swap(5), and systemd.mount(5) for more information on the
20 specific unit configuration files. The execution specific configuration
21 options are configured in the [Service], [Socket], [Mount], or [Swap]
22 sections, depending on the unit type.
23
24 In addition, options which control resources through Linux Control
25 Groups (cgroups) are listed in systemd.resource-control(5). Those
26 options complement options listed here.
27
29 A few execution parameters result in additional, automatic dependencies
30 to be added:
31
32 · Units with WorkingDirectory=, RootDirectory=, RootImage=,
33 RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=
34 or ConfigurationDirectory= set automatically gain dependencies of
35 type Requires= and After= on all mount units required to access the
36 specified paths. This is equivalent to having them listed
37 explicitly in RequiresMountsFor=.
38
39 · Similar, units with PrivateTmp= enabled automatically get mount
40 unit dependencies for all mounts required to access /tmp and
41 /var/tmp. They will also gain an automatic After= dependency on
42 systemd-tmpfiles-setup.service(8).
43
44 · Units whose standard output or error output is connected to
45 journal, syslog or kmsg (or their combinations with console output,
46 see below) automatically acquire dependencies of type After= on
47 systemd-journald.socket.
48
50 The following settings may be used to change a service's view of the
51 filesystem. Please note that the paths must be absolute and must not
52 contain a ".." path component.
53
54 WorkingDirectory=
55 Takes a directory path relative to the service's root directory
56 specified by RootDirectory=, or the special value "~". Sets the
57 working directory for executed processes. If set to "~", the home
58 directory of the user specified in User= is used. If not set,
59 defaults to the root directory when systemd is running as a system
60 instance and the respective user's home directory if run as user.
61 If the setting is prefixed with the "-" character, a missing
62 working directory is not considered fatal. If
63 RootDirectory=/RootImage= is not set, then WorkingDirectory= is
64 relative to the root of the system running the service manager.
65 Note that setting this parameter might result in additional
66 dependencies to be added to the unit (see above).
67
68 RootDirectory=
69 Takes a directory path relative to the host's root directory (i.e.
70 the root of the system running the service manager). Sets the root
71 directory for executed processes, with the chroot(2) system call.
72 If this is used, it must be ensured that the process binary and all
73 its auxiliary files are available in the chroot() jail. Note that
74 setting this parameter might result in additional dependencies to
75 be added to the unit (see above).
76
77 The MountAPIVFS= and PrivateUsers= settings are particularly useful
78 in conjunction with RootDirectory=. For details, see below.
79
80 This option is only available for system services and is not
81 supported for services running in per-user instances of the service
82 manager.
83
84 RootImage=
85 Takes a path to a block device node or regular file as argument.
86 This call is similar to RootDirectory= however mounts a file system
87 hierarchy from a block device node or loopback file instead of a
88 directory. The device node or file system image file needs to
89 contain a file system without a partition table, or a file system
90 within an MBR/MS-DOS or GPT partition table with only a single
91 Linux-compatible partition, or a set of file systems within a GPT
92 partition table that follows the Discoverable Partitions
93 Specification[1].
94
95 When DevicePolicy= is set to "closed" or "strict", or set to "auto"
96 and DeviceAllow= is set, then this setting adds /dev/loop-control
97 with rw mode, "block-loop" and "block-blkext" with rwm mode to
98 DeviceAllow=. See systemd.resource-control(5) for the details about
99 DevicePolicy= or DeviceAllow=. Also, see PrivateDevices= below, as
100 it may change the setting of DevicePolicy=.
101
102 This option is only available for system services and is not
103 supported for services running in per-user instances of the service
104 manager.
105
106 MountAPIVFS=
107 Takes a boolean argument. If on, a private mount namespace for the
108 unit's processes is created and the API file systems /proc, /sys,
109 and /dev are mounted inside of it, unless they are already mounted.
110 Note that this option has no effect unless used in conjunction with
111 RootDirectory=/RootImage= as these three mounts are generally
112 mounted in the host anyway, and unless the root directory is
113 changed, the private mount namespace will be a 1:1 copy of the
114 host's, and include these three mounts. Note that the /dev file
115 system of the host is bind mounted if this option is used without
116 PrivateDevices=. To run the service with a private, minimal version
117 of /dev/, combine this option with PrivateDevices=.
118
119 This option is only available for system services and is not
120 supported for services running in per-user instances of the service
121 manager.
122
123 BindPaths=, BindReadOnlyPaths=
124 Configures unit-specific bind mounts. A bind mount makes a
125 particular file or directory available at an additional place in
126 the unit's view of the file system. Any bind mounts created with
127 this option are specific to the unit, and are not visible in the
128 host's mount table. This option expects a whitespace separated list
129 of bind mount definitions. Each definition consists of a
130 colon-separated triple of source path, destination path and option
131 string, where the latter two are optional. If only a source path is
132 specified the source and destination is taken to be the same. The
133 option string may be either "rbind" or "norbind" for configuring a
134 recursive or non-recursive bind mount. If the destination path is
135 omitted, the option string must be omitted too. Each bind mount
136 definition may be prefixed with "-", in which case it will be
137 ignored when its source path does not exist.
138
139 BindPaths= creates regular writable bind mounts (unless the source
140 file system mount is already marked read-only), while
141 BindReadOnlyPaths= creates read-only bind mounts. These settings
142 may be used more than once, each usage appends to the unit's list
143 of bind mounts. If the empty string is assigned to either of these
144 two options the entire list of bind mounts defined prior to this is
145 reset. Note that in this case both read-only and regular bind
146 mounts are reset, regardless which of the two settings is used.
147
148 This option is particularly useful when RootDirectory=/RootImage=
149 is used. In this case the source path refers to a path on the host
150 file system, while the destination path refers to a path below the
151 root directory of the unit.
152
153 Note that the destination directory must exist or systemd must be
154 able to create it. Thus, it is not possible to use those options
155 for mount points nested underneath paths specified in
156 InaccessiblePaths=, or under /home/ and other protected directories
157 if ProtectHome=yes is specified. TemporaryFileSystem= with ":ro"
158 or ProtectHome=tmpfs should be used instead.
159
160 This option is only available for system services and is not
161 supported for services running in per-user instances of the service
162 manager.
163
165 These options are only available for system services and are not
166 supported for services running in per-user instances of the service
167 manager.
168
169 User=, Group=
170 Set the UNIX user or group that the processes are executed as,
171 respectively. Takes a single user or group name, or a numeric ID as
172 argument. For system services (services run by the system service
173 manager, i.e. managed by PID 1) and for user services of the root
174 user (services managed by root's instance of systemd --user), the
175 default is "root", but User= may be used to specify a different
176 user. For user services of any other user, switching user identity
177 is not permitted, hence the only valid setting is the same user the
178 user's service manager is running as. If no group is set, the
179 default group of the user is used. This setting does not affect
180 commands whose command line is prefixed with "+".
181
182 Note that restrictions on the user/group name syntax are enforced:
183 the specified name must consist only of the characters a-z, A-Z,
184 0-9, "_" and "-", except for the first character which must be one
185 of a-z, A-Z or "_" (i.e. numbers and "-" are not permitted as first
186 character). The user/group name must have at least one character,
187 and at most 31. These restrictions are enforced in order to avoid
188 ambiguities and to ensure user/group names and unit files remain
189 portable among Linux systems.
190
191 When used in conjunction with DynamicUser= the user/group name
192 specified is dynamically allocated at the time the service is
193 started, and released at the time the service is stopped — unless
194 it is already allocated statically (see below). If DynamicUser= is
195 not used the specified user and group must have been created
196 statically in the user database no later than the moment the
197 service is started, for example using the sysusers.d(5) facility,
198 which is applied at boot or package install time.
199
200 DynamicUser=
201 Takes a boolean parameter. If set, a UNIX user and group pair is
202 allocated dynamically when the unit is started, and released as
203 soon as it is stopped. The user and group will not be added to
204 /etc/passwd or /etc/group, but are managed transiently during
205 runtime. The nss-systemd(8) glibc NSS module provides integration
206 of these dynamic users/groups into the system's user and group
207 databases. The user and group name to use may be configured via
208 User= and Group= (see above). If these options are not used and
209 dynamic user/group allocation is enabled for a unit, the name of
210 the dynamic user/group is implicitly derived from the unit name. If
211 the unit name without the type suffix qualifies as valid user name
212 it is used directly, otherwise a name incorporating a hash of it is
213 used. If a statically allocated user or group of the configured
214 name already exists, it is used and no dynamic user/group is
215 allocated. Note that if User= is specified and the static group
216 with the name exists, then it is required that the static user with
217 the name already exists. Similarly, if Group= is specified and the
218 static user with the name exists, then it is required that the
219 static group with the name already exists. Dynamic users/groups are
220 allocated from the UID/GID range 61184...65519. It is recommended
221 to avoid this range for regular system or login users. At any point
222 in time each UID/GID from this range is only assigned to zero or
223 one dynamically allocated users/groups in use. However, UID/GIDs
224 are recycled after a unit is terminated. Care should be taken that
225 any processes running as part of a unit for which dynamic
226 users/groups are enabled do not leave files or directories owned by
227 these users/groups around, as a different unit might get the same
228 UID/GID assigned later on, and thus gain access to these files or
229 directories. If DynamicUser= is enabled, RemoveIPC=, PrivateTmp=
230 are implied. This ensures that the lifetime of IPC objects and
231 temporary files created by the executed processes is bound to the
232 runtime of the service, and hence the lifetime of the dynamic
233 user/group. Since /tmp and /var/tmp are usually the only
234 world-writable directories on a system this ensures that a unit
235 making use of dynamic user/group allocation cannot leave files
236 around after unit termination. Moreover ProtectSystem=strict and
237 ProtectHome=read-only are implied, thus prohibiting the service to
238 write to arbitrary file system locations. In order to allow the
239 service to write to certain directories, they have to be
240 whitelisted using ReadWritePaths=, but care must be taken so that
241 UID/GID recycling doesn't create security issues involving files
242 created by the service. Use RuntimeDirectory= (see below) in order
243 to assign a writable runtime directory to a service, owned by the
244 dynamic user/group and removed automatically when the unit is
245 terminated. Use StateDirectory=, CacheDirectory= and LogsDirectory=
246 in order to assign a set of writable directories for specific
247 purposes to the service in a way that they are protected from
248 vulnerabilities due to UID reuse (see below). If this option is
249 enabled, care should be taken that the unit's processes do not get
250 access to directories outside of these explicitly configured and
251 managed ones. Specifically, do not use BindPaths= and be careful
252 with AF_UNIX file descriptor passing for directory file
253 descriptors, as this would permit processes to create files or
254 directories owned by the dynamic user/group that are not subject to
255 the life-cycle and access guarantees of the service. Defaults to
256 off.
257
258 SupplementaryGroups=
259 Sets the supplementary Unix groups the processes are executed as.
260 This takes a space-separated list of group names or IDs. This
261 option may be specified more than once, in which case all listed
262 groups are set as supplementary groups. When the empty string is
263 assigned, the list of supplementary groups is reset, and all
264 assignments prior to this one will have no effect. In any way, this
265 option does not override, but extends the list of supplementary
266 groups configured in the system group database for the user. This
267 does not affect commands prefixed with "+".
268
269 PAMName=
270 Sets the PAM service name to set up a session as. If set, the
271 executed process will be registered as a PAM session under the
272 specified service name. This is only useful in conjunction with the
273 User= setting, and is otherwise ignored. If not set, no PAM session
274 will be opened for the executed processes. See pam(8) for details.
275
276 Note that for each unit making use of this option a PAM session
277 handler process will be maintained as part of the unit and stays
278 around as long as the unit is active, to ensure that appropriate
279 actions can be taken when the unit and hence the PAM session
280 terminates. This process is named "(sd-pam)" and is an immediate
281 child process of the unit's main process.
282
283 Note that when this option is used for a unit it is very likely
284 (depending on PAM configuration) that the main unit process will be
285 migrated to its own session scope unit when it is activated. This
286 process will hence be associated with two units: the unit it was
287 originally started from (and for which PAMName= was configured),
288 and the session scope unit. Any child processes of that process
289 will however be associated with the session scope unit only. This
290 has implications when used in combination with NotifyAccess=all, as
291 these child processes will not be able to affect changes in the
292 original unit through notification messages. These messages will be
293 considered belonging to the session scope unit and not the original
294 unit. It is hence not recommended to use PAMName= in combination
295 with NotifyAccess=all.
296
298 These options are only available for system services and are not
299 supported for services running in per-user instances of the service
300 manager.
301
302 CapabilityBoundingSet=
303 Controls which capabilities to include in the capability bounding
304 set for the executed process. See capabilities(7) for details.
305 Takes a whitespace-separated list of capability names, e.g.
306 CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Capabilities
307 listed will be included in the bounding set, all others are
308 removed. If the list of capabilities is prefixed with "~", all but
309 the listed capabilities will be included, the effect of the
310 assignment inverted. Note that this option also affects the
311 respective capabilities in the effective, permitted and inheritable
312 capability sets. If this option is not used, the capability
313 bounding set is not modified on process execution, hence no limits
314 on the capabilities of the process are enforced. This option may
315 appear more than once, in which case the bounding sets are merged
316 by OR, or by AND if the lines are prefixed with "~" (see below). If
317 the empty string is assigned to this option, the bounding set is
318 reset to the empty capability set, and all prior settings have no
319 effect. If set to "~" (without any further argument), the bounding
320 set is reset to the full set of available capabilities, also
321 undoing any previous settings. This does not affect commands
322 prefixed with "+".
323
324 Example: if a unit has the following,
325
326 CapabilityBoundingSet=CAP_A CAP_B
327 CapabilityBoundingSet=CAP_B CAP_C
328
329 then CAP_A, CAP_B, and CAP_C are set. If the second line is
330 prefixed with "~", e.g.,
331
332 CapabilityBoundingSet=CAP_A CAP_B
333 CapabilityBoundingSet=~CAP_B CAP_C
334
335 then, only CAP_A is set.
336
337 AmbientCapabilities=
338 Controls which capabilities to include in the ambient capability
339 set for the executed process. Takes a whitespace-separated list of
340 capability names, e.g. CAP_SYS_ADMIN, CAP_DAC_OVERRIDE,
341 CAP_SYS_PTRACE. This option may appear more than once in which case
342 the ambient capability sets are merged (see the above examples in
343 CapabilityBoundingSet=). If the list of capabilities is prefixed
344 with "~", all but the listed capabilities will be included, the
345 effect of the assignment inverted. If the empty string is assigned
346 to this option, the ambient capability set is reset to the empty
347 capability set, and all prior settings have no effect. If set to
348 "~" (without any further argument), the ambient capability set is
349 reset to the full set of available capabilities, also undoing any
350 previous settings. Note that adding capabilities to ambient
351 capability set adds them to the process's inherited capability set.
352
353 Ambient capability sets are useful if you want to execute a process
354 as a non-privileged user but still want to give it some
355 capabilities. Note that in this case option keep-caps is
356 automatically added to SecureBits= to retain the capabilities over
357 the user change. AmbientCapabilities= does not affect commands
358 prefixed with "+".
359
361 NoNewPrivileges=
362 Takes a boolean argument. If true, ensures that the service process
363 and all its children can never gain new privileges through execve()
364 (e.g. via setuid or setgid bits, or filesystem capabilities). This
365 is the simplest and most effective way to ensure that a process and
366 its children can never elevate privileges again. Defaults to false,
367 but certain settings override this and ignore the value of this
368 setting. This is the case when SystemCallFilter=,
369 SystemCallArchitectures=, RestrictAddressFamilies=,
370 RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=,
371 ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=,
372 RestrictSUIDSGID= or LockPersonality= are specified. Note that even
373 if this setting is overridden by them, systemctl show shows the
374 original value of this setting. Also see No New Privileges Flag[2].
375
376 SecureBits=
377 Controls the secure bits set for the executed process. Takes a
378 space-separated combination of options from the following list:
379 keep-caps, keep-caps-locked, no-setuid-fixup,
380 no-setuid-fixup-locked, noroot, and noroot-locked. This option may
381 appear more than once, in which case the secure bits are ORed. If
382 the empty string is assigned to this option, the bits are reset to
383 0. This does not affect commands prefixed with "+". See
384 capabilities(7) for details.
385
387 These options are only available for system services and are not
388 supported for services running in per-user instances of the service
389 manager.
390
391 SELinuxContext=
392 Set the SELinux security context of the executed process. If set,
393 this will override the automated domain transition. However, the
394 policy still needs to authorize the transition. This directive is
395 ignored if SELinux is disabled. If prefixed by "-", all errors will
396 be ignored. This does not affect commands prefixed with "+". See
397 setexeccon(3) for details.
398
399 AppArmorProfile=
400 Takes a profile name as argument. The process executed by the unit
401 will switch to this profile when started. Profiles must already be
402 loaded in the kernel, or the unit will fail. This result in a non
403 operation if AppArmor is not enabled. If prefixed by "-", all
404 errors will be ignored. This does not affect commands prefixed with
405 "+".
406
407 SmackProcessLabel=
408 Takes a SMACK64 security label as argument. The process executed by
409 the unit will be started under this label and SMACK will decide
410 whether the process is allowed to run or not, based on it. The
411 process will continue to run under the label specified here unless
412 the executable has its own SMACK64EXEC label, in which case the
413 process will transition to run under that label. When not
414 specified, the label that systemd is running under is used. This
415 directive is ignored if SMACK is disabled.
416
417 The value may be prefixed by "-", in which case all errors will be
418 ignored. An empty value may be specified to unset previous
419 assignments. This does not affect commands prefixed with "+".
420
422 LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=,
423 LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=,
424 LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=,
425 LimitRTTIME=
426 Set soft and hard limits on various resources for executed
427 processes. See setrlimit(2) for details on the resource limit
428 concept. Resource limits may be specified in two formats: either as
429 single value to set a specific soft and hard limit to the same
430 value, or as colon-separated pair soft:hard to set both limits
431 individually (e.g. "LimitAS=4G:16G"). Use the string infinity to
432 configure no limit on a specific resource. The multiplicative
433 suffixes K, M, G, T, P and E (to the base 1024) may be used for
434 resource limits measured in bytes (e.g. LimitAS=16G). For the
435 limits referring to time values, the usual time units ms, s, min, h
436 and so on may be used (see systemd.time(7) for details). Note that
437 if no time unit is specified for LimitCPU= the default unit of
438 seconds is implied, while for LimitRTTIME= the default unit of
439 microseconds is implied. Also, note that the effective granularity
440 of the limits might influence their enforcement. For example, time
441 limits specified for LimitCPU= will be rounded up implicitly to
442 multiples of 1s. For LimitNICE= the value may be specified in two
443 syntaxes: if prefixed with "+" or "-", the value is understood as
444 regular Linux nice value in the range -20..19. If not prefixed like
445 this the value is understood as raw resource limit parameter in the
446 range 0..40 (with 0 being equivalent to 1).
447
448 Note that most process resource limits configured with these
449 options are per-process, and processes may fork in order to acquire
450 a new set of resources that are accounted independently of the
451 original process, and may thus escape limits set. Also note that
452 LimitRSS= is not implemented on Linux, and setting it has no
453 effect. Often it is advisable to prefer the resource controls
454 listed in systemd.resource-control(5) over these per-process
455 limits, as they apply to services as a whole, may be altered
456 dynamically at runtime, and are generally more expressive. For
457 example, MemoryLimit= is a more powerful (and working) replacement
458 for LimitRSS=.
459
460 For system units these resource limits may be chosen freely. For
461 user units however (i.e. units run by a per-user instance of
462 systemd(1)), these limits are bound by (possibly more restrictive)
463 per-user limits enforced by the OS.
464
465 Resource limits not configured explicitly for a unit default to the
466 value configured in the various DefaultLimitCPU=,
467 DefaultLimitFSIZE=, ... options available in systemd-
468 system.conf(5), and – if not configured there – the kernel or
469 per-user defaults, as defined by the OS (the latter only for user
470 services, see above).
471
472 Table 1. Resource limit directives, their equivalent ulimit shell
473 commands and the unit used
474 ┌─────────────────┬───────────────────┬─────────────────────┐
475 │Directive │ ulimit equivalent │ Unit │
476 ├─────────────────┼───────────────────┼─────────────────────┤
477 │LimitCPU= │ ulimit -t │ Seconds │
478 ├─────────────────┼───────────────────┼─────────────────────┤
479 │LimitFSIZE= │ ulimit -f │ Bytes │
480 ├─────────────────┼───────────────────┼─────────────────────┤
481 │LimitDATA= │ ulimit -d │ Bytes │
482 ├─────────────────┼───────────────────┼─────────────────────┤
483 │LimitSTACK= │ ulimit -s │ Bytes │
484 ├─────────────────┼───────────────────┼─────────────────────┤
485 │LimitCORE= │ ulimit -c │ Bytes │
486 ├─────────────────┼───────────────────┼─────────────────────┤
487 │LimitRSS= │ ulimit -m │ Bytes │
488 ├─────────────────┼───────────────────┼─────────────────────┤
489 │LimitNOFILE= │ ulimit -n │ Number of File │
490 │ │ │ Descriptors │
491 ├─────────────────┼───────────────────┼─────────────────────┤
492 │LimitAS= │ ulimit -v │ Bytes │
493 ├─────────────────┼───────────────────┼─────────────────────┤
494 │LimitNPROC= │ ulimit -u │ Number of Processes │
495 ├─────────────────┼───────────────────┼─────────────────────┤
496 │LimitMEMLOCK= │ ulimit -l │ Bytes │
497 ├─────────────────┼───────────────────┼─────────────────────┤
498 │LimitLOCKS= │ ulimit -x │ Number of Locks │
499 ├─────────────────┼───────────────────┼─────────────────────┤
500 │LimitSIGPENDING= │ ulimit -i │ Number of Queued │
501 │ │ │ Signals │
502 ├─────────────────┼───────────────────┼─────────────────────┤
503 │LimitMSGQUEUE= │ ulimit -q │ Bytes │
504 ├─────────────────┼───────────────────┼─────────────────────┤
505 │LimitNICE= │ ulimit -e │ Nice Level │
506 ├─────────────────┼───────────────────┼─────────────────────┤
507 │LimitRTPRIO= │ ulimit -r │ Realtime Priority │
508 ├─────────────────┼───────────────────┼─────────────────────┤
509 │LimitRTTIME= │ No equivalent │ Microseconds │
510 └─────────────────┴───────────────────┴─────────────────────┘
511
512 UMask=
513 Controls the file mode creation mask. Takes an access mode in octal
514 notation. See umask(2) for details. Defaults to 0022.
515
516 KeyringMode=
517 Controls how the kernel session keyring is set up for the service
518 (see session-keyring(7) for details on the session keyring). Takes
519 one of inherit, private, shared. If set to inherit no special
520 keyring setup is done, and the kernel's default behaviour is
521 applied. If private is used a new session keyring is allocated when
522 a service process is invoked, and it is not linked up with any user
523 keyring. This is the recommended setting for system services, as
524 this ensures that multiple services running under the same system
525 user ID (in particular the root user) do not share their key
526 material among each other. If shared is used a new session keyring
527 is allocated as for private, but the user keyring of the user
528 configured with User= is linked into it, so that keys assigned to
529 the user may be requested by the unit's processes. In this modes
530 multiple units running processes under the same user ID may share
531 key material. Unless inherit is selected the unique invocation ID
532 for the unit (see below) is added as a protected key by the name
533 "invocation_id" to the newly created session keyring. Defaults to
534 private for services of the system service manager and to inherit
535 for non-service units and for services of the user service manager.
536
537 OOMScoreAdjust=
538 Sets the adjustment level for the Out-Of-Memory killer for executed
539 processes. Takes an integer between -1000 (to disable OOM killing
540 for this process) and 1000 (to make killing of this process under
541 memory pressure very likely). See proc.txt[3] for details.
542
543 TimerSlackNSec=
544 Sets the timer slack in nanoseconds for the executed processes. The
545 timer slack controls the accuracy of wake-ups triggered by timers.
546 See prctl(2) for more information. Note that in contrast to most
547 other time span definitions this parameter takes an integer value
548 in nano-seconds if no unit is specified. The usual time units are
549 understood too.
550
551 Personality=
552 Controls which kernel architecture uname(2) shall report, when
553 invoked by unit processes. Takes one of the architecture
554 identifiers x86, x86-64, ppc, ppc-le, ppc64, ppc64-le, s390 or
555 s390x. Which personality architectures are supported depends on the
556 system architecture. Usually the 64bit versions of the various
557 system architectures support their immediate 32bit personality
558 architecture counterpart, but no others. For example, x86-64
559 systems support the x86-64 and x86 personalities but no others. The
560 personality feature is useful when running 32-bit services on a
561 64-bit host system. If not specified, the personality is left
562 unmodified and thus reflects the personality of the host system's
563 kernel.
564
565 IgnoreSIGPIPE=
566 Takes a boolean argument. If true, causes SIGPIPE to be ignored in
567 the executed process. Defaults to true because SIGPIPE generally is
568 useful only in shell pipelines.
569
571 Nice=
572 Sets the default nice level (scheduling priority) for executed
573 processes. Takes an integer between -20 (highest priority) and 19
574 (lowest priority). See setpriority(2) for details.
575
576 CPUSchedulingPolicy=
577 Sets the CPU scheduling policy for executed processes. Takes one of
578 other, batch, idle, fifo or rr. See sched_setscheduler(2) for
579 details.
580
581 CPUSchedulingPriority=
582 Sets the CPU scheduling priority for executed processes. The
583 available priority range depends on the selected CPU scheduling
584 policy (see above). For real-time scheduling policies an integer
585 between 1 (lowest priority) and 99 (highest priority) can be used.
586 See sched_setscheduler(2) for details.
587
588 CPUSchedulingResetOnFork=
589 Takes a boolean argument. If true, elevated CPU scheduling
590 priorities and policies will be reset when the executed processes
591 fork, and can hence not leak into child processes. See
592 sched_setscheduler(2) for details. Defaults to false.
593
594 CPUAffinity=
595 Controls the CPU affinity of the executed processes. Takes a list
596 of CPU indices or ranges separated by either whitespace or commas.
597 CPU ranges are specified by the lower and upper CPU indices
598 separated by a dash. This option may be specified more than once,
599 in which case the specified CPU affinity masks are merged. If the
600 empty string is assigned, the mask is reset, all assignments prior
601 to this will have no effect. See sched_setaffinity(2) for details.
602
603 IOSchedulingClass=
604 Sets the I/O scheduling class for executed processes. Takes an
605 integer between 0 and 3 or one of the strings none, realtime,
606 best-effort or idle. If the empty string is assigned to this
607 option, all prior assignments to both IOSchedulingClass= and
608 IOSchedulingPriority= have no effect. See ioprio_set(2) for
609 details.
610
611 IOSchedulingPriority=
612 Sets the I/O scheduling priority for executed processes. Takes an
613 integer between 0 (highest priority) and 7 (lowest priority). The
614 available priorities depend on the selected I/O scheduling class
615 (see above). If the empty string is assigned to this option, all
616 prior assignments to both IOSchedulingClass= and
617 IOSchedulingPriority= have no effect. See ioprio_set(2) for
618 details.
619
621 The following sandboxing options are an effective way to limit the
622 exposure of the system towards the unit's processes. It is recommended
623 to turn on as many of these options for each unit as is possible
624 without negatively affecting the process' ability to operate. Note that
625 many of these sandboxing features are gracefully turned off on systems
626 where the underlying security mechanism is not available. For example,
627 ProtectSystem= has no effect if the kernel is built without file system
628 namespacing or if the service manager runs in a container manager that
629 makes file system namespacing unavailable to its payload. Similar,
630 RestrictRealtime= has no effect on systems that lack support for
631 SECCOMP system call filtering, or in containers where support for this
632 is turned off.
633
634 Also note that some sandboxing functionality is generally not available
635 in user services (i.e. services run by the per-user service manager).
636 Specifically, the various settings requiring file system namespacing
637 support (such as ProtectSystem=) are not available, as the underlying
638 kernel functionality is only accessible to privileged processes.
639
640 ProtectSystem=
641 Takes a boolean argument or the special values "full" or "strict".
642 If true, mounts the /usr and /boot directories read-only for
643 processes invoked by this unit. If set to "full", the /etc
644 directory is mounted read-only, too. If set to "strict" the entire
645 file system hierarchy is mounted read-only, except for the API file
646 system subtrees /dev, /proc and /sys (protect these directories
647 using PrivateDevices=, ProtectKernelTunables=,
648 ProtectControlGroups=). This setting ensures that any modification
649 of the vendor-supplied operating system (and optionally its
650 configuration, and local mounts) is prohibited for the service. It
651 is recommended to enable this setting for all long-running
652 services, unless they are involved with system updates or need to
653 modify the operating system in other ways. If this option is used,
654 ReadWritePaths= may be used to exclude specific directories from
655 being made read-only. This setting is implied if DynamicUser= is
656 set. This setting cannot ensure protection in all cases. In general
657 it has the same limitations as ReadOnlyPaths=, see below. Defaults
658 to off.
659
660 ProtectHome=
661 Takes a boolean argument or the special values "read-only" or
662 "tmpfs". If true, the directories /home, /root, and /run/user are
663 made inaccessible and empty for processes invoked by this unit. If
664 set to "read-only", the three directories are made read-only
665 instead. If set to "tmpfs", temporary file systems are mounted on
666 the three directories in read-only mode. The value "tmpfs" is
667 useful to hide home directories not relevant to the processes
668 invoked by the unit, while still allowing necessary directories to
669 be made visible when listed in BindPaths= or BindReadOnlyPaths=.
670
671 Setting this to "yes" is mostly equivalent to set the three
672 directories in InaccessiblePaths=. Similarly, "read-only" is mostly
673 equivalent to ReadOnlyPaths=, and "tmpfs" is mostly equivalent to
674 TemporaryFileSystem= with ":ro".
675
676 It is recommended to enable this setting for all long-running
677 services (in particular network-facing ones), to ensure they cannot
678 get access to private user data, unless the services actually
679 require access to the user's private data. This setting is implied
680 if DynamicUser= is set. This setting cannot ensure protection in
681 all cases. In general it has the same limitations as
682 ReadOnlyPaths=, see below.
683
684 This option is only available for system services and is not
685 supported for services running in per-user instances of the service
686 manager.
687
688 RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=,
689 ConfigurationDirectory=
690 These options take a whitespace-separated list of directory names.
691 The specified directory names must be relative, and may not include
692 "..". If set, one or more directories by the specified names will
693 be created (including their parents) below the locations defined in
694 the following table, when the unit is started. Also, the
695 corresponding environment variable is defined with the full path of
696 directories. If multiple directories are set, then in the
697 environment variable the paths are concatenated with colon (":").
698
699 Table 2. Automatic directory creation and environment variables
700 ┌────────────────────────┬────────────┬──────────────────────┬──────────────────────────┐
701 │Locations │ for system │ for users │ Environment │
702 │ │ │ │ variable │
703 ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
704 │RuntimeDirectory= │ /run │ $XDG_RUNTIME_DIR │ $RUNTIME_DIRECTORY │
705 ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
706 │StateDirectory= │ /var/lib │ $XDG_CONFIG_HOME │ $STATE_DIRECTORY │
707 ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
708 │CacheDirectory= │ /var/cache │ $XDG_CACHE_HOME │ $CACHE_DIRECTORY │
709 ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
710 │LogsDirectory= │ /var/log │ $XDG_CONFIG_HOME/log │ $LOGS_DIRECTORY │
711 ├────────────────────────┼────────────┼──────────────────────┼──────────────────────────┤
712 │ConfigurationDirectory= │ /etc │ $XDG_CONFIG_HOME │ $CONFIGURATION_DIRECTORY │
713 └────────────────────────┴────────────┴──────────────────────┴──────────────────────────┘
714 In case of RuntimeDirectory= the lowest subdirectories are removed
715 when the unit is stopped. It is possible to preserve the specified
716 directories in this case if RuntimeDirectoryPreserve= is configured
717 to restart or yes (see below). The directories specified with
718 StateDirectory=, CacheDirectory=, LogsDirectory=,
719 ConfigurationDirectory= are not removed when the unit is stopped.
720
721 Except in case of ConfigurationDirectory=, the innermost specified
722 directories will be owned by the user and group specified in User=
723 and Group=. If the specified directories already exist and their
724 owning user or group do not match the configured ones, all files
725 and directories below the specified directories as well as the
726 directories themselves will have their file ownership recursively
727 changed to match what is configured. As an optimization, if the
728 specified directories are already owned by the right user and
729 group, files and directories below of them are left as-is, even if
730 they do not match what is requested. The innermost specified
731 directories will have their access mode adjusted to the what is
732 specified in RuntimeDirectoryMode=, StateDirectoryMode=,
733 CacheDirectoryMode=, LogsDirectoryMode= and
734 ConfigurationDirectoryMode=.
735
736 These options imply BindPaths= for the specified paths. When
737 combined with RootDirectory= or RootImage= these paths always
738 reside on the host and are mounted from there into the unit's file
739 system namespace.
740
741 If DynamicUser= is used in conjunction with StateDirectory=,
742 CacheDirectory= and LogsDirectory= is slightly altered: the
743 directories are created below /var/lib/private, /var/cache/private
744 and /var/log/private, respectively, which are host directories made
745 inaccessible to unprivileged users, which ensures that access to
746 these directories cannot be gained through dynamic user ID
747 recycling. Symbolic links are created to hide this difference in
748 behaviour. Both from perspective of the host and from inside the
749 unit, the relevant directories hence always appear directly below
750 /var/lib, /var/cache and /var/log.
751
752 Use RuntimeDirectory= to manage one or more runtime directories for
753 the unit and bind their lifetime to the daemon runtime. This is
754 particularly useful for unprivileged daemons that cannot create
755 runtime directories in /run due to lack of privileges, and to make
756 sure the runtime directory is cleaned up automatically after use.
757 For runtime directories that require more complex or different
758 configuration or lifetime guarantees, please consider using
759 tmpfiles.d(5).
760
761 Example: if a system service unit has the following,
762
763 RuntimeDirectory=foo/bar baz
764
765 the service manager creates /run/foo (if it does not exist),
766 /run/foo/bar, and /run/baz. The directories /run/foo/bar and
767 /run/baz except /run/foo are owned by the user and group specified
768 in User= and Group=, and removed when the service is stopped.
769
770 Example: if a system service unit has the following,
771
772 RuntimeDirectory=foo/bar
773 StateDirectory=aaa/bbb ccc
774
775 then the environment variable "RUNTIME_DIRECTORY" is set with
776 "/run/foo/bar", and "STATE_DIRECTORY" is set with
777 "/var/lib/aaa/bbb:/var/lib/ccc".
778
779 RuntimeDirectoryMode=, StateDirectoryMode=, CacheDirectoryMode=,
780 LogsDirectoryMode=, ConfigurationDirectoryMode=
781 Specifies the access mode of the directories specified in
782 RuntimeDirectory=, StateDirectory=, CacheDirectory=,
783 LogsDirectory=, or ConfigurationDirectory=, respectively, as an
784 octal number. Defaults to 0755. See "Permissions" in
785 path_resolution(7) for a discussion of the meaning of permission
786 bits.
787
788 RuntimeDirectoryPreserve=
789 Takes a boolean argument or restart. If set to no (the default),
790 the directories specified in RuntimeDirectory= are always removed
791 when the service stops. If set to restart the directories are
792 preserved when the service is both automatically and manually
793 restarted. Here, the automatic restart means the operation
794 specified in Restart=, and manual restart means the one triggered
795 by systemctl restart foo.service. If set to yes, then the
796 directories are not removed when the service is stopped. Note that
797 since the runtime directory /run is a mount point of "tmpfs", then
798 for system services the directories specified in RuntimeDirectory=
799 are removed when the system is rebooted.
800
801 ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=
802 Sets up a new file system namespace for executed processes. These
803 options may be used to limit access a process might have to the
804 file system hierarchy. Each setting takes a space-separated list of
805 paths relative to the host's root directory (i.e. the system
806 running the service manager). Note that if paths contain symlinks,
807 they are resolved relative to the root directory set with
808 RootDirectory=/RootImage=.
809
810 Paths listed in ReadWritePaths= are accessible from within the
811 namespace with the same access modes as from outside of it. Paths
812 listed in ReadOnlyPaths= are accessible for reading only, writing
813 will be refused even if the usual file access controls would permit
814 this. Nest ReadWritePaths= inside of ReadOnlyPaths= in order to
815 provide writable subdirectories within read-only directories. Use
816 ReadWritePaths= in order to whitelist specific paths for write
817 access if ProtectSystem=strict is used.
818
819 Paths listed in InaccessiblePaths= will be made inaccessible for
820 processes inside the namespace along with everything below them in
821 the file system hierarchy. This may be more restrictive than
822 desired, because it is not possible to nest ReadWritePaths=,
823 ReadOnlyPaths=, BindPaths=, or BindReadOnlyPaths= inside it. For a
824 more flexible option, see TemporaryFileSystem=.
825
826 Non-directory paths may be specified as well. These options may be
827 specified more than once, in which case all paths listed will have
828 limited access from within the namespace. If the empty string is
829 assigned to this option, the specific list is reset, and all prior
830 assignments have no effect.
831
832 Paths in ReadWritePaths=, ReadOnlyPaths= and InaccessiblePaths= may
833 be prefixed with "-", in which case they will be ignored when they
834 do not exist. If prefixed with "+" the paths are taken relative to
835 the root directory of the unit, as configured with
836 RootDirectory=/RootImage=, instead of relative to the root
837 directory of the host (see above). When combining "-" and "+" on
838 the same path make sure to specify "-" first, and "+" second.
839
840 Note that these settings will disconnect propagation of mounts from
841 the unit's processes to the host. This means that this setting may
842 not be used for services which shall be able to install mount
843 points in the main mount namespace. For ReadWritePaths= and
844 ReadOnlyPaths= propagation in the other direction is not affected,
845 i.e. mounts created on the host generally appear in the unit
846 processes' namespace, and mounts removed on the host also disappear
847 there too. In particular, note that mount propagation from host to
848 unit will result in unmodified mounts to be created in the unit's
849 namespace, i.e. writable mounts appearing on the host will be
850 writable in the unit's namespace too, even when propagated below a
851 path marked with ReadOnlyPaths=! Restricting access with these
852 options hence does not extend to submounts of a directory that are
853 created later on. This means the lock-down offered by that setting
854 is not complete, and does not offer full protection.
855
856 Note that the effect of these settings may be undone by privileged
857 processes. In order to set up an effective sandboxed environment
858 for a unit it is thus recommended to combine these settings with
859 either CapabilityBoundingSet=~CAP_SYS_ADMIN or
860 SystemCallFilter=~@mount.
861
862 These options are only available for system services and are not
863 supported for services running in per-user instances of the service
864 manager.
865
866 TemporaryFileSystem=
867 Takes a space-separated list of mount points for temporary file
868 systems (tmpfs). If set, a new file system namespace is set up for
869 executed processes, and a temporary file system is mounted on each
870 mount point. This option may be specified more than once, in which
871 case temporary file systems are mounted on all listed mount points.
872 If the empty string is assigned to this option, the list is reset,
873 and all prior assignments have no effect. Each mount point may
874 optionally be suffixed with a colon (":") and mount options such as
875 "size=10%" or "ro". By default, each temporary file system is
876 mounted with "nodev,strictatime,mode=0755". These can be disabled
877 by explicitly specifying the corresponding mount options, e.g.,
878 "dev" or "nostrictatime".
879
880 This is useful to hide files or directories not relevant to the
881 processes invoked by the unit, while necessary files or directories
882 can be still accessed by combining with BindPaths= or
883 BindReadOnlyPaths=:
884
885 Example: if a unit has the following,
886
887 TemporaryFileSystem=/var:ro
888 BindReadOnlyPaths=/var/lib/systemd
889
890 then the invoked processes by the unit cannot see any files or
891 directories under /var except for /var/lib/systemd or its contents.
892
893 This option is only available for system services and is not
894 supported for services running in per-user instances of the service
895 manager.
896
897 PrivateTmp=
898 Takes a boolean argument. If true, sets up a new file system
899 namespace for the executed processes and mounts private /tmp and
900 /var/tmp directories inside it that is not shared by processes
901 outside of the namespace. This is useful to secure access to
902 temporary files of the process, but makes sharing between processes
903 via /tmp or /var/tmp impossible. If this is enabled, all temporary
904 files created by a service in these directories will be removed
905 after the service is stopped. Defaults to false. It is possible to
906 run two or more units within the same private /tmp and /var/tmp
907 namespace by using the JoinsNamespaceOf= directive, see
908 systemd.unit(5) for details. This setting is implied if
909 DynamicUser= is set. For this setting the same restrictions
910 regarding mount propagation and privileges apply as for
911 ReadOnlyPaths= and related calls, see above. Enabling this setting
912 has the side effect of adding Requires= and After= dependencies on
913 all mount units necessary to access /tmp and /var/tmp. Moreover an
914 implicitly After= ordering on systemd-tmpfiles-setup.service(8) is
915 added.
916
917 Note that the implementation of this setting might be impossible
918 (for example if mount namespaces are not available), and the unit
919 should be written in a way that does not solely rely on this
920 setting for security.
921
922 This option is only available for system services and is not
923 supported for services running in per-user instances of the service
924 manager.
925
926 PrivateDevices=
927 Takes a boolean argument. If true, sets up a new /dev mount for the
928 executed processes and only adds API pseudo devices such as
929 /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY
930 subsystem) to it, but no physical devices such as /dev/sda, system
931 memory /dev/mem, system ports /dev/port and others. This is useful
932 to securely turn off physical device access by the executed
933 process. Defaults to false. Enabling this option will install a
934 system call filter to block low-level I/O system calls that are
935 grouped in the @raw-io set, will also remove CAP_MKNOD and
936 CAP_SYS_RAWIO from the capability bounding set for the unit (see
937 above), and set DevicePolicy=closed (see systemd.resource-
938 control(5) for details). Note that using this setting will
939 disconnect propagation of mounts from the service to the host
940 (propagation in the opposite direction continues to work). This
941 means that this setting may not be used for services which shall be
942 able to install mount points in the main mount namespace. The new
943 /dev will be mounted read-only and 'noexec'. The latter may break
944 old programs which try to set up executable memory by using mmap(2)
945 of /dev/zero instead of using MAP_ANON. For this setting the same
946 restrictions regarding mount propagation and privileges apply as
947 for ReadOnlyPaths= and related calls, see above. If turned on and
948 if running in user mode, or in system mode, but without the
949 CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes
950 is implied.
951
952 Note that the implementation of this setting might be impossible
953 (for example if mount namespaces are not available), and the unit
954 should be written in a way that does not solely rely on this
955 setting for security.
956
957 This option is only available for system services and is not
958 supported for services running in per-user instances of the service
959 manager.
960
961 PrivateNetwork=
962 Takes a boolean argument. If true, sets up a new network namespace
963 for the executed processes and configures only the loopback network
964 device "lo" inside it. No other network devices will be available
965 to the executed process. This is useful to turn off network access
966 by the executed process. Defaults to false. It is possible to run
967 two or more units within the same private network namespace by
968 using the JoinsNamespaceOf= directive, see systemd.unit(5) for
969 details. Note that this option will disconnect all socket families
970 from the host, including AF_NETLINK and AF_UNIX. Effectively, for
971 AF_NETLINK this means that device configuration events received
972 from systemd-udevd.service(8) are not delivered to the unit's
973 processes. And for AF_UNIX this has the effect that AF_UNIX sockets
974 in the abstract socket namespace of the host will become
975 unavailable to the unit's processes (however, those located in the
976 file system will continue to be accessible).
977
978 Note that the implementation of this setting might be impossible
979 (for example if network namespaces are not available), and the unit
980 should be written in a way that does not solely rely on this
981 setting for security.
982
983 This option is only available for system services and is not
984 supported for services running in per-user instances of the service
985 manager.
986
987 PrivateUsers=
988 Takes a boolean argument. If true, sets up a new user namespace for
989 the executed processes and configures a minimal user and group
990 mapping, that maps the "root" user and group as well as the unit's
991 own user and group to themselves and everything else to the
992 "nobody" user and group. This is useful to securely detach the user
993 and group databases used by the unit from the rest of the system,
994 and thus to create an effective sandbox environment. All files,
995 directories, processes, IPC objects and other resources owned by
996 users/groups not equaling "root" or the unit's own will stay
997 visible from within the unit but appear owned by the "nobody" user
998 and group. If this mode is enabled, all unit processes are run
999 without privileges in the host user namespace (regardless if the
1000 unit's own user/group is "root" or not). Specifically this means
1001 that the process will have zero process capabilities on the host's
1002 user namespace, but full capabilities within the service's user
1003 namespace. Settings such as CapabilityBoundingSet= will affect only
1004 the latter, and there's no way to acquire additional capabilities
1005 in the host's user namespace. Defaults to off.
1006
1007 This setting is particularly useful in conjunction with
1008 RootDirectory=/RootImage=, as the need to synchronize the user and
1009 group databases in the root directory and on the host is reduced,
1010 as the only users and groups who need to be matched are "root",
1011 "nobody" and the unit's own user and group.
1012
1013 Note that the implementation of this setting might be impossible
1014 (for example if user namespaces are not available), and the unit
1015 should be written in a way that does not solely rely on this
1016 setting for security.
1017
1018 This option is only available for system services and is not
1019 supported for services running in per-user instances of the service
1020 manager.
1021
1022 ProtectKernelTunables=
1023 Takes a boolean argument. If true, kernel variables accessible
1024 through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
1025 /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made
1026 read-only to all processes of the unit. Usually, tunable kernel
1027 variables should be initialized only at boot-time, for example with
1028 the sysctl.d(5) mechanism. Few services need to write to these at
1029 runtime; it is hence recommended to turn this on for most services.
1030 For this setting the same restrictions regarding mount propagation
1031 and privileges apply as for ReadOnlyPaths= and related calls, see
1032 above. Defaults to off. If turned on and if running in user mode,
1033 or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1034 services for which User= is set), NoNewPrivileges=yes is implied.
1035 Note that this option does not prevent indirect changes to kernel
1036 tunables effected by IPC calls to other processes. However,
1037 InaccessiblePaths= may be used to make relevant IPC file system
1038 objects inaccessible. If ProtectKernelTunables= is set,
1039 MountAPIVFS=yes is implied.
1040
1041 This option is only available for system services and is not
1042 supported for services running in per-user instances of the service
1043 manager.
1044
1045 ProtectKernelModules=
1046 Takes a boolean argument. If true, explicit module loading will be
1047 denied. This allows module load and unload operations to be turned
1048 off on modular kernels. It is recommended to turn this on for most
1049 services that do not need special file systems or extra kernel
1050 modules to work. Defaults to off. Enabling this option removes
1051 CAP_SYS_MODULE from the capability bounding set for the unit, and
1052 installs a system call filter to block module system calls, also
1053 /usr/lib/modules is made inaccessible. For this setting the same
1054 restrictions regarding mount propagation and privileges apply as
1055 for ReadOnlyPaths= and related calls, see above. Note that limited
1056 automatic module loading due to user configuration or kernel
1057 mapping tables might still happen as side effect of requested user
1058 operations, both privileged and unprivileged. To disable module
1059 auto-load feature please see sysctl.d(5) kernel.modules_disabled
1060 mechanism and /proc/sys/kernel/modules_disabled documentation. If
1061 turned on and if running in user mode, or in system mode, but
1062 without the CAP_SYS_ADMIN capability (e.g. setting User=),
1063 NoNewPrivileges=yes is implied.
1064
1065 This option is only available for system services and is not
1066 supported for services running in per-user instances of the service
1067 manager.
1068
1069 ProtectControlGroups=
1070 Takes a boolean argument. If true, the Linux Control Groups
1071 (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
1072 made read-only to all processes of the unit. Except for container
1073 managers no services should require write access to the control
1074 groups hierarchies; it is hence recommended to turn this on for
1075 most services. For this setting the same restrictions regarding
1076 mount propagation and privileges apply as for ReadOnlyPaths= and
1077 related calls, see above. Defaults to off. If ProtectControlGroups=
1078 is set, MountAPIVFS=yes is implied.
1079
1080 This option is only available for system services and is not
1081 supported for services running in per-user instances of the service
1082 manager.
1083
1084 RestrictAddressFamilies=
1085 Restricts the set of socket address families accessible to the
1086 processes of this unit. Takes a space-separated list of address
1087 family names to whitelist, such as AF_UNIX, AF_INET or AF_INET6.
1088 When prefixed with ~ the listed address families will be applied as
1089 blacklist, otherwise as whitelist. Note that this restricts access
1090 to the socket(2) system call only. Sockets passed into the process
1091 by other means (for example, by using socket activation with socket
1092 units, see systemd.socket(5)) are unaffected. Also, sockets created
1093 with socketpair() (which creates connected AF_UNIX sockets only)
1094 are unaffected. Note that this option has no effect on 32-bit x86,
1095 s390, s390x, mips, mips-le, ppc, ppc-le, pcc64, ppc64-le and is
1096 ignored (but works correctly on other ABIs, including x86-64). Note
1097 that on systems supporting multiple ABIs (such as x86/x86-64) it is
1098 recommended to turn off alternative ABIs for services, so that they
1099 cannot be used to circumvent the restrictions of this option.
1100 Specifically, it is recommended to combine this option with
1101 SystemCallArchitectures=native or similar. If running in user mode,
1102 or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1103 setting User=nobody), NoNewPrivileges=yes is implied. By default,
1104 no restrictions apply, all address families are accessible to
1105 processes. If assigned the empty string, any previous address
1106 familiy restriction changes are undone. This setting does not
1107 affect commands prefixed with "+".
1108
1109 Use this option to limit exposure of processes to remote access, in
1110 particular via exotic and sensitive network protocols, such as
1111 AF_PACKET. Note that in most cases, the local AF_UNIX address
1112 family should be included in the configured whitelist as it is
1113 frequently used for local communication, including for syslog(2)
1114 logging.
1115
1116 RestrictNamespaces=
1117 Restricts access to Linux namespace functionality for the processes
1118 of this unit. For details about Linux namespaces, see
1119 namespaces(7). Either takes a boolean argument, or a
1120 space-separated list of namespace type identifiers. If false (the
1121 default), no restrictions on namespace creation and switching are
1122 made. If true, access to any kind of namespacing is prohibited.
1123 Otherwise, a space-separated list of namespace type identifiers
1124 must be specified, consisting of any combination of: cgroup, ipc,
1125 net, mnt, pid, user and uts. Any namespace type listed is made
1126 accessible to the unit's processes, access to namespace types not
1127 listed is prohibited (whitelisting). By prepending the list with a
1128 single tilde character ("~") the effect may be inverted: only the
1129 listed namespace types will be made inaccessible, all unlisted ones
1130 are permitted (blacklisting). If the empty string is assigned, the
1131 default namespace restrictions are applied, which is equivalent to
1132 false. This option may appear more than once, in which case the
1133 namespace types are merged by OR, or by AND if the lines are
1134 prefixed with "~" (see examples below). Internally, this setting
1135 limits access to the unshare(2), clone(2) and setns(2) system
1136 calls, taking the specified flags parameters into account. Note
1137 that — if this option is used — in addition to restricting creation
1138 and switching of the specified types of namespaces (or all of them,
1139 if true) access to the setns() system call with a zero flags
1140 parameter is prohibited. This setting is only supported on x86,
1141 x86-64, mips, mips-le, mips64, mips64-le, mips64-n32,
1142 mips64-le-n32, ppc64, ppc64-le, s390 and s390x, and enforces no
1143 restrictions on other architectures. If running in user mode, or in
1144 system mode, but without the CAP_SYS_ADMIN capability (e.g. setting
1145 User=), NoNewPrivileges=yes is implied.
1146
1147 Example: if a unit has the following,
1148
1149 RestrictNamespaces=cgroup ipc
1150 RestrictNamespaces=cgroup net
1151
1152 then cgroup, ipc, and net are set. If the second line is prefixed
1153 with "~", e.g.,
1154
1155 RestrictNamespaces=cgroup ipc
1156 RestrictNamespaces=~cgroup net
1157
1158 then, only ipc is set.
1159
1160 LockPersonality=
1161 Takes a boolean argument. If set, locks down the personality(2)
1162 system call so that the kernel execution domain may not be changed
1163 from the default or the personality selected with Personality=
1164 directive. This may be useful to improve security, because odd
1165 personality emulations may be poorly tested and source of
1166 vulnerabilities. If running in user mode, or in system mode, but
1167 without the CAP_SYS_ADMIN capability (e.g. setting User=),
1168 NoNewPrivileges=yes is implied.
1169
1170 MemoryDenyWriteExecute=
1171 Takes a boolean argument. If set, attempts to create memory
1172 mappings that are writable and executable at the same time, or to
1173 change existing memory mappings to become executable, or mapping
1174 shared memory segments as executable are prohibited. Specifically,
1175 a system call filter is added that rejects mmap(2) system calls
1176 with both PROT_EXEC and PROT_WRITE set, mprotect(2) or
1177 pkey_mprotect(2) system calls with PROT_EXEC set and shmat(2)
1178 system calls with SHM_EXEC set. Note that this option is
1179 incompatible with programs and libraries that generate program code
1180 dynamically at runtime, including JIT execution engines, executable
1181 stacks, and code "trampoline" feature of various C compilers. This
1182 option improves service security, as it makes harder for software
1183 exploits to change running code dynamically. However, the
1184 protection can be circumvented, if the service can write to a
1185 filesystem, which is not mounted with noexec (such as /dev/shm), or
1186 it can use memfd_create(). This can be prevented by making such
1187 file systems inaccessible to the service (e.g.
1188 InaccessiblePaths=/dev/shm) and installing further system call
1189 filters (SystemCallFilter=~memfd_create). Note that this feature is
1190 fully available on x86-64, and partially on x86. Specifically, the
1191 shmat() protection is not available on x86. Note that on systems
1192 supporting multiple ABIs (such as x86/x86-64) it is recommended to
1193 turn off alternative ABIs for services, so that they cannot be used
1194 to circumvent the restrictions of this option. Specifically, it is
1195 recommended to combine this option with
1196 SystemCallArchitectures=native or similar. If running in user mode,
1197 or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1198 setting User=), NoNewPrivileges=yes is implied.
1199
1200 RestrictRealtime=
1201 Takes a boolean argument. If set, any attempts to enable realtime
1202 scheduling in a process of the unit are refused. This restricts
1203 access to realtime task scheduling policies such as SCHED_FIFO,
1204 SCHED_RR or SCHED_DEADLINE. See sched(7) for details about these
1205 scheduling policies. If running in user mode, or in system mode,
1206 but without the CAP_SYS_ADMIN capability (e.g. setting User=),
1207 NoNewPrivileges=yes is implied. Realtime scheduling policies may be
1208 used to monopolize CPU time for longer periods of time, and may
1209 hence be used to lock up or otherwise trigger Denial-of-Service
1210 situations on the system. It is hence recommended to restrict
1211 access to realtime scheduling to the few programs that actually
1212 require them. Defaults to off.
1213
1214 RestrictSUIDSGID=
1215 Takes a boolean argument. If set, any attempts to set the
1216 set-user-ID (SUID) or set-group-ID (SGID) bits on files or
1217 directories will be denied (for details on these bits see
1218 inode(7)). If running in user mode, or in system mode, but without
1219 the CAP_SYS_ADMIN capability (e.g. setting User=),
1220 NoNewPrivileges=yes is implied. As the SUID/SGID bits are
1221 mechanisms to elevate privileges, and allows users to acquire the
1222 identity of other users, it is recommended to restrict creation of
1223 SUID/SGID files to the few programs that actually require them.
1224 Note that this restricts marking of any type of file system object
1225 with these bits, including both regular files and directories
1226 (where the SGID is a different meaning than for files, see
1227 documentation). Defaults to off.
1228
1229 RemoveIPC=
1230 Takes a boolean parameter. If set, all System V and POSIX IPC
1231 objects owned by the user and group the processes of this unit are
1232 run as are removed when the unit is stopped. This setting only has
1233 an effect if at least one of User=, Group= and DynamicUser= are
1234 used. It has no effect on IPC objects owned by the root user.
1235 Specifically, this removes System V semaphores, as well as System V
1236 and POSIX shared memory segments and message queues. If multiple
1237 units use the same user or group the IPC objects are removed when
1238 the last of these units is stopped. This setting is implied if
1239 DynamicUser= is set.
1240
1241 This option is only available for system services and is not
1242 supported for services running in per-user instances of the service
1243 manager.
1244
1245 PrivateMounts=
1246 Takes a boolean parameter. If set, the processes of this unit will
1247 be run in their own private file system (mount) namespace with all
1248 mount propagation from the processes towards the host's main file
1249 system namespace turned off. This means any file system mount
1250 points established or removed by the unit's processes will be
1251 private to them and not be visible to the host. However, file
1252 system mount points established or removed on the host will be
1253 propagated to the unit's processes. See mount_namespaces(7) for
1254 details on file system namespaces. Defaults to off.
1255
1256 When turned on, this executes three operations for each invoked
1257 process: a new CLONE_NEWNS namespace is created, after which all
1258 existing mounts are remounted to MS_SLAVE to disable propagation
1259 from the unit's processes to the host (but leaving propagation in
1260 the opposite direction in effect). Finally, the mounts are
1261 remounted again to the propagation mode configured with
1262 MountFlags=, see below.
1263
1264 File system namespaces are set up individually for each process
1265 forked off by the service manager. Mounts established in the
1266 namespace of the process created by ExecStartPre= will hence be
1267 cleaned up automatically as soon as that process exits and will not
1268 be available to subsequent processes forked off for ExecStart= (and
1269 similar applies to the various other commands configured for
1270 units). Similarly, JoinsNamespaceOf= does not permit sharing kernel
1271 mount namespaces between units, it only enables sharing of the
1272 /tmp/ and /var/tmp/ directories.
1273
1274 Other file system namespace unit settings — PrivateMounts=,
1275 PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=,
1276 ReadOnlyPaths=, InaccessiblePaths=, ReadWritePaths=, ... — also
1277 enable file system namespacing in a fashion equivalent to this
1278 option. Hence it is primarily useful to explicitly request this
1279 behaviour if none of the other settings are used.
1280
1281 This option is only available for system services and is not
1282 supported for services running in per-user instances of the service
1283 manager.
1284
1285 MountFlags=
1286 Takes a mount propagation setting: shared, slave or private, which
1287 controls whether file system mount points in the file system
1288 namespaces set up for this unit's processes will receive or
1289 propagate mounts and unmounts from other file system namespaces.
1290 See mount(2) for details on mount propagation, and the three
1291 propagation flags in particular.
1292
1293 This setting only controls the final propagation setting in effect
1294 on all mount points of the file system namespace created for each
1295 process of this unit. Other file system namespacing unit settings
1296 (see the discussion in PrivateMounts= above) will implicitly
1297 disable mount and unmount propagation from the unit's processes
1298 towards the host by changing the propagation setting of all mount
1299 points in the unit's file system namepace to slave first. Setting
1300 this option to shared does not reestablish propagation in that
1301 case.
1302
1303 If not set – but file system namespaces are enabled through another
1304 file system namespace unit setting – shared mount propagation is
1305 used, but — as mentioned — as slave is applied first, propagation
1306 from the unit's processes to the host is still turned off.
1307
1308 It is not recommended to to use private mount propagation for
1309 units, as this means temporary mounts (such as removable media) of
1310 the host will stay mounted and thus indefinitely busy in forked off
1311 processes, as unmount propagation events won't be received by the
1312 file system namespace of the unit.
1313
1314 Usually, it is best to leave this setting unmodified, and use
1315 higher level file system namespacing options instead, in particular
1316 PrivateMounts=, see above.
1317
1318 This option is only available for system services and is not
1319 supported for services running in per-user instances of the service
1320 manager.
1321
1323 SystemCallFilter=
1324 Takes a space-separated list of system call names. If this setting
1325 is used, all system calls executed by the unit processes except for
1326 the listed ones will result in immediate process termination with
1327 the SIGSYS signal (whitelisting). If the first character of the
1328 list is "~", the effect is inverted: only the listed system calls
1329 will result in immediate process termination (blacklisting).
1330 Blacklisted system calls and system call groups may optionally be
1331 suffixed with a colon (":") and "errno" error number (between 0 and
1332 4095) or errno name such as EPERM, EACCES or EUCLEAN. This value
1333 will be returned when a blacklisted system call is triggered,
1334 instead of terminating the processes immediately. This value takes
1335 precedence over the one given in SystemCallErrorNumber=. If running
1336 in user mode, or in system mode, but without the CAP_SYS_ADMIN
1337 capability (e.g. setting User=nobody), NoNewPrivileges=yes is
1338 implied. This feature makes use of the Secure Computing Mode 2
1339 interfaces of the kernel ('seccomp filtering') and is useful for
1340 enforcing a minimal sandboxing environment. Note that the execve,
1341 exit, exit_group, getrlimit, rt_sigreturn, sigreturn system calls
1342 and the system calls for querying time and sleeping are implicitly
1343 whitelisted and do not need to be listed explicitly. This option
1344 may be specified more than once, in which case the filter masks are
1345 merged. If the empty string is assigned, the filter is reset, all
1346 prior assignments will have no effect. This does not affect
1347 commands prefixed with "+".
1348
1349 Note that on systems supporting multiple ABIs (such as x86/x86-64)
1350 it is recommended to turn off alternative ABIs for services, so
1351 that they cannot be used to circumvent the restrictions of this
1352 option. Specifically, it is recommended to combine this option with
1353 SystemCallArchitectures=native or similar.
1354
1355 Note that strict system call filters may impact execution and error
1356 handling code paths of the service invocation. Specifically, access
1357 to the execve system call is required for the execution of the
1358 service binary — if it is blocked service invocation will
1359 necessarily fail. Also, if execution of the service binary fails
1360 for some reason (for example: missing service executable), the
1361 error handling logic might require access to an additional set of
1362 system calls in order to process and log this failure correctly. It
1363 might be necessary to temporarily disable system call filters in
1364 order to simplify debugging of such failures.
1365
1366 If you specify both types of this option (i.e. whitelisting and
1367 blacklisting), the first encountered will take precedence and will
1368 dictate the default action (termination or approval of a system
1369 call). Then the next occurrences of this option will add or delete
1370 the listed system calls from the set of the filtered system calls,
1371 depending of its type and the default action. (For example, if you
1372 have started with a whitelisting of read and write, and right after
1373 it add a blacklisting of write, then write will be removed from the
1374 set.)
1375
1376 As the number of possible system calls is large, predefined sets of
1377 system calls are provided. A set starts with "@" character,
1378 followed by name of the set.
1379
1380 Table 3. Currently predefined system call sets
1381 ┌────────────────┬────────────────────────────┐
1382 │Set │ Description │
1383 ├────────────────┼────────────────────────────┤
1384 │@aio │ Asynchronous I/O │
1385 │ │ (io_setup(2), │
1386 │ │ io_submit(2), and related │
1387 │ │ calls) │
1388 ├────────────────┼────────────────────────────┤
1389 │@basic-io │ System calls for basic │
1390 │ │ I/O: reading, writing, │
1391 │ │ seeking, file descriptor │
1392 │ │ duplication and closing │
1393 │ │ (read(2), write(2), and │
1394 │ │ related calls) │
1395 ├────────────────┼────────────────────────────┤
1396 │@chown │ Changing file ownership │
1397 │ │ (chown(2), fchownat(2), │
1398 │ │ and related calls) │
1399 ├────────────────┼────────────────────────────┤
1400 │@clock │ System calls for changing │
1401 │ │ the system clock │
1402 │ │ (adjtimex(2), │
1403 │ │ settimeofday(2), and │
1404 │ │ related calls) │
1405 ├────────────────┼────────────────────────────┤
1406 │@cpu-emulation │ System calls for CPU │
1407 │ │ emulation functionality │
1408 │ │ (vm86(2) and related │
1409 │ │ calls) │
1410 ├────────────────┼────────────────────────────┤
1411 │@debug │ Debugging, performance │
1412 │ │ monitoring and tracing │
1413 │ │ functionality (ptrace(2), │
1414 │ │ perf_event_open(2) and │
1415 │ │ related calls) │
1416 ├────────────────┼────────────────────────────┤
1417 │@file-system │ File system operations: │
1418 │ │ opening, creating files │
1419 │ │ and directories for read │
1420 │ │ and write, renaming and │
1421 │ │ removing them, reading │
1422 │ │ file properties, or │
1423 │ │ creating hard and symbolic │
1424 │ │ links. │
1425 ├────────────────┼────────────────────────────┤
1426 │@io-event │ Event loop system calls │
1427 │ │ (poll(2), select(2), │
1428 │ │ epoll(7), eventfd(2) and │
1429 │ │ related calls) │
1430 ├────────────────┼────────────────────────────┤
1431 │@ipc │ Pipes, SysV IPC, POSIX │
1432 │ │ Message Queues and other │
1433 │ │ IPC (mq_overview(7), │
1434 │ │ svipc(7)) │
1435 ├────────────────┼────────────────────────────┤
1436 │@keyring │ Kernel keyring access │
1437 │ │ (keyctl(2) and related │
1438 │ │ calls) │
1439 ├────────────────┼────────────────────────────┤
1440 │@memlock │ Locking of memory into RAM │
1441 │ │ (mlock(2), mlockall(2) and │
1442 │ │ related calls) │
1443 ├────────────────┼────────────────────────────┤
1444 │@module │ Loading and unloading of │
1445 │ │ kernel modules │
1446 │ │ (init_module(2), │
1447 │ │ delete_module(2) and │
1448 │ │ related calls) │
1449 ├────────────────┼────────────────────────────┤
1450 │@mount │ Mounting and unmounting of │
1451 │ │ file systems (mount(2), │
1452 │ │ chroot(2), and related │
1453 │ │ calls) │
1454 ├────────────────┼────────────────────────────┤
1455 │@network-io │ Socket I/O (including │
1456 │ │ local AF_UNIX): socket(7), │
1457 │ │ unix(7) │
1458 ├────────────────┼────────────────────────────┤
1459 │@obsolete │ Unusual, obsolete or │
1460 │ │ unimplemented │
1461 │ │ (create_module(2), │
1462 │ │ gtty(2), ...) │
1463 ├────────────────┼────────────────────────────┤
1464 │@privileged │ All system calls which │
1465 │ │ need super-user │
1466 │ │ capabilities │
1467 │ │ (capabilities(7)) │
1468 ├────────────────┼────────────────────────────┤
1469 │@process │ Process control, │
1470 │ │ execution, namespaceing │
1471 │ │ operations (clone(2), │
1472 │ │ kill(2), namespaces(7), │
1473 │ │ ... │
1474 ├────────────────┼────────────────────────────┤
1475 │@raw-io │ Raw I/O port access │
1476 │ │ (ioperm(2), iopl(2), │
1477 │ │ pciconfig_read(), ...) │
1478 ├────────────────┼────────────────────────────┤
1479 │@reboot │ System calls for rebooting │
1480 │ │ and reboot preparation │
1481 │ │ (reboot(2), kexec(), ...) │
1482 ├────────────────┼────────────────────────────┤
1483 │@resources │ System calls for changing │
1484 │ │ resource limits, memory │
1485 │ │ and scheduling parameters │
1486 │ │ (setrlimit(2), │
1487 │ │ setpriority(2), ...) │
1488 ├────────────────┼────────────────────────────┤
1489 │@setuid │ System calls for changing │
1490 │ │ user ID and group ID │
1491 │ │ credentials, (setuid(2), │
1492 │ │ setgid(2), setresuid(2), │
1493 │ │ ...) │
1494 ├────────────────┼────────────────────────────┤
1495 │@signal │ System calls for │
1496 │ │ manipulating and handling │
1497 │ │ process signals │
1498 │ │ (signal(2), │
1499 │ │ sigprocmask(2), ...) │
1500 ├────────────────┼────────────────────────────┤
1501 │@swap │ System calls for │
1502 │ │ enabling/disabling swap │
1503 │ │ devices (swapon(2), │
1504 │ │ swapoff(2)) │
1505 ├────────────────┼────────────────────────────┤
1506 │@sync │ Synchronizing files and │
1507 │ │ memory to disk: (fsync(2), │
1508 │ │ msync(2), and related │
1509 │ │ calls) │
1510 ├────────────────┼────────────────────────────┤
1511 │@system-service │ A reasonable set of system │
1512 │ │ calls used by common │
1513 │ │ system services, excluding │
1514 │ │ any special purpose calls. │
1515 │ │ This is the recommended │
1516 │ │ starting point for │
1517 │ │ whitelisting system calls │
1518 │ │ for system services, as it │
1519 │ │ contains what is typically │
1520 │ │ needed by system services, │
1521 │ │ but excludes overly │
1522 │ │ specific interfaces. For │
1523 │ │ example, the following │
1524 │ │ APIs are excluded: │
1525 │ │ "@clock", "@mount", │
1526 │ │ "@swap", "@reboot". │
1527 ├────────────────┼────────────────────────────┤
1528 │@timer │ System calls for │
1529 │ │ scheduling operations by │
1530 │ │ time (alarm(2), │
1531 │ │ timer_create(2), ...) │
1532 └────────────────┴────────────────────────────┘
1533 Note, that as new system calls are added to the kernel, additional
1534 system calls might be added to the groups above. Contents of the
1535 sets may also change between systemd versions. In addition, the
1536 list of system calls depends on the kernel version and architecture
1537 for which systemd was compiled. Use systemd-analyze syscall-filter
1538 to list the actual list of system calls in each filter.
1539
1540 Generally, whitelisting system calls (rather than blacklisting) is
1541 the safer mode of operation. It is recommended to enforce system
1542 call whitelists for all long-running system services. Specifically,
1543 the following lines are a relatively safe basic choice for the
1544 majority of system services:
1545
1546 [Service]
1547 SystemCallFilter=@system-service
1548 SystemCallErrorNumber=EPERM
1549
1550 It is recommended to combine the file system namespacing related
1551 options with SystemCallFilter=~@mount, in order to prohibit the
1552 unit's processes to undo the mappings. Specifically these are the
1553 options PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=,
1554 ProtectKernelTunables=, ProtectControlGroups=, ReadOnlyPaths=,
1555 InaccessiblePaths= and ReadWritePaths=.
1556
1557 SystemCallErrorNumber=
1558 Takes an "errno" error number (between 1 and 4095) or errno name
1559 such as EPERM, EACCES or EUCLEAN, to return when the system call
1560 filter configured with SystemCallFilter= is triggered, instead of
1561 terminating the process immediately. When this setting is not used,
1562 or when the empty string is assigned, the process will be
1563 terminated immediately when the filter is triggered.
1564
1565 SystemCallArchitectures=
1566 Takes a space-separated list of architecture identifiers to include
1567 in the system call filter. The known architecture identifiers are
1568 the same as for ConditionArchitecture= described in
1569 systemd.unit(5), as well as x32, mips64-n32, mips64-le-n32, and the
1570 special identifier native. The special identifier native implicitly
1571 maps to the native architecture of the system (or more precisely:
1572 to the architecture the system manager is compiled for). If running
1573 in user mode, or in system mode, but without the CAP_SYS_ADMIN
1574 capability (e.g. setting User=nobody), NoNewPrivileges=yes is
1575 implied. By default, this option is set to the empty list, i.e. no
1576 system call architecture filtering is applied.
1577
1578 If this setting is used, processes of this unit will only be
1579 permitted to call native system calls, and system calls of the
1580 specified architectures. For the purposes of this option, the x32
1581 architecture is treated as including x86-64 system calls. However,
1582 this setting still fulfills its purpose, as explained below, on
1583 x32.
1584
1585 System call filtering is not equally effective on all
1586 architectures. For example, on x86 filtering of network
1587 socket-related calls is not possible, due to ABI limitations — a
1588 limitation that x86-64 does not have, however. On systems
1589 supporting multiple ABIs at the same time — such as x86/x86-64 — it
1590 is hence recommended to limit the set of permitted system call
1591 architectures so that secondary ABIs may not be used to circumvent
1592 the restrictions applied to the native ABI of the system. In
1593 particular, setting SystemCallArchitectures=native is a good choice
1594 for disabling non-native ABIs.
1595
1596 System call architectures may also be restricted system-wide via
1597 the SystemCallArchitectures= option in the global configuration.
1598 See systemd-system.conf(5) for details.
1599
1601 Environment=
1602 Sets environment variables for executed processes. Takes a
1603 space-separated list of variable assignments. This option may be
1604 specified more than once, in which case all listed variables will
1605 be set. If the same variable is set twice, the later setting will
1606 override the earlier setting. If the empty string is assigned to
1607 this option, the list of environment variables is reset, all prior
1608 assignments have no effect. Variable expansion is not performed
1609 inside the strings, however, specifier expansion is possible. The $
1610 character has no special meaning. If you need to assign a value
1611 containing spaces or the equals sign to a variable, use double
1612 quotes (") for the assignment.
1613
1614 Example:
1615
1616 Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
1617
1618 gives three variables "VAR1", "VAR2", "VAR3" with the values "word1
1619 word2", "word3", "$word 5 6".
1620
1621 See environ(7) for details about environment variables.
1622
1623 Note that environment variables are not suitable for passing
1624 secrets (such as passwords, key material, ...) to service
1625 processes. Environment variables set for a unit are exposed to
1626 unprivileged clients via D-Bus IPC, and generally not understood as
1627 being data that requires protection. Moreover, environment
1628 variables are propagated down the process tree, including across
1629 security boundaries (such as setuid/setgid executables), and hence
1630 might leak to processes that should not have access to the secret
1631 data.
1632
1633 EnvironmentFile=
1634 Similar to Environment= but reads the environment variables from a
1635 text file. The text file should contain new-line-separated variable
1636 assignments. Empty lines, lines without an "=" separator, or lines
1637 starting with ; or # will be ignored, which may be used for
1638 commenting. A line ending with a backslash will be concatenated
1639 with the following one, allowing multiline variable definitions.
1640 The parser strips leading and trailing whitespace from the values
1641 of assignments, unless you use double quotes (").
1642
1643 The argument passed should be an absolute filename or wildcard
1644 expression, optionally prefixed with "-", which indicates that if
1645 the file does not exist, it will not be read and no error or
1646 warning message is logged. This option may be specified more than
1647 once in which case all specified files are read. If the empty
1648 string is assigned to this option, the list of file to read is
1649 reset, all prior assignments have no effect.
1650
1651 The files listed with this directive will be read shortly before
1652 the process is executed (more specifically, after all processes
1653 from a previous unit state terminated. This means you can generate
1654 these files in one unit state, and read it with this option in the
1655 next).
1656
1657 Settings from these files override settings made with Environment=.
1658 If the same variable is set twice from these files, the files will
1659 be read in the order they are specified and the later setting will
1660 override the earlier setting.
1661
1662 PassEnvironment=
1663 Pass environment variables set for the system service manager to
1664 executed processes. Takes a space-separated list of variable names.
1665 This option may be specified more than once, in which case all
1666 listed variables will be passed. If the empty string is assigned to
1667 this option, the list of environment variables to pass is reset,
1668 all prior assignments have no effect. Variables specified that are
1669 not set for the system manager will not be passed and will be
1670 silently ignored. Note that this option is only relevant for the
1671 system service manager, as system services by default do not
1672 automatically inherit any environment variables set for the service
1673 manager itself. However, in case of the user service manager all
1674 environment variables are passed to the executed processes anyway,
1675 hence this option is without effect for the user service manager.
1676
1677 Variables set for invoked processes due to this setting are subject
1678 to being overridden by those configured with Environment= or
1679 EnvironmentFile=.
1680
1681 Example:
1682
1683 PassEnvironment=VAR1 VAR2 VAR3
1684
1685 passes three variables "VAR1", "VAR2", "VAR3" with the values set
1686 for those variables in PID1.
1687
1688 See environ(7) for details about environment variables.
1689
1690 UnsetEnvironment=
1691 Explicitly unset environment variable assignments that would
1692 normally be passed from the service manager to invoked processes of
1693 this unit. Takes a space-separated list of variable names or
1694 variable assignments. This option may be specified more than once,
1695 in which case all listed variables/assignments will be unset. If
1696 the empty string is assigned to this option, the list of
1697 environment variables/assignments to unset is reset. If a variable
1698 assignment is specified (that is: a variable name, followed by "=",
1699 followed by its value), then any environment variable matching this
1700 precise assignment is removed. If a variable name is specified
1701 (that is a variable name without any following "=" or value), then
1702 any assignment matching the variable name, regardless of its value
1703 is removed. Note that the effect of UnsetEnvironment= is applied as
1704 final step when the environment list passed to executed processes
1705 is compiled. That means it may undo assignments from any
1706 configuration source, including assignments made through
1707 Environment= or EnvironmentFile=, inherited from the system
1708 manager's global set of environment variables, inherited via
1709 PassEnvironment=, set by the service manager itself (such as
1710 $NOTIFY_SOCKET and such), or set by a PAM module (in case PAMName=
1711 is used).
1712
1713 See environ(7) for details about environment variables.
1714
1716 StandardInput=
1717 Controls where file descriptor 0 (STDIN) of the executed processes
1718 is connected to. Takes one of null, tty, tty-force, tty-fail, data,
1719 file:path, socket or fd:name.
1720
1721 If null is selected, standard input will be connected to /dev/null,
1722 i.e. all read attempts by the process will result in immediate EOF.
1723
1724 If tty is selected, standard input is connected to a TTY (as
1725 configured by TTYPath=, see below) and the executed process becomes
1726 the controlling process of the terminal. If the terminal is already
1727 being controlled by another process, the executed process waits
1728 until the current controlling process releases the terminal.
1729
1730 tty-force is similar to tty, but the executed process is forcefully
1731 and immediately made the controlling process of the terminal,
1732 potentially removing previous controlling processes from the
1733 terminal.
1734
1735 tty-fail is similar to tty, but if the terminal already has a
1736 controlling process start-up of the executed process fails.
1737
1738 The data option may be used to configure arbitrary textual or
1739 binary data to pass via standard input to the executed process. The
1740 data to pass is configured via
1741 StandardInputText=/StandardInputData= (see below). Note that the
1742 actual file descriptor type passed (memory file, regular file, UNIX
1743 pipe, ...) might depend on the kernel and available privileges. In
1744 any case, the file descriptor is read-only, and when read returns
1745 the specified data followed by EOF.
1746
1747 The file:path option may be used to connect a specific file system
1748 object to standard input. An absolute path following the ":"
1749 character is expected, which may refer to a regular file, a FIFO or
1750 special file. If an AF_UNIX socket in the file system is specified,
1751 a stream socket is connected to it. The latter is useful for
1752 connecting standard input of processes to arbitrary system
1753 services.
1754
1755 The socket option is valid in socket-activated services only, and
1756 requires the relevant socket unit file (see systemd.socket(5) for
1757 details) to have Accept=yes set, or to specify a single socket
1758 only. If this option is set, standard input will be connected to
1759 the socket the service was activated from, which is primarily
1760 useful for compatibility with daemons designed for use with the
1761 traditional inetd(8) socket activation daemon.
1762
1763 The fd:name option connects standard input to a specific, named
1764 file descriptor provided by a socket unit. The name may be
1765 specified as part of this option, following a ":" character (e.g.
1766 "fd:foobar"). If no name is specified, the name "stdin" is implied
1767 (i.e. "fd" is equivalent to "fd:stdin"). At least one socket unit
1768 defining the specified name must be provided via the Sockets=
1769 option, and the file descriptor name may differ from the name of
1770 its containing socket unit. If multiple matches are found, the
1771 first one will be used. See FileDescriptorName= in
1772 systemd.socket(5) for more details about named file descriptors and
1773 their ordering.
1774
1775 This setting defaults to null.
1776
1777 Note that services which specify DefaultDependencies=no and use
1778 StandardInput= or StandardOutput= with tty/tty-force/tty-fail,
1779 should specify After=systemd-vconsole-setup.service, to make sure
1780 that the tty intialization is finished before they start.
1781
1782 StandardOutput=
1783 Controls where file descriptor 1 (STDOUT) of the executed processes
1784 is connected to. Takes one of inherit, null, tty, journal, syslog,
1785 kmsg, journal+console, syslog+console, kmsg+console, file:path,
1786 append:path, socket or fd:name.
1787
1788 inherit duplicates the file descriptor of standard input for
1789 standard output.
1790
1791 null connects standard output to /dev/null, i.e. everything written
1792 to it will be lost.
1793
1794 tty connects standard output to a tty (as configured via TTYPath=,
1795 see below). If the TTY is used for output only, the executed
1796 process will not become the controlling process of the terminal,
1797 and will not fail or wait for other processes to release the
1798 terminal.
1799
1800 journal connects standard output with the journal which is
1801 accessible via journalctl(1). Note that everything that is written
1802 to syslog or kmsg (see below) is implicitly stored in the journal
1803 as well, the specific two options listed below are hence supersets
1804 of this one.
1805
1806 syslog connects standard output to the syslog(3) system syslog
1807 service, in addition to the journal. Note that the journal daemon
1808 is usually configured to forward everything it receives to syslog
1809 anyway, in which case this option is no different from journal.
1810
1811 kmsg connects standard output with the kernel log buffer which is
1812 accessible via dmesg(1), in addition to the journal. The journal
1813 daemon might be configured to send all logs to kmsg anyway, in
1814 which case this option is no different from journal.
1815
1816 journal+console, syslog+console and kmsg+console work in a similar
1817 way as the three options above but copy the output to the system
1818 console as well.
1819
1820 The file:path option may be used to connect a specific file system
1821 object to standard output. The semantics are similar to the same
1822 option of StandardInput=, see above. If path refers to a regular
1823 file on the filesystem, it is opened (created if it doesn't exist
1824 yet) for writing at the beginning of the file, but without
1825 truncating it. If standard input and output are directed to the
1826 same file path, it is opened only once, for reading as well as
1827 writing and duplicated. This is particularly useful when the
1828 specified path refers to an AF_UNIX socket in the file system, as
1829 in that case only a single stream connection is created for both
1830 input and output.
1831
1832 append:path is similar to file:path above, but it opens the file in
1833 append mode.
1834
1835 socket connects standard output to a socket acquired via socket
1836 activation. The semantics are similar to the same option of
1837 StandardInput=, see above.
1838
1839 The fd:name option connects standard output to a specific, named
1840 file descriptor provided by a socket unit. A name may be specified
1841 as part of this option, following a ":" character (e.g.
1842 "fd:foobar"). If no name is specified, the name "stdout" is implied
1843 (i.e. "fd" is equivalent to "fd:stdout"). At least one socket unit
1844 defining the specified name must be provided via the Sockets=
1845 option, and the file descriptor name may differ from the name of
1846 its containing socket unit. If multiple matches are found, the
1847 first one will be used. See FileDescriptorName= in
1848 systemd.socket(5) for more details about named descriptors and
1849 their ordering.
1850
1851 If the standard output (or error output, see below) of a unit is
1852 connected to the journal, syslog or the kernel log buffer, the unit
1853 will implicitly gain a dependency of type After= on
1854 systemd-journald.socket (also see the "Implicit Dependencies"
1855 section above). Also note that in this case stdout (or stderr, see
1856 below) will be an AF_UNIX stream socket, and not a pipe or FIFO
1857 that can be re-opened. This means when executing shell scripts the
1858 construct echo "hello" > /dev/stderr for writing text to stderr
1859 will not work. To mitigate this use the construct echo "hello" >&2
1860 instead, which is mostly equivalent and avoids this pitfall.
1861
1862 This setting defaults to the value set with DefaultStandardOutput=
1863 in systemd-system.conf(5), which defaults to journal. Note that
1864 setting this parameter might result in additional dependencies to
1865 be added to the unit (see above).
1866
1867 StandardError=
1868 Controls where file descriptor 2 (STDERR) of the executed processes
1869 is connected to. The available options are identical to those of
1870 StandardOutput=, with some exceptions: if set to inherit the file
1871 descriptor used for standard output is duplicated for standard
1872 error, while fd:name will use a default file descriptor name of
1873 "stderr".
1874
1875 This setting defaults to the value set with DefaultStandardError=
1876 in systemd-system.conf(5), which defaults to inherit. Note that
1877 setting this parameter might result in additional dependencies to
1878 be added to the unit (see above).
1879
1880 StandardInputText=, StandardInputData=
1881 Configures arbitrary textual or binary data to pass via file
1882 descriptor 0 (STDIN) to the executed processes. These settings have
1883 no effect unless StandardInput= is set to data. Use this option to
1884 embed process input data directly in the unit file.
1885
1886 StandardInputText= accepts arbitrary textual data. C-style escapes
1887 for special characters as well as the usual "%"-specifiers are
1888 resolved. Each time this setting is used the specified text is
1889 appended to the per-unit data buffer, followed by a newline
1890 character (thus every use appends a new line to the end of the
1891 buffer). Note that leading and trailing whitespace of lines
1892 configured with this option is removed. If an empty line is
1893 specified the buffer is cleared (hence, in order to insert an empty
1894 line, add an additional "\n" to the end or beginning of a line).
1895
1896 StandardInputData= accepts arbitrary binary data, encoded in
1897 Base64[4]. No escape sequences or specifiers are resolved. Any
1898 whitespace in the encoded version is ignored during decoding.
1899
1900 Note that StandardInputText= and StandardInputData= operate on the
1901 same data buffer, and may be mixed in order to configure both
1902 binary and textual data for the same input stream. The textual or
1903 binary data is joined strictly in the order the settings appear in
1904 the unit file. Assigning an empty string to either will reset the
1905 data buffer.
1906
1907 Please keep in mind that in order to maintain readability long unit
1908 file settings may be split into multiple lines, by suffixing each
1909 line (except for the last) with a "\" character (see
1910 systemd.unit(5) for details). This is particularly useful for large
1911 data configured with these two options. Example:
1912
1913 ...
1914 StandardInput=data
1915 StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy4KSWNrIGtpZWtl \
1916 LCBzdGF1bmUsIHd1bmRyZSBtaXIsCnVmZiBlZW1hbCBqZWh0IHNlIHVmZiBkaWUgVMO8ci4KTmFu \
1917 dSwgZGVuayBpY2ssIGljayBkZW5rIG5hbnUhCkpldHogaXNzZSB1ZmYsIGVyc2NodCB3YXIgc2Ug \
1918 enUhCkljayBqZWhlIHJhdXMgdW5kIGJsaWNrZSDigJQKdW5kIHdlciBzdGVodCBkcmF1w59lbj8g \
1919 SWNrZSEK
1920 ...
1921
1922 LogLevelMax=
1923 Configures filtering by log level of log messages generated by this
1924 unit. Takes a syslog log level, one of emerg (lowest log level,
1925 only highest priority messages), alert, crit, err, warning, notice,
1926 info, debug (highest log level, also lowest priority messages). See
1927 syslog(3) for details. By default no filtering is applied (i.e. the
1928 default maximum log level is debug). Use this option to configure
1929 the logging system to drop log messages of a specific service above
1930 the specified level. For example, set LogLevelMax=info in order to
1931 turn off debug logging of a particularly chatty unit. Note that the
1932 configured level is applied to any log messages written by any of
1933 the processes belonging to this unit, sent via any supported
1934 logging protocol. The filtering is applied early in the logging
1935 pipeline, before any kind of further processing is done. Moreover,
1936 messages which pass through this filter successfully might still be
1937 dropped by filters applied at a later stage in the logging
1938 subsystem. For example, MaxLevelStore= configured in
1939 journald.conf(5) might prohibit messages of higher log levels to be
1940 stored on disk, even though the per-unit LogLevelMax= permitted it
1941 to be processed.
1942
1943 LogExtraFields=
1944 Configures additional log metadata fields to include in all log
1945 records generated by processes associated with this unit. This
1946 setting takes one or more journal field assignments in the format
1947 "FIELD=VALUE" separated by whitespace. See systemd.journal-
1948 fields(7) for details on the journal field concept. Even though the
1949 underlying journal implementation permits binary field values, this
1950 setting accepts only valid UTF-8 values. To include space
1951 characters in a journal field value, enclose the assignment in
1952 double quotes ("). The usual specifiers are expanded in all
1953 assignments (see below). Note that this setting is not only useful
1954 for attaching additional metadata to log records of a unit, but
1955 given that all fields and values are indexed may also be used to
1956 implement cross-unit log record matching. Assign an empty string to
1957 reset the list.
1958
1959 LogRateLimitIntervalSec=, LogRateLimitBurst=
1960 Configures the rate limiting that is applied to messages generated
1961 by this unit. If, in the time interval defined by
1962 LogRateLimitIntervalSec=, more messages than specified in
1963 LogRateLimitBurst= are logged by a service, all further messages
1964 within the interval are dropped until the interval is over. A
1965 message about the number of dropped messages is generated. The time
1966 specification for LogRateLimitIntervalSec= may be specified in the
1967 following units: "s", "min", "h", "ms", "us" (see systemd.time(7)
1968 for details). The default settings are set by RateLimitIntervalSec=
1969 and RateLimitBurst= configured in journald.conf(5).
1970
1971 SyslogIdentifier=
1972 Sets the process name ("syslog tag") to prefix log lines sent to
1973 the logging system or the kernel log buffer with. If not set,
1974 defaults to the process name of the executed process. This option
1975 is only useful when StandardOutput= or StandardError= are set to
1976 journal, syslog or kmsg (or to the same settings in combination
1977 with +console) and only applies to log messages written to stdout
1978 or stderr.
1979
1980 SyslogFacility=
1981 Sets the syslog facility identifier to use when logging. One of
1982 kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron,
1983 authpriv, ftp, local0, local1, local2, local3, local4, local5,
1984 local6 or local7. See syslog(3) for details. This option is only
1985 useful when StandardOutput= or StandardError= are set to journal,
1986 syslog or kmsg (or to the same settings in combination with
1987 +console), and only applies to log messages written to stdout or
1988 stderr. Defaults to daemon.
1989
1990 SyslogLevel=
1991 The default syslog log level to use when logging to the logging
1992 system or the kernel log buffer. One of emerg, alert, crit, err,
1993 warning, notice, info, debug. See syslog(3) for details. This
1994 option is only useful when StandardOutput= or StandardError= are
1995 set to journal, syslog or kmsg (or to the same settings in
1996 combination with +console), and only applies to log messages
1997 written to stdout or stderr. Note that individual lines output by
1998 executed processes may be prefixed with a different log level which
1999 can be used to override the default log level specified here. The
2000 interpretation of these prefixes may be disabled with
2001 SyslogLevelPrefix=, see below. For details, see sd-daemon(3).
2002 Defaults to info.
2003
2004 SyslogLevelPrefix=
2005 Takes a boolean argument. If true and StandardOutput= or
2006 StandardError= are set to journal, syslog or kmsg (or to the same
2007 settings in combination with +console), log lines written by the
2008 executed process that are prefixed with a log level will be
2009 processed with this log level set but the prefix removed. If set to
2010 false, the interpretation of these prefixes is disabled and the
2011 logged lines are passed on as-is. This only applies to log messages
2012 written to stdout or stderr. For details about this prefixing see
2013 sd-daemon(3). Defaults to true.
2014
2015 TTYPath=
2016 Sets the terminal device node to use if standard input, output, or
2017 error are connected to a TTY (see above). Defaults to /dev/console.
2018
2019 TTYReset=
2020 Reset the terminal device specified with TTYPath= before and after
2021 execution. Defaults to "no".
2022
2023 TTYVHangup=
2024 Disconnect all clients which have opened the terminal device
2025 specified with TTYPath= before and after execution. Defaults to
2026 "no".
2027
2028 TTYVTDisallocate=
2029 If the terminal device specified with TTYPath= is a virtual console
2030 terminal, try to deallocate the TTY before and after execution.
2031 This ensures that the screen and scrollback buffer is cleared.
2032 Defaults to "no".
2033
2035 UtmpIdentifier=
2036 Takes a four character identifier string for an utmp(5) and wtmp
2037 entry for this service. This should only be set for services such
2038 as getty implementations (such as agetty(8)) where utmp/wtmp
2039 entries must be created and cleared before and after execution, or
2040 for services that shall be executed as if they were run by a getty
2041 process (see below). If the configured string is longer than four
2042 characters, it is truncated and the terminal four characters are
2043 used. This setting interprets %I style string replacements. This
2044 setting is unset by default, i.e. no utmp/wtmp entries are created
2045 or cleaned up for this service.
2046
2047 UtmpMode=
2048 Takes one of "init", "login" or "user". If UtmpIdentifier= is set,
2049 controls which type of utmp(5)/wtmp entries for this service are
2050 generated. This setting has no effect unless UtmpIdentifier= is set
2051 too. If "init" is set, only an INIT_PROCESS entry is generated and
2052 the invoked process must implement a getty-compatible utmp/wtmp
2053 logic. If "login" is set, first an INIT_PROCESS entry, followed by
2054 a LOGIN_PROCESS entry is generated. In this case, the invoked
2055 process must implement a login(1)-compatible utmp/wtmp logic. If
2056 "user" is set, first an INIT_PROCESS entry, then a LOGIN_PROCESS
2057 entry and finally a USER_PROCESS entry is generated. In this case,
2058 the invoked process may be any process that is suitable to be run
2059 as session leader. Defaults to "init".
2060
2062 Processes started by the service manager are executed with an
2063 environment variable block assembled from multiple sources. Processes
2064 started by the system service manager generally do not inherit
2065 environment variables set for the service manager itself (but this may
2066 be altered via PassEnvironment=), but processes started by the user
2067 service manager instances generally do inherit all environment
2068 variables set for the service manager itself.
2069
2070 For each invoked process the list of environment variables set is
2071 compiled from the following sources:
2072
2073 · Variables globally configured for the service manager, using the
2074 DefaultEnvironment= setting in systemd-system.conf(5), the kernel
2075 command line option systemd.setenv= (see systemd(1)) or via
2076 systemctl set-environment (see systemctl(1)).
2077
2078 · Variables defined by the service manager itself (see the list
2079 below)
2080
2081 · Variables set in the service manager's own environment variable
2082 block (subject to PassEnvironment= for the system service manager)
2083
2084 · Variables set via Environment= in the unit file
2085
2086 · Variables read from files specified via EnvironmentFile= in the
2087 unit file
2088
2089 · Variables set by any PAM modules in case PAMName= is in effect,
2090 cf. pam_env(8)
2091
2092 If the same environment variables are set by multiple of these sources,
2093 the later source — according to the order of the list above — wins.
2094 Note that as final step all variables listed in UnsetEnvironment= are
2095 removed again from the compiled environment variable list, immediately
2096 before it is passed to the executed process.
2097
2098 The following select environment variables are set or propagated by the
2099 service manager for each invoked process:
2100
2101 $PATH
2102 Colon-separated list of directories to use when launching
2103 executables. systemd uses a fixed value of
2104 /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.
2105
2106 $LANG
2107 Locale. Can be set in locale.conf(5) or on the kernel command line
2108 (see systemd(1) and kernel-command-line(7)).
2109
2110 $USER, $LOGNAME, $HOME, $SHELL
2111 User name (twice), home directory, and the login shell. The
2112 variables are set for the units that have User= set, which includes
2113 user systemd instances. See passwd(5).
2114
2115 $INVOCATION_ID
2116 Contains a randomized, unique 128bit ID identifying each runtime
2117 cycle of the unit, formatted as 32 character hexadecimal string. A
2118 new ID is assigned each time the unit changes from an inactive
2119 state into an activating or active state, and may be used to
2120 identify this specific runtime cycle, in particular in data stored
2121 offline, such as the journal. The same ID is passed to all
2122 processes run as part of the unit.
2123
2124 $XDG_RUNTIME_DIR
2125 The directory to use for runtime objects (such as IPC objects) and
2126 volatile state. Set for all services run by the user systemd
2127 instance, as well as any system services that use PAMName= with a
2128 PAM stack that includes pam_systemd. See below and pam_systemd(8)
2129 for more information.
2130
2131 $MAINPID
2132 The PID of the unit's main process if it is known. This is only set
2133 for control processes as invoked by ExecReload= and similar.
2134
2135 $MANAGERPID
2136 The PID of the user systemd instance, set for processes spawned by
2137 it.
2138
2139 $LISTEN_FDS, $LISTEN_PID, $LISTEN_FDNAMES
2140 Information about file descriptors passed to a service for socket
2141 activation. See sd_listen_fds(3).
2142
2143 $NOTIFY_SOCKET
2144 The socket sd_notify() talks to. See sd_notify(3).
2145
2146 $WATCHDOG_PID, $WATCHDOG_USEC
2147 Information about watchdog keep-alive notifications. See
2148 sd_watchdog_enabled(3).
2149
2150 $TERM
2151 Terminal type, set only for units connected to a terminal
2152 (StandardInput=tty, StandardOutput=tty, or StandardError=tty). See
2153 termcap(5).
2154
2155 $JOURNAL_STREAM
2156 If the standard output or standard error output of the executed
2157 processes are connected to the journal (for example, by setting
2158 StandardError=journal) $JOURNAL_STREAM contains the device and
2159 inode numbers of the connection file descriptor, formatted in
2160 decimal, separated by a colon (":"). This permits invoked processes
2161 to safely detect whether their standard output or standard error
2162 output are connected to the journal. The device and inode numbers
2163 of the file descriptors should be compared with the values set in
2164 the environment variable to determine whether the process output is
2165 still connected to the journal. Note that it is generally not
2166 sufficient to only check whether $JOURNAL_STREAM is set at all as
2167 services might invoke external processes replacing their standard
2168 output or standard error output, without unsetting the environment
2169 variable.
2170
2171 If both standard output and standard error of the executed
2172 processes are connected to the journal via a stream socket, this
2173 environment variable will contain information about the standard
2174 error stream, as that's usually the preferred destination for log
2175 data. (Note that typically the same stream is used for both
2176 standard output and standard error, hence very likely the
2177 environment variable contains device and inode information matching
2178 both stream file descriptors.)
2179
2180 This environment variable is primarily useful to allow services to
2181 optionally upgrade their used log protocol to the native journal
2182 protocol (using sd_journal_print(3) and other functions) if their
2183 standard output or standard error output is connected to the
2184 journal anyway, thus enabling delivery of structured metadata along
2185 with logged messages.
2186
2187 $SERVICE_RESULT
2188 Only defined for the service unit type, this environment variable
2189 is passed to all ExecStop= and ExecStopPost= processes, and encodes
2190 the service "result". Currently, the following values are defined:
2191
2192 Table 4. Defined $SERVICE_RESULT values
2193 ┌──────────────────┬────────────────────────────┐
2194 │Value │ Meaning │
2195 ├──────────────────┼────────────────────────────┤
2196 │"success" │ The service ran │
2197 │ │ successfully and exited │
2198 │ │ cleanly. │
2199 ├──────────────────┼────────────────────────────┤
2200 │"protocol" │ A protocol violation │
2201 │ │ occurred: the service did │
2202 │ │ not take the steps │
2203 │ │ required by its unit │
2204 │ │ configuration │
2205 │ │ (specifically what is │
2206 │ │ configured in its Type= │
2207 │ │ setting). │
2208 ├──────────────────┼────────────────────────────┤
2209 │"timeout" │ One of the steps timed │
2210 │ │ out. │
2211 ├──────────────────┼────────────────────────────┤
2212 │"exit-code" │ Service process exited │
2213 │ │ with a non-zero exit code; │
2214 │ │ see $EXIT_CODE below for │
2215 │ │ the actual exit code │
2216 │ │ returned. │
2217 ├──────────────────┼────────────────────────────┤
2218 │"signal" │ A service process was │
2219 │ │ terminated abnormally by a │
2220 │ │ signal, without dumping │
2221 │ │ core. See $EXIT_CODE below │
2222 │ │ for the actual signal │
2223 │ │ causing the termination. │
2224 ├──────────────────┼────────────────────────────┤
2225 │"core-dump" │ A service process │
2226 │ │ terminated abnormally with │
2227 │ │ a signal and dumped core. │
2228 │ │ See $EXIT_CODE below for │
2229 │ │ the signal causing the │
2230 │ │ termination. │
2231 ├──────────────────┼────────────────────────────┤
2232 │"watchdog" │ Watchdog keep-alive ping │
2233 │ │ was enabled for the │
2234 │ │ service, but the deadline │
2235 │ │ was missed. │
2236 ├──────────────────┼────────────────────────────┤
2237 │"start-limit-hit" │ A start limit was defined │
2238 │ │ for the unit and it was │
2239 │ │ hit, causing the unit to │
2240 │ │ fail to start. See │
2241 │ │ systemd.unit(5)'s │
2242 │ │ StartLimitIntervalSec= and │
2243 │ │ StartLimitBurst= for │
2244 │ │ details. │
2245 ├──────────────────┼────────────────────────────┤
2246 │"resources" │ A catch-all condition in │
2247 │ │ case a system operation │
2248 │ │ failed. │
2249 └──────────────────┴────────────────────────────┘
2250 This environment variable is useful to monitor failure or
2251 successful termination of a service. Even though this variable is
2252 available in both ExecStop= and ExecStopPost=, it is usually a
2253 better choice to place monitoring tools in the latter, as the
2254 former is only invoked for services that managed to start up
2255 correctly, and the latter covers both services that failed during
2256 their start-up and those which failed during their runtime.
2257
2258 $EXIT_CODE, $EXIT_STATUS
2259 Only defined for the service unit type, these environment variables
2260 are passed to all ExecStop=, ExecStopPost= processes and contain
2261 exit status/code information of the main process of the service.
2262 For the precise definition of the exit code and status, see
2263 wait(2). $EXIT_CODE is one of "exited", "killed", "dumped".
2264 $EXIT_STATUS contains the numeric exit code formatted as string if
2265 $EXIT_CODE is "exited", and the signal name in all other cases.
2266 Note that these environment variables are only set if the service
2267 manager succeeded to start and identify the main process of the
2268 service.
2269
2270 Table 5. Summary of possible service result variable values
2271 ┌──────────────────┬──────────────────┬─────────────────────┐
2272 │$SERVICE_RESULT │ $EXIT_CODE │ $EXIT_STATUS │
2273 ├──────────────────┼──────────────────┼─────────────────────┤
2274 │"success" │ "exited" │ "0" │
2275 ├──────────────────┼──────────────────┼─────────────────────┤
2276 │"protocol" │ not set │ not set │
2277 │ ├──────────────────┼─────────────────────┤
2278 │ │ "exited" │ "0" │
2279 ├──────────────────┼──────────────────┼─────────────────────┤
2280 │"timeout" │ "killed" │ "TERM", "KILL" │
2281 │ ├──────────────────┼─────────────────────┤
2282 │ │ "exited" │ "0", "1", "2", "3", │
2283 │ │ │ ..., "255" │
2284 ├──────────────────┼──────────────────┼─────────────────────┤
2285 │"exit-code" │ "exited" │ "1", "2", "3", ..., │
2286 │ │ │ "255" │
2287 ├──────────────────┼──────────────────┼─────────────────────┤
2288 │"signal" │ "killed" │ "HUP", "INT", │
2289 │ │ │ "KILL", ... │
2290 ├──────────────────┼──────────────────┼─────────────────────┤
2291 │"core-dump" │ "dumped" │ "ABRT", "SEGV", │
2292 │ │ │ "QUIT", ... │
2293 ├──────────────────┼──────────────────┼─────────────────────┤
2294 │"watchdog" │ "dumped" │ "ABRT" │
2295 │ ├──────────────────┼─────────────────────┤
2296 │ │ "killed" │ "TERM", "KILL" │
2297 │ ├──────────────────┼─────────────────────┤
2298 │ │ "exited" │ "0", "1", "2", "3", │
2299 │ │ │ ..., "255" │
2300 ├──────────────────┼──────────────────┼─────────────────────┤
2301 │"start-limit-hit" │ not set │ not set │
2302 ├──────────────────┼──────────────────┼─────────────────────┤
2303 │"resources" │ any of the above │ any of the above │
2304 ├──────────────────┴──────────────────┴─────────────────────┤
2305 │Note: the process may be also terminated by a signal not │
2306 │sent by systemd. In particular the process may send an │
2307 │arbitrary signal to itself in a handler for any of the │
2308 │non-maskable signals. Nevertheless, in the "timeout" and │
2309 │"watchdog" rows above only the signals that systemd sends │
2310 │have been included. Moreover, using SuccessExitStatus= │
2311 │additional exit statuses may be declared to indicate clean │
2312 │termination, which is not reflected by this table. │
2313 └───────────────────────────────────────────────────────────┘
2314
2315 For system services, when PAMName= is enabled and pam_systemd is part
2316 of the selected PAM stack, additional environment variables defined by
2317 systemd may be set for services. Specifically, these are $XDG_SEAT,
2318 $XDG_VTNR, see pam_systemd(8) for details.
2319
2321 When invoking a unit process the service manager possibly fails to
2322 apply the execution parameters configured with the settings above. In
2323 that case the already created service process will exit with a non-zero
2324 exit code before the configured command line is executed. (Or in other
2325 words, the child process possibly exits with these error codes, after
2326 having been created by the fork(2) system call, but before the matching
2327 execve(2) system call is called.) Specifically, exit codes defined by
2328 the C library, by the LSB specification and by the systemd service
2329 manager itself are used.
2330
2331 The following basic service exit codes are defined by the C library.
2332
2333 Table 6. Basic C library exit codes
2334 ┌──────────┬───────────────┬────────────────────┐
2335 │Exit Code │ Symbolic Name │ Description │
2336 ├──────────┼───────────────┼────────────────────┤
2337 │0 │ EXIT_SUCCESS │ Generic success │
2338 │ │ │ code. │
2339 ├──────────┼───────────────┼────────────────────┤
2340 │1 │ EXIT_FAILURE │ Generic failure or │
2341 │ │ │ unspecified error. │
2342 └──────────┴───────────────┴────────────────────┘
2343
2344 The following service exit codes are defined by the LSB
2345 specification[5].
2346
2347 Table 7. LSB service exit codes
2348 ┌──────────┬──────────────────────┬────────────────────┐
2349 │Exit Code │ Symbolic Name │ Description │
2350 ├──────────┼──────────────────────┼────────────────────┤
2351 │2 │ EXIT_INVALIDARGUMENT │ Invalid or excess │
2352 │ │ │ arguments. │
2353 ├──────────┼──────────────────────┼────────────────────┤
2354 │3 │ EXIT_NOTIMPLEMENTED │ Unimplemented │
2355 │ │ │ feature. │
2356 ├──────────┼──────────────────────┼────────────────────┤
2357 │4 │ EXIT_NOPERMISSION │ The user has │
2358 │ │ │ insufficient │
2359 │ │ │ privileges. │
2360 ├──────────┼──────────────────────┼────────────────────┤
2361 │5 │ EXIT_NOTINSTALLED │ The program is not │
2362 │ │ │ installed. │
2363 ├──────────┼──────────────────────┼────────────────────┤
2364 │6 │ EXIT_NOTCONFIGURED │ The program is not │
2365 │ │ │ configured. │
2366 ├──────────┼──────────────────────┼────────────────────┤
2367 │7 │ EXIT_NOTRUNNING │ The program is not │
2368 │ │ │ running. │
2369 └──────────┴──────────────────────┴────────────────────┘
2370
2371 The LSB specification suggests that error codes 200 and above are
2372 reserved for implementations. Some of them are used by the service
2373 manager to indicate problems during process invocation:
2374
2375 Table 8. systemd-specific exit codes
2376 ┌──────────┬──────────────────────────────┬─────────────────────────────────────────────┐
2377 │Exit Code │ Symbolic Name │ Description │
2378 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2379 │200 │ EXIT_CHDIR │ Changing to the │
2380 │ │ │ requested working │
2381 │ │ │ directory failed. │
2382 │ │ │ See │
2383 │ │ │ WorkingDirectory= │
2384 │ │ │ above. │
2385 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2386 │201 │ EXIT_NICE │ Failed to set up │
2387 │ │ │ process scheduling │
2388 │ │ │ priority (nice │
2389 │ │ │ level). See Nice= │
2390 │ │ │ above. │
2391 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2392 │202 │ EXIT_FDS │ Failed to close │
2393 │ │ │ unwanted file │
2394 │ │ │ descriptors, or to │
2395 │ │ │ adjust passed file │
2396 │ │ │ descriptors. │
2397 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2398 │203 │ EXIT_EXEC │ The actual process │
2399 │ │ │ execution failed │
2400 │ │ │ (specifically, the │
2401 │ │ │ execve(2) system │
2402 │ │ │ call). Most likely │
2403 │ │ │ this is caused by a │
2404 │ │ │ missing or │
2405 │ │ │ non-accessible │
2406 │ │ │ executable file. │
2407 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2408 │204 │ EXIT_MEMORY │ Failed to perform │
2409 │ │ │ an action due to │
2410 │ │ │ memory shortage. │
2411 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2412 │205 │ EXIT_LIMITS │ Failed to adjust │
2413 │ │ │ resource limits. │
2414 │ │ │ See LimitCPU= and │
2415 │ │ │ related settings │
2416 │ │ │ above. │
2417 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2418 │206 │ EXIT_OOM_ADJUST │ Failed to adjust │
2419 │ │ │ the OOM setting. │
2420 │ │ │ See OOMScoreAdjust= │
2421 │ │ │ above. │
2422 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2423 │207 │ EXIT_SIGNAL_MASK │ Failed to set │
2424 │ │ │ process signal │
2425 │ │ │ mask. │
2426 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2427 │208 │ EXIT_STDIN │ Failed to set up │
2428 │ │ │ standard input. See │
2429 │ │ │ StandardInput= │
2430 │ │ │ above. │
2431 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2432 │209 │ EXIT_STDOUT │ Failed to set up │
2433 │ │ │ standard output. │
2434 │ │ │ See StandardOutput= │
2435 │ │ │ above. │
2436 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2437 │210 │ EXIT_CHROOT │ Failed to change │
2438 │ │ │ root directory │
2439 │ │ │ (chroot(2)). See │
2440 │ │ │ RootDirectory=/RootImage= │
2441 │ │ │ above. │
2442 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2443 │211 │ EXIT_IOPRIO │ Failed to set up IO │
2444 │ │ │ scheduling priority. See │
2445 │ │ │ IOSchedulingClass=/IOSchedulingPriority= │
2446 │ │ │ above. │
2447 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2448 │212 │ EXIT_TIMERSLACK │ Failed to set up timer slack. See │
2449 │ │ │ TimerSlackNSec= above. │
2450 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2451 │213 │ EXIT_SECUREBITS │ Failed to set process secure bits. See │
2452 │ │ │ SecureBits= above. │
2453 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2454 │214 │ EXIT_SETSCHEDULER │ Failed to set up CPU scheduling. See │
2455 │ │ │ CPUSchedulingPolicy=/CPUSchedulingPriority= │
2456 │ │ │ above. │
2457 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2458 │215 │ EXIT_CPUAFFINITY │ Failed to set up CPU affinity. See │
2459 │ │ │ CPUAffinity= above. │
2460 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2461 │216 │ EXIT_GROUP │ Failed to determine or change group │
2462 │ │ │ credentials. See │
2463 │ │ │ Group=/SupplementaryGroups= above. │
2464 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2465 │217 │ EXIT_USER │ Failed to determine or change user │
2466 │ │ │ credentials, or to set up user namespacing. │
2467 │ │ │ See User=/PrivateUsers= above. │
2468 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2469 │218 │ EXIT_CAPABILITIES │ Failed to drop capabilities, or apply │
2470 │ │ │ ambient capabilities. See │
2471 │ │ │ CapabilityBoundingSet=/AmbientCapabilities= │
2472 │ │ │ above. │
2473 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2474 │219 │ EXIT_CGROUP │ Setting up the service control group │
2475 │ │ │ failed. │
2476 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2477 │220 │ EXIT_SETSID │ Failed to create new process session. │
2478 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2479 │221 │ EXIT_CONFIRM │ Execution has been cancelled by the user. │
2480 │ │ │ See the systemd.confirm_spawn= kernel │
2481 │ │ │ command line setting on kernel-command- │
2482 │ │ │ line(7) for details. │
2483 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2484 │222 │ EXIT_STDERR │ Failed to set up standard error output. See │
2485 │ │ │ StandardError= above. │
2486 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2487 │224 │ EXIT_PAM │ Failed to set up PAM session. See PAMName= │
2488 │ │ │ above. │
2489 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2490 │225 │ EXIT_NETWORK │ Failed to set up network namespacing. See │
2491 │ │ │ PrivateNetwork= above. │
2492 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2493 │226 │ EXIT_NAMESPACE │ Failed to set up mount namespacing. See │
2494 │ │ │ ReadOnlyPaths= and related settings above. │
2495 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2496 │227 │ EXIT_NO_NEW_PRIVILEGES │ Failed to disable new privileges. See │
2497 │ │ │ NoNewPrivileges=yes above. │
2498 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2499 │228 │ EXIT_SECCOMP │ Failed to apply system call filters. See │
2500 │ │ │ SystemCallFilter= and related settings │
2501 │ │ │ above. │
2502 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2503 │229 │ EXIT_SELINUX_CONTEXT │ Determining or changing SELinux context │
2504 │ │ │ failed. See SELinuxContext= above. │
2505 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2506 │230 │ EXIT_PERSONALITY │ Failed to set up an execution domain │
2507 │ │ │ (personality). See Personality= above. │
2508 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2509 │231 │ EXIT_APPARMOR_PROFILE │ Failed to prepare changing AppArmor │
2510 │ │ │ profile. See AppArmorProfile= above. │
2511 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2512 │232 │ EXIT_ADDRESS_FAMILIES │ Failed to restrict address families. See │
2513 │ │ │ RestrictAddressFamilies= above. │
2514 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2515 │233 │ EXIT_RUNTIME_DIRECTORY │ Setting up runtime directory failed. See │
2516 │ │ │ RuntimeDirectory= and related settings │
2517 │ │ │ above. │
2518 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2519 │235 │ EXIT_CHOWN │ Failed to adjust socket ownership. Used for │
2520 │ │ │ socket units only. │
2521 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2522 │236 │ EXIT_SMACK_PROCESS_LABEL │ Failed to set SMACK label. See │
2523 │ │ │ SmackProcessLabel= above. │
2524 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2525 │237 │ EXIT_KEYRING │ Failed to set up kernel keyring. │
2526 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2527 │238 │ EXIT_STATE_DIRECTORY │ Failed to set up unit's state directory. │
2528 │ │ │ See StateDirectory= above. │
2529 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2530 │239 │ EXIT_CACHE_DIRECTORY │ Failed to set up unit's cache directory. │
2531 │ │ │ See CacheDirectory= above. │
2532 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2533 │240 │ EXIT_LOGS_DIRECTORY │ Failed to set up unit's logging directory. │
2534 │ │ │ See LogsDirectory= above. │
2535 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
2536 │241 │ EXIT_CONFIGURATION_DIRECTORY │ Failed to set up unit's configuration │
2537 │ │ │ directory. See ConfigurationDirectory= │
2538 │ │ │ above. │
2539 └──────────┴──────────────────────────────┴─────────────────────────────────────────────┘
2540
2541 Finally, the BSD operating systems define a set of exit codes,
2542 typically defined on Linux systems too:
2543
2544 Table 9. BSD exit codes
2545 ┌──────────┬────────────────┬─────────────────────┐
2546 │Exit Code │ Symbolic Name │ Description │
2547 ├──────────┼────────────────┼─────────────────────┤
2548 │64 │ EX_USAGE │ Command line usage │
2549 │ │ │ error │
2550 ├──────────┼────────────────┼─────────────────────┤
2551 │65 │ EX_DATAERR │ Data format error │
2552 ├──────────┼────────────────┼─────────────────────┤
2553 │66 │ EX_NOINPUT │ Cannot open input │
2554 ├──────────┼────────────────┼─────────────────────┤
2555 │67 │ EX_NOUSER │ Addressee unknown │
2556 ├──────────┼────────────────┼─────────────────────┤
2557 │68 │ EX_NOHOST │ Host name unknown │
2558 ├──────────┼────────────────┼─────────────────────┤
2559 │69 │ EX_UNAVAILABLE │ Service unavailable │
2560 ├──────────┼────────────────┼─────────────────────┤
2561 │70 │ EX_SOFTWARE │ internal software │
2562 │ │ │ error │
2563 ├──────────┼────────────────┼─────────────────────┤
2564 │71 │ EX_OSERR │ System error (e.g., │
2565 │ │ │ can't fork) │
2566 ├──────────┼────────────────┼─────────────────────┤
2567 │72 │ EX_OSFILE │ Critical OS file │
2568 │ │ │ missing │
2569 ├──────────┼────────────────┼─────────────────────┤
2570 │73 │ EX_CANTCREAT │ Can't create (user) │
2571 │ │ │ output file │
2572 ├──────────┼────────────────┼─────────────────────┤
2573 │74 │ EX_IOERR │ Input/output error │
2574 ├──────────┼────────────────┼─────────────────────┤
2575 │75 │ EX_TEMPFAIL │ Temporary failure; │
2576 │ │ │ user is invited to │
2577 │ │ │ retry │
2578 ├──────────┼────────────────┼─────────────────────┤
2579 │76 │ EX_PROTOCOL │ Remote error in │
2580 │ │ │ protocol │
2581 ├──────────┼────────────────┼─────────────────────┤
2582 │77 │ EX_NOPERM │ Permission denied │
2583 ├──────────┼────────────────┼─────────────────────┤
2584 │78 │ EX_CONFIG │ Configuration error │
2585 └──────────┴────────────────┴─────────────────────┘
2586
2588 systemd(1), systemctl(1), systemd-analyze(1), journalctl(1), systemd-
2589 system.conf(5), systemd.unit(5), systemd.service(5), systemd.socket(5),
2590 systemd.swap(5), systemd.mount(5), systemd.kill(5), systemd.resource-
2591 control(5), systemd.time(7), systemd.directives(7), tmpfiles.d(5),
2592 exec(3)
2593
2595 1. Discoverable Partitions Specification
2596 https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/
2597
2598 2. No New Privileges Flag
2599 https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html
2600
2601 3. proc.txt
2602 https://www.kernel.org/doc/Documentation/filesystems/proc.txt
2603
2604 4. Base64
2605 https://tools.ietf.org/html/rfc2045#section-6.8
2606
2607 5. LSB specification
2608 https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
2609
2610
2611
2612systemd 241 SYSTEMD.EXEC(5)