1SYSTEMD.EXEC(5) systemd.exec SYSTEMD.EXEC(5)
2
3
4
6 systemd.exec - Execution environment configuration
7
9 service.service, socket.socket, mount.mount, swap.swap
10
12 Unit configuration files for services, sockets, mount points, and swap
13 devices share a subset of configuration options which define the
14 execution environment of spawned processes.
15
16 This man page lists the configuration options shared by these four unit
17 types. See systemd.unit(5) for the common options of all unit
18 configuration files, and systemd.service(5), systemd.socket(5),
19 systemd.swap(5), and systemd.mount(5) for more information on the
20 specific unit configuration files. The execution specific configuration
21 options are configured in the [Service], [Socket], [Mount], or [Swap]
22 sections, depending on the unit type.
23
24 In addition, options which control resources through Linux Control
25 Groups (cgroups) are listed in systemd.resource-control(5). Those
26 options complement options listed here.
27
29 A few execution parameters result in additional, automatic dependencies
30 to be added:
31
32 • Units with WorkingDirectory=, RootDirectory=, RootImage=,
33 RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=
34 or ConfigurationDirectory= set automatically gain dependencies of
35 type Requires= and After= on all mount units required to access the
36 specified paths. This is equivalent to having them listed
37 explicitly in RequiresMountsFor=.
38
39 • Similarly, units with PrivateTmp= enabled automatically get mount
40 unit dependencies for all mounts required to access /tmp/ and
41 /var/tmp/. They will also gain an automatic After= dependency on
42 systemd-tmpfiles-setup.service(8).
43
44 • Units whose standard output or error output is connected to journal
45 or kmsg (or their combinations with console output, see below)
46 automatically acquire dependencies of type After= on
47 systemd-journald.socket.
48
49 • Units using LogNamespace= will automatically gain ordering and
50 requirement dependencies on the two socket units associated with
51 systemd-journald@.service instances.
52
54 The following settings may be used to change a service's view of the
55 filesystem. Please note that the paths must be absolute and must not
56 contain a ".." path component.
57
58 WorkingDirectory=
59 Takes a directory path relative to the service's root directory
60 specified by RootDirectory=, or the special value "~". Sets the
61 working directory for executed processes. If set to "~", the home
62 directory of the user specified in User= is used. If not set,
63 defaults to the root directory when systemd is running as a system
64 instance and the respective user's home directory if run as user.
65 If the setting is prefixed with the "-" character, a missing
66 working directory is not considered fatal. If
67 RootDirectory=/RootImage= is not set, then WorkingDirectory= is
68 relative to the root of the system running the service manager.
69 Note that setting this parameter might result in additional
70 dependencies to be added to the unit (see above).
71
72 RootDirectory=
73 Takes a directory path relative to the host's root directory (i.e.
74 the root of the system running the service manager). Sets the root
75 directory for executed processes, with the chroot(2) system call.
76 If this is used, it must be ensured that the process binary and all
77 its auxiliary files are available in the chroot() jail. Note that
78 setting this parameter might result in additional dependencies to
79 be added to the unit (see above).
80
81 The MountAPIVFS= and PrivateUsers= settings are particularly useful
82 in conjunction with RootDirectory=. For details, see below.
83
84 If RootDirectory=/RootImage= are used together with NotifyAccess=
85 the notification socket is automatically mounted from the host into
86 the root environment, to ensure the notification interface can work
87 correctly.
88
89 Note that services using RootDirectory=/RootImage= will not be able
90 to log via the syslog or journal protocols to the host logging
91 infrastructure, unless the relevant sockets are mounted from the
92 host, specifically:
93
94 Example 1. Mounting logging sockets into root environment
95
96 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
97
98 This option is only available for system services and is not
99 supported for services running in per-user instances of the service
100 manager.
101
102 RootImage=
103 Takes a path to a block device node or regular file as argument.
104 This call is similar to RootDirectory= however mounts a file system
105 hierarchy from a block device node or loopback file instead of a
106 directory. The device node or file system image file needs to
107 contain a file system without a partition table, or a file system
108 within an MBR/MS-DOS or GPT partition table with only a single
109 Linux-compatible partition, or a set of file systems within a GPT
110 partition table that follows the Discoverable Partitions
111 Specification[1].
112
113 When DevicePolicy= is set to "closed" or "strict", or set to "auto"
114 and DeviceAllow= is set, then this setting adds /dev/loop-control
115 with rw mode, "block-loop" and "block-blkext" with rwm mode to
116 DeviceAllow=. See systemd.resource-control(5) for the details about
117 DevicePolicy= or DeviceAllow=. Also, see PrivateDevices= below, as
118 it may change the setting of DevicePolicy=.
119
120 Units making use of RootImage= automatically gain an After=
121 dependency on systemd-udevd.service.
122
123 This option is only available for system services and is not
124 supported for services running in per-user instances of the service
125 manager.
126
127 RootImageOptions=
128 Takes a comma-separated list of mount options that will be used on
129 disk images specified by RootImage=. Optionally a partition name
130 can be prefixed, followed by colon, in case the image has multiple
131 partitions, otherwise partition name "root" is implied. Options for
132 multiple partitions can be specified in a single line with space
133 separators. Assigning an empty string removes previous assignments.
134 Duplicated options are ignored. For a list of valid mount options,
135 please refer to mount(8).
136
137 Valid partition names follow the Discoverable Partitions
138 Specification[1]: root, usr, home, srv, esp, xbootldr, tmp, var.
139
140 This option is only available for system services and is not
141 supported for services running in per-user instances of the service
142 manager.
143
144 RootHash=
145 Takes a data integrity (dm-verity) root hash specified in
146 hexadecimal, or the path to a file containing a root hash in ASCII
147 hexadecimal format. This option enables data integrity checks using
148 dm-verity, if the used image contains the appropriate integrity
149 data (see above) or if RootVerity= is used. The specified hash must
150 match the root hash of integrity data, and is usually at least 256
151 bits (and hence 64 formatted hexadecimal characters) long (in case
152 of SHA256 for example). If this option is not specified, but the
153 image file carries the "user.verity.roothash" extended file
154 attribute (see xattr(7)), then the root hash is read from it, also
155 as formatted hexadecimal characters. If the extended file attribute
156 is not found (or is not supported by the underlying file system),
157 but a file with the .roothash suffix is found next to the image
158 file, bearing otherwise the same name (except if the image has the
159 .raw suffix, in which case the root hash file must not have it in
160 its name), the root hash is read from it and automatically used,
161 also as formatted hexadecimal characters.
162
163 If the disk image contains a separate /usr/ partition it may also
164 be Verity protected, in which case the root hash may configured via
165 an extended attribute "user.verity.usrhash" or a .usrhash file
166 adjacent to the disk image. There's currently no option to
167 configure the root hash for the /usr/ file system via the unit file
168 directly.
169
170 This option is only available for system services and is not
171 supported for services running in per-user instances of the service
172 manager.
173
174 RootHashSignature=
175 Takes a PKCS7 signature of the RootHash= option as a path to a
176 DER-encoded signature file, or as an ASCII base64 string encoding
177 of a DER-encoded signature prefixed by "base64:". The dm-verity
178 volume will only be opened if the signature of the root hash is
179 valid and signed by a public key present in the kernel keyring. If
180 this option is not specified, but a file with the .roothash.p7s
181 suffix is found next to the image file, bearing otherwise the same
182 name (except if the image has the .raw suffix, in which case the
183 signature file must not have it in its name), the signature is read
184 from it and automatically used.
185
186 If the disk image contains a separate /usr/ partition it may also
187 be Verity protected, in which case the signature for the root hash
188 may configured via a .usrhash.p7s file adjacent to the disk image.
189 There's currently no option to configure the root hash signature
190 for the /usr/ via the unit file directly.
191
192 This option is only available for system services and is not
193 supported for services running in per-user instances of the service
194 manager.
195
196 RootVerity=
197 Takes the path to a data integrity (dm-verity) file. This option
198 enables data integrity checks using dm-verity, if RootImage= is
199 used and a root-hash is passed and if the used image itself does
200 not contains the integrity data. The integrity data must be matched
201 by the root hash. If this option is not specified, but a file with
202 the .verity suffix is found next to the image file, bearing
203 otherwise the same name (except if the image has the .raw suffix,
204 in which case the verity data file must not have it in its name),
205 the verity data is read from it and automatically used.
206
207 This option is supported only for disk images that contain a single
208 file system, without an enveloping partition table. Images that
209 contain a GPT partition table should instead include both root file
210 system and matching Verity data in the same image, implementing the
211 Discoverable Partition Specification[1].
212
213 This option is only available for system services and is not
214 supported for services running in per-user instances of the service
215 manager.
216
217 MountAPIVFS=
218 Takes a boolean argument. If on, a private mount namespace for the
219 unit's processes is created and the API file systems /proc/, /sys/,
220 /dev/ and /run/ (as an empty "tmpfs") are mounted inside of it,
221 unless they are already mounted. Note that this option has no
222 effect unless used in conjunction with RootDirectory=/RootImage= as
223 these four mounts are generally mounted in the host anyway, and
224 unless the root directory is changed, the private mount namespace
225 will be a 1:1 copy of the host's, and include these four mounts.
226 Note that the /dev/ file system of the host is bind mounted if this
227 option is used without PrivateDevices=. To run the service with a
228 private, minimal version of /dev/, combine this option with
229 PrivateDevices=.
230
231 In order to allow propagating mounts at runtime in a safe manner,
232 /run/systemd/propagate on the host will be used to set up new
233 mounts, and /run/host/incoming/ in the private namespace will be
234 used as an intermediate step to store them before being moved to
235 the final mount point.
236
237 This option is only available for system services and is not
238 supported for services running in per-user instances of the service
239 manager.
240
241 ProtectProc=
242 Takes one of "noaccess", "invisible", "ptraceable" or "default"
243 (which it defaults to). When set, this controls the "hidepid="
244 mount option of the "procfs" instance for the unit that controls
245 which directories with process metainformation (/proc/PID) are
246 visible and accessible: when set to "noaccess" the ability to
247 access most of other users' process metadata in /proc/ is taken
248 away for processes of the service. When set to "invisible"
249 processes owned by other users are hidden from /proc/. If
250 "ptraceable" all processes that cannot be ptrace()'ed by a process
251 are hidden to it. If "default" no restrictions on /proc/ access or
252 visibility are made. For further details see The /proc
253 Filesystem[2]. It is generally recommended to run most system
254 services with this option set to "invisible". This option is
255 implemented via file system namespacing, and thus cannot be used
256 with services that shall be able to install mount points in the
257 host file system hierarchy. Note that the root user is unaffected
258 by this option, so to be effective it has to be used together with
259 User= or DynamicUser=yes, and also without the "CAP_SYS_PTRACE"
260 capability, which also allows a process to bypass this feature. It
261 cannot be used for services that need to access metainformation
262 about other users' processes. This option implies MountAPIVFS=.
263
264 If the kernel doesn't support per-mount point hidepid= mount
265 options this setting remains without effect, and the unit's
266 processes will be able to access and see other process as if the
267 option was not used.
268
269 This option is only available for system services and is not
270 supported for services running in per-user instances of the service
271 manager.
272
273 ProcSubset=
274 Takes one of "all" (the default) and "pid". If "pid", all files and
275 directories not directly associated with process management and
276 introspection are made invisible in the /proc/ file system
277 configured for the unit's processes. This controls the "subset="
278 mount option of the "procfs" instance for the unit. For further
279 details see The /proc Filesystem[2]. Note that Linux exposes
280 various kernel APIs via /proc/, which are made unavailable with
281 this setting. Since these APIs are used frequently this option is
282 useful only in a few, specific cases, and is not suitable for most
283 non-trivial programs.
284
285 Much like ProtectProc= above, this is implemented via file system
286 mount namespacing, and hence the same restrictions apply: it is
287 only available to system services, it disables mount propagation to
288 the host mount table, and it implies MountAPIVFS=. Also, like
289 ProtectProc= this setting is gracefully disabled if the used kernel
290 does not support the "subset=" mount option of "procfs".
291
292 BindPaths=, BindReadOnlyPaths=
293 Configures unit-specific bind mounts. A bind mount makes a
294 particular file or directory available at an additional place in
295 the unit's view of the file system. Any bind mounts created with
296 this option are specific to the unit, and are not visible in the
297 host's mount table. This option expects a whitespace separated list
298 of bind mount definitions. Each definition consists of a
299 colon-separated triple of source path, destination path and option
300 string, where the latter two are optional. If only a source path is
301 specified the source and destination is taken to be the same. The
302 option string may be either "rbind" or "norbind" for configuring a
303 recursive or non-recursive bind mount. If the destination path is
304 omitted, the option string must be omitted too. Each bind mount
305 definition may be prefixed with "-", in which case it will be
306 ignored when its source path does not exist.
307
308 BindPaths= creates regular writable bind mounts (unless the source
309 file system mount is already marked read-only), while
310 BindReadOnlyPaths= creates read-only bind mounts. These settings
311 may be used more than once, each usage appends to the unit's list
312 of bind mounts. If the empty string is assigned to either of these
313 two options the entire list of bind mounts defined prior to this is
314 reset. Note that in this case both read-only and regular bind
315 mounts are reset, regardless which of the two settings is used.
316
317 This option is particularly useful when RootDirectory=/RootImage=
318 is used. In this case the source path refers to a path on the host
319 file system, while the destination path refers to a path below the
320 root directory of the unit.
321
322 Note that the destination directory must exist or systemd must be
323 able to create it. Thus, it is not possible to use those options
324 for mount points nested underneath paths specified in
325 InaccessiblePaths=, or under /home/ and other protected directories
326 if ProtectHome=yes is specified. TemporaryFileSystem= with ":ro"
327 or ProtectHome=tmpfs should be used instead.
328
329 This option is only available for system services and is not
330 supported for services running in per-user instances of the service
331 manager.
332
333 MountImages=
334 This setting is similar to RootImage= in that it mounts a file
335 system hierarchy from a block device node or loopback file, but the
336 destination directory can be specified as well as mount options.
337 This option expects a whitespace separated list of mount
338 definitions. Each definition consists of a colon-separated tuple of
339 source path and destination definitions, optionally followed by
340 another colon and a list of mount options.
341
342 Mount options may be defined as a single comma-separated list of
343 options, in which case they will be implicitly applied to the root
344 partition on the image, or a series of colon-separated tuples of
345 partition name and mount options. Valid partition names and mount
346 options are the same as for RootImageOptions= setting described
347 above.
348
349 Each mount definition may be prefixed with "-", in which case it
350 will be ignored when its source path does not exist. The source
351 argument is a path to a block device node or regular file. If
352 source or destination contain a ":", it needs to be escaped as
353 "\:". The device node or file system image file needs to follow the
354 same rules as specified for RootImage=. Any mounts created with
355 this option are specific to the unit, and are not visible in the
356 host's mount table.
357
358 These settings may be used more than once, each usage appends to
359 the unit's list of mount paths. If the empty string is assigned,
360 the entire list of mount paths defined prior to this is reset.
361
362 Note that the destination directory must exist or systemd must be
363 able to create it. Thus, it is not possible to use those options
364 for mount points nested underneath paths specified in
365 InaccessiblePaths=, or under /home/ and other protected directories
366 if ProtectHome=yes is specified.
367
368 When DevicePolicy= is set to "closed" or "strict", or set to "auto"
369 and DeviceAllow= is set, then this setting adds /dev/loop-control
370 with rw mode, "block-loop" and "block-blkext" with rwm mode to
371 DeviceAllow=. See systemd.resource-control(5) for the details about
372 DevicePolicy= or DeviceAllow=. Also, see PrivateDevices= below, as
373 it may change the setting of DevicePolicy=.
374
375 This option is only available for system services and is not
376 supported for services running in per-user instances of the service
377 manager.
378
379 ExtensionImages=
380 This setting is similar to MountImages= in that it mounts a file
381 system hierarchy from a block device node or loopback file, but
382 instead of providing a destination path, an overlay will be set up.
383 This option expects a whitespace separated list of mount
384 definitions. Each definition consists of a source path, optionally
385 followed by a colon and a list of mount options.
386
387 A read-only OverlayFS will be set up on top of /usr/ and /opt/
388 hierarchies from the root. The order in which the images are listed
389 will determine the order in which the overlay is laid down: images
390 specified first to last will result in overlayfs layers bottom to
391 top.
392
393 Mount options may be defined as a single comma-separated list of
394 options, in which case they will be implicitly applied to the root
395 partition on the image, or a series of colon-separated tuples of
396 partition name and mount options. Valid partition names and mount
397 options are the same as for RootImageOptions= setting described
398 above.
399
400 Each mount definition may be prefixed with "-", in which case it
401 will be ignored when its source path does not exist. The source
402 argument is a path to a block device node or regular file. If the
403 source path contains a ":", it needs to be escaped as "\:". The
404 device node or file system image file needs to follow the same
405 rules as specified for RootImage=. Any mounts created with this
406 option are specific to the unit, and are not visible in the host's
407 mount table.
408
409 These settings may be used more than once, each usage appends to
410 the unit's list of image paths. If the empty string is assigned,
411 the entire list of mount paths defined prior to this is reset.
412
413 When DevicePolicy= is set to "closed" or "strict", or set to "auto"
414 and DeviceAllow= is set, then this setting adds /dev/loop-control
415 with rw mode, "block-loop" and "block-blkext" with rwm mode to
416 DeviceAllow=. See systemd.resource-control(5) for the details about
417 DevicePolicy= or DeviceAllow=. Also, see PrivateDevices= below, as
418 it may change the setting of DevicePolicy=.
419
420 This option is only available for system services and is not
421 supported for services running in per-user instances of the service
422 manager.
423
425 These options are only available for system services and are not
426 supported for services running in per-user instances of the service
427 manager.
428
429 User=, Group=
430 Set the UNIX user or group that the processes are executed as,
431 respectively. Takes a single user or group name, or a numeric ID as
432 argument. For system services (services run by the system service
433 manager, i.e. managed by PID 1) and for user services of the root
434 user (services managed by root's instance of systemd --user), the
435 default is "root", but User= may be used to specify a different
436 user. For user services of any other user, switching user identity
437 is not permitted, hence the only valid setting is the same user the
438 user's service manager is running as. If no group is set, the
439 default group of the user is used. This setting does not affect
440 commands whose command line is prefixed with "+".
441
442 Note that this enforces only weak restrictions on the user/group
443 name syntax, but will generate warnings in many cases where
444 user/group names do not adhere to the following rules: the
445 specified name should consist only of the characters a-z, A-Z, 0-9,
446 "_" and "-", except for the first character which must be one of
447 a-z, A-Z and "_" (i.e. digits and "-" are not permitted as first
448 character). The user/group name must have at least one character,
449 and at most 31. These restrictions are made in order to avoid
450 ambiguities and to ensure user/group names and unit files remain
451 portable among Linux systems. For further details on the names
452 accepted and the names warned about see User/Group Name Syntax[3].
453
454 When used in conjunction with DynamicUser= the user/group name
455 specified is dynamically allocated at the time the service is
456 started, and released at the time the service is stopped — unless
457 it is already allocated statically (see below). If DynamicUser= is
458 not used the specified user and group must have been created
459 statically in the user database no later than the moment the
460 service is started, for example using the sysusers.d(5) facility,
461 which is applied at boot or package install time. If the user does
462 not exist by then program invocation will fail.
463
464 If the User= setting is used the supplementary group list is
465 initialized from the specified user's default group list, as
466 defined in the system's user and group database. Additional groups
467 may be configured through the SupplementaryGroups= setting (see
468 below).
469
470 DynamicUser=
471 Takes a boolean parameter. If set, a UNIX user and group pair is
472 allocated dynamically when the unit is started, and released as
473 soon as it is stopped. The user and group will not be added to
474 /etc/passwd or /etc/group, but are managed transiently during
475 runtime. The nss-systemd(8) glibc NSS module provides integration
476 of these dynamic users/groups into the system's user and group
477 databases. The user and group name to use may be configured via
478 User= and Group= (see above). If these options are not used and
479 dynamic user/group allocation is enabled for a unit, the name of
480 the dynamic user/group is implicitly derived from the unit name. If
481 the unit name without the type suffix qualifies as valid user name
482 it is used directly, otherwise a name incorporating a hash of it is
483 used. If a statically allocated user or group of the configured
484 name already exists, it is used and no dynamic user/group is
485 allocated. Note that if User= is specified and the static group
486 with the name exists, then it is required that the static user with
487 the name already exists. Similarly, if Group= is specified and the
488 static user with the name exists, then it is required that the
489 static group with the name already exists. Dynamic users/groups are
490 allocated from the UID/GID range 61184...65519. It is recommended
491 to avoid this range for regular system or login users. At any point
492 in time each UID/GID from this range is only assigned to zero or
493 one dynamically allocated users/groups in use. However, UID/GIDs
494 are recycled after a unit is terminated. Care should be taken that
495 any processes running as part of a unit for which dynamic
496 users/groups are enabled do not leave files or directories owned by
497 these users/groups around, as a different unit might get the same
498 UID/GID assigned later on, and thus gain access to these files or
499 directories. If DynamicUser= is enabled, RemoveIPC= and PrivateTmp=
500 are implied (and cannot be turned off). This ensures that the
501 lifetime of IPC objects and temporary files created by the executed
502 processes is bound to the runtime of the service, and hence the
503 lifetime of the dynamic user/group. Since /tmp/ and /var/tmp/ are
504 usually the only world-writable directories on a system this
505 ensures that a unit making use of dynamic user/group allocation
506 cannot leave files around after unit termination. Furthermore
507 NoNewPrivileges= and RestrictSUIDSGID= are implicitly enabled (and
508 cannot be disabled), to ensure that processes invoked cannot take
509 benefit or create SUID/SGID files or directories. Moreover
510 ProtectSystem=strict and ProtectHome=read-only are implied, thus
511 prohibiting the service to write to arbitrary file system
512 locations. In order to allow the service to write to certain
513 directories, they have to be allow-listed using ReadWritePaths=,
514 but care must be taken so that UID/GID recycling doesn't create
515 security issues involving files created by the service. Use
516 RuntimeDirectory= (see below) in order to assign a writable runtime
517 directory to a service, owned by the dynamic user/group and removed
518 automatically when the unit is terminated. Use StateDirectory=,
519 CacheDirectory= and LogsDirectory= in order to assign a set of
520 writable directories for specific purposes to the service in a way
521 that they are protected from vulnerabilities due to UID reuse (see
522 below). If this option is enabled, care should be taken that the
523 unit's processes do not get access to directories outside of these
524 explicitly configured and managed ones. Specifically, do not use
525 BindPaths= and be careful with AF_UNIX file descriptor passing for
526 directory file descriptors, as this would permit processes to
527 create files or directories owned by the dynamic user/group that
528 are not subject to the lifecycle and access guarantees of the
529 service. Defaults to off.
530
531 SupplementaryGroups=
532 Sets the supplementary Unix groups the processes are executed as.
533 This takes a space-separated list of group names or IDs. This
534 option may be specified more than once, in which case all listed
535 groups are set as supplementary groups. When the empty string is
536 assigned, the list of supplementary groups is reset, and all
537 assignments prior to this one will have no effect. In any way, this
538 option does not override, but extends the list of supplementary
539 groups configured in the system group database for the user. This
540 does not affect commands prefixed with "+".
541
542 PAMName=
543 Sets the PAM service name to set up a session as. If set, the
544 executed process will be registered as a PAM session under the
545 specified service name. This is only useful in conjunction with the
546 User= setting, and is otherwise ignored. If not set, no PAM session
547 will be opened for the executed processes. See pam(8) for details.
548
549 Note that for each unit making use of this option a PAM session
550 handler process will be maintained as part of the unit and stays
551 around as long as the unit is active, to ensure that appropriate
552 actions can be taken when the unit and hence the PAM session
553 terminates. This process is named "(sd-pam)" and is an immediate
554 child process of the unit's main process.
555
556 Note that when this option is used for a unit it is very likely
557 (depending on PAM configuration) that the main unit process will be
558 migrated to its own session scope unit when it is activated. This
559 process will hence be associated with two units: the unit it was
560 originally started from (and for which PAMName= was configured),
561 and the session scope unit. Any child processes of that process
562 will however be associated with the session scope unit only. This
563 has implications when used in combination with NotifyAccess=all, as
564 these child processes will not be able to affect changes in the
565 original unit through notification messages. These messages will be
566 considered belonging to the session scope unit and not the original
567 unit. It is hence not recommended to use PAMName= in combination
568 with NotifyAccess=all.
569
571 These options are only available for system services and are not
572 supported for services running in per-user instances of the service
573 manager.
574
575 CapabilityBoundingSet=
576 Controls which capabilities to include in the capability bounding
577 set for the executed process. See capabilities(7) for details.
578 Takes a whitespace-separated list of capability names, e.g.
579 CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Capabilities
580 listed will be included in the bounding set, all others are
581 removed. If the list of capabilities is prefixed with "~", all but
582 the listed capabilities will be included, the effect of the
583 assignment inverted. Note that this option also affects the
584 respective capabilities in the effective, permitted and inheritable
585 capability sets. If this option is not used, the capability
586 bounding set is not modified on process execution, hence no limits
587 on the capabilities of the process are enforced. This option may
588 appear more than once, in which case the bounding sets are merged
589 by OR, or by AND if the lines are prefixed with "~" (see below). If
590 the empty string is assigned to this option, the bounding set is
591 reset to the empty capability set, and all prior settings have no
592 effect. If set to "~" (without any further argument), the bounding
593 set is reset to the full set of available capabilities, also
594 undoing any previous settings. This does not affect commands
595 prefixed with "+".
596
597 Use systemd-analyze(1)'s capability command to retrieve a list of
598 capabilities defined on the local system.
599
600 Example: if a unit has the following,
601
602 CapabilityBoundingSet=CAP_A CAP_B
603 CapabilityBoundingSet=CAP_B CAP_C
604
605 then CAP_A, CAP_B, and CAP_C are set. If the second line is
606 prefixed with "~", e.g.,
607
608 CapabilityBoundingSet=CAP_A CAP_B
609 CapabilityBoundingSet=~CAP_B CAP_C
610
611 then, only CAP_A is set.
612
613 AmbientCapabilities=
614 Controls which capabilities to include in the ambient capability
615 set for the executed process. Takes a whitespace-separated list of
616 capability names, e.g. CAP_SYS_ADMIN, CAP_DAC_OVERRIDE,
617 CAP_SYS_PTRACE. This option may appear more than once in which case
618 the ambient capability sets are merged (see the above examples in
619 CapabilityBoundingSet=). If the list of capabilities is prefixed
620 with "~", all but the listed capabilities will be included, the
621 effect of the assignment inverted. If the empty string is assigned
622 to this option, the ambient capability set is reset to the empty
623 capability set, and all prior settings have no effect. If set to
624 "~" (without any further argument), the ambient capability set is
625 reset to the full set of available capabilities, also undoing any
626 previous settings. Note that adding capabilities to ambient
627 capability set adds them to the process's inherited capability set.
628
629 Ambient capability sets are useful if you want to execute a process
630 as a non-privileged user but still want to give it some
631 capabilities. Note that in this case option keep-caps is
632 automatically added to SecureBits= to retain the capabilities over
633 the user change. AmbientCapabilities= does not affect commands
634 prefixed with "+".
635
637 NoNewPrivileges=
638 Takes a boolean argument. If true, ensures that the service process
639 and all its children can never gain new privileges through execve()
640 (e.g. via setuid or setgid bits, or filesystem capabilities). This
641 is the simplest and most effective way to ensure that a process and
642 its children can never elevate privileges again. Defaults to false,
643 but certain settings override this and ignore the value of this
644 setting. This is the case when DynamicUser=, LockPersonality=,
645 MemoryDenyWriteExecute=, PrivateDevices=, ProtectClock=,
646 ProtectHostname=, ProtectKernelLogs=, ProtectKernelModules=,
647 ProtectKernelTunables=, RestrictAddressFamilies=,
648 RestrictNamespaces=, RestrictRealtime=, RestrictSUIDSGID=,
649 SystemCallArchitectures=, SystemCallFilter=, or SystemCallLog= are
650 specified. Note that even if this setting is overridden by them,
651 systemctl show shows the original value of this setting. Also see
652 No New Privileges Flag[4].
653
654 SecureBits=
655 Controls the secure bits set for the executed process. Takes a
656 space-separated combination of options from the following list:
657 keep-caps, keep-caps-locked, no-setuid-fixup,
658 no-setuid-fixup-locked, noroot, and noroot-locked. This option may
659 appear more than once, in which case the secure bits are ORed. If
660 the empty string is assigned to this option, the bits are reset to
661 0. This does not affect commands prefixed with "+". See
662 capabilities(7) for details.
663
665 These options are only available for system services and are not
666 supported for services running in per-user instances of the service
667 manager.
668
669 SELinuxContext=
670 Set the SELinux security context of the executed process. If set,
671 this will override the automated domain transition. However, the
672 policy still needs to authorize the transition. This directive is
673 ignored if SELinux is disabled. If prefixed by "-", all errors will
674 be ignored. This does not affect commands prefixed with "+". See
675 setexeccon(3) for details.
676
677 AppArmorProfile=
678 Takes a profile name as argument. The process executed by the unit
679 will switch to this profile when started. Profiles must already be
680 loaded in the kernel, or the unit will fail. If prefixed by "-",
681 all errors will be ignored. This setting has no effect if AppArmor
682 is not enabled. This setting does not affect commands prefixed with
683 "+".
684
685 SmackProcessLabel=
686 Takes a SMACK64 security label as argument. The process executed by
687 the unit will be started under this label and SMACK will decide
688 whether the process is allowed to run or not, based on it. The
689 process will continue to run under the label specified here unless
690 the executable has its own SMACK64EXEC label, in which case the
691 process will transition to run under that label. When not
692 specified, the label that systemd is running under is used. This
693 directive is ignored if SMACK is disabled.
694
695 The value may be prefixed by "-", in which case all errors will be
696 ignored. An empty value may be specified to unset previous
697 assignments. This does not affect commands prefixed with "+".
698
700 LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=,
701 LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=,
702 LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=,
703 LimitRTTIME=
704 Set soft and hard limits on various resources for executed
705 processes. See setrlimit(2) for details on the resource limit
706 concept. Resource limits may be specified in two formats: either as
707 single value to set a specific soft and hard limit to the same
708 value, or as colon-separated pair soft:hard to set both limits
709 individually (e.g. "LimitAS=4G:16G"). Use the string infinity to
710 configure no limit on a specific resource. The multiplicative
711 suffixes K, M, G, T, P and E (to the base 1024) may be used for
712 resource limits measured in bytes (e.g. "LimitAS=16G"). For the
713 limits referring to time values, the usual time units ms, s, min, h
714 and so on may be used (see systemd.time(7) for details). Note that
715 if no time unit is specified for LimitCPU= the default unit of
716 seconds is implied, while for LimitRTTIME= the default unit of
717 microseconds is implied. Also, note that the effective granularity
718 of the limits might influence their enforcement. For example, time
719 limits specified for LimitCPU= will be rounded up implicitly to
720 multiples of 1s. For LimitNICE= the value may be specified in two
721 syntaxes: if prefixed with "+" or "-", the value is understood as
722 regular Linux nice value in the range -20...19. If not prefixed
723 like this the value is understood as raw resource limit parameter
724 in the range 0...40 (with 0 being equivalent to 1).
725
726 Note that most process resource limits configured with these
727 options are per-process, and processes may fork in order to acquire
728 a new set of resources that are accounted independently of the
729 original process, and may thus escape limits set. Also note that
730 LimitRSS= is not implemented on Linux, and setting it has no
731 effect. Often it is advisable to prefer the resource controls
732 listed in systemd.resource-control(5) over these per-process
733 limits, as they apply to services as a whole, may be altered
734 dynamically at runtime, and are generally more expressive. For
735 example, MemoryMax= is a more powerful (and working) replacement
736 for LimitRSS=.
737
738 Resource limits not configured explicitly for a unit default to the
739 value configured in the various DefaultLimitCPU=,
740 DefaultLimitFSIZE=, ... options available in systemd-
741 system.conf(5), and – if not configured there – the kernel or
742 per-user defaults, as defined by the OS (the latter only for user
743 services, see below).
744
745 For system units these resource limits may be chosen freely. When
746 these settings are configured in a user service (i.e. a service run
747 by the per-user instance of the service manager) they cannot be
748 used to raise the limits above those set for the user manager
749 itself when it was first invoked, as the user's service manager
750 generally lacks the privileges to do so. In user context these
751 configuration options are hence only useful to lower the limits
752 passed in or to raise the soft limit to the maximum of the hard
753 limit as configured for the user. To raise the user's limits
754 further, the available configuration mechanisms differ between
755 operating systems, but typically require privileges. In most cases
756 it is possible to configure higher per-user resource limits via PAM
757 or by setting limits on the system service encapsulating the user's
758 service manager, i.e. the user's instance of user@.service. After
759 making such changes, make sure to restart the user's service
760 manager.
761
762 Table 1. Resource limit directives, their equivalent ulimit shell
763 commands and the unit used
764 ┌─────────────────┬───────────────────┬─────────────────────┐
765 │Directive │ ulimit equivalent │ Unit │
766 ├─────────────────┼───────────────────┼─────────────────────┤
767 │LimitCPU= │ ulimit -t │ Seconds │
768 ├─────────────────┼───────────────────┼─────────────────────┤
769 │LimitFSIZE= │ ulimit -f │ Bytes │
770 ├─────────────────┼───────────────────┼─────────────────────┤
771 │LimitDATA= │ ulimit -d │ Bytes │
772 ├─────────────────┼───────────────────┼─────────────────────┤
773 │LimitSTACK= │ ulimit -s │ Bytes │
774 ├─────────────────┼───────────────────┼─────────────────────┤
775 │LimitCORE= │ ulimit -c │ Bytes │
776 ├─────────────────┼───────────────────┼─────────────────────┤
777 │LimitRSS= │ ulimit -m │ Bytes │
778 ├─────────────────┼───────────────────┼─────────────────────┤
779 │LimitNOFILE= │ ulimit -n │ Number of File │
780 │ │ │ Descriptors │
781 ├─────────────────┼───────────────────┼─────────────────────┤
782 │LimitAS= │ ulimit -v │ Bytes │
783 ├─────────────────┼───────────────────┼─────────────────────┤
784 │LimitNPROC= │ ulimit -u │ Number of Processes │
785 ├─────────────────┼───────────────────┼─────────────────────┤
786 │LimitMEMLOCK= │ ulimit -l │ Bytes │
787 ├─────────────────┼───────────────────┼─────────────────────┤
788 │LimitLOCKS= │ ulimit -x │ Number of Locks │
789 ├─────────────────┼───────────────────┼─────────────────────┤
790 │LimitSIGPENDING= │ ulimit -i │ Number of Queued │
791 │ │ │ Signals │
792 ├─────────────────┼───────────────────┼─────────────────────┤
793 │LimitMSGQUEUE= │ ulimit -q │ Bytes │
794 ├─────────────────┼───────────────────┼─────────────────────┤
795 │LimitNICE= │ ulimit -e │ Nice Level │
796 ├─────────────────┼───────────────────┼─────────────────────┤
797 │LimitRTPRIO= │ ulimit -r │ Realtime Priority │
798 ├─────────────────┼───────────────────┼─────────────────────┤
799 │LimitRTTIME= │ No equivalent │ Microseconds │
800 └─────────────────┴───────────────────┴─────────────────────┘
801
802 UMask=
803 Controls the file mode creation mask. Takes an access mode in octal
804 notation. See umask(2) for details. Defaults to 0022 for system
805 units. For user units the default value is inherited from the
806 per-user service manager (whose default is in turn inherited from
807 the system service manager, and thus typically also is 0022 —
808 unless overridden by a PAM module). In order to change the per-user
809 mask for all user services, consider setting the UMask= setting of
810 the user's user@.service system service instance. The per-user
811 umask may also be set via the umask field of a user's JSON User
812 Record[5] (for users managed by systemd-homed.service(8) this field
813 may be controlled via homectl --umask=). It may also be set via a
814 PAM module, such as pam_umask(8).
815
816 CoredumpFilter=
817 Controls which types of memory mappings will be saved if the
818 process dumps core (using the /proc/pid/coredump_filter file).
819 Takes a whitespace-separated combination of mapping type names or
820 numbers (with the default base 16). Mapping type names are
821 private-anonymous, shared-anonymous, private-file-backed,
822 shared-file-backed, elf-headers, private-huge, shared-huge,
823 private-dax, shared-dax, and the special values all (all types) and
824 default (the kernel default of "private-anonymous shared-anonymous
825 elf-headers private-huge"). See core(5) for the meaning of the
826 mapping types. When specified multiple times, all specified masks
827 are ORed. When not set, or if the empty value is assigned, the
828 inherited value is not changed.
829
830 Example 2. Add DAX pages to the dump filter
831
832 CoredumpFilter=default private-dax shared-dax
833
834 KeyringMode=
835 Controls how the kernel session keyring is set up for the service
836 (see session-keyring(7) for details on the session keyring). Takes
837 one of inherit, private, shared. If set to inherit no special
838 keyring setup is done, and the kernel's default behaviour is
839 applied. If private is used a new session keyring is allocated when
840 a service process is invoked, and it is not linked up with any user
841 keyring. This is the recommended setting for system services, as
842 this ensures that multiple services running under the same system
843 user ID (in particular the root user) do not share their key
844 material among each other. If shared is used a new session keyring
845 is allocated as for private, but the user keyring of the user
846 configured with User= is linked into it, so that keys assigned to
847 the user may be requested by the unit's processes. In this modes
848 multiple units running processes under the same user ID may share
849 key material. Unless inherit is selected the unique invocation ID
850 for the unit (see below) is added as a protected key by the name
851 "invocation_id" to the newly created session keyring. Defaults to
852 private for services of the system service manager and to inherit
853 for non-service units and for services of the user service manager.
854
855 OOMScoreAdjust=
856 Sets the adjustment value for the Linux kernel's Out-Of-Memory
857 (OOM) killer score for executed processes. Takes an integer between
858 -1000 (to disable OOM killing of processes of this unit) and 1000
859 (to make killing of processes of this unit under memory pressure
860 very likely). See proc.txt[6] for details. If not specified
861 defaults to the OOM score adjustment level of the service manager
862 itself, which is normally at 0.
863
864 Use the OOMPolicy= setting of service units to configure how the
865 service manager shall react to the kernel OOM killer terminating a
866 process of the service. See systemd.service(5) for details.
867
868 TimerSlackNSec=
869 Sets the timer slack in nanoseconds for the executed processes. The
870 timer slack controls the accuracy of wake-ups triggered by timers.
871 See prctl(2) for more information. Note that in contrast to most
872 other time span definitions this parameter takes an integer value
873 in nano-seconds if no unit is specified. The usual time units are
874 understood too.
875
876 Personality=
877 Controls which kernel architecture uname(2) shall report, when
878 invoked by unit processes. Takes one of the architecture
879 identifiers x86, x86-64, ppc, ppc-le, ppc64, ppc64-le, s390 or
880 s390x. Which personality architectures are supported depends on the
881 system architecture. Usually the 64bit versions of the various
882 system architectures support their immediate 32bit personality
883 architecture counterpart, but no others. For example, x86-64
884 systems support the x86-64 and x86 personalities but no others. The
885 personality feature is useful when running 32-bit services on a
886 64-bit host system. If not specified, the personality is left
887 unmodified and thus reflects the personality of the host system's
888 kernel.
889
890 IgnoreSIGPIPE=
891 Takes a boolean argument. If true, causes SIGPIPE to be ignored in
892 the executed process. Defaults to true because SIGPIPE generally is
893 useful only in shell pipelines.
894
896 Nice=
897 Sets the default nice level (scheduling priority) for executed
898 processes. Takes an integer between -20 (highest priority) and 19
899 (lowest priority). See setpriority(2) for details.
900
901 CPUSchedulingPolicy=
902 Sets the CPU scheduling policy for executed processes. Takes one of
903 other, batch, idle, fifo or rr. See sched_setscheduler(2) for
904 details.
905
906 CPUSchedulingPriority=
907 Sets the CPU scheduling priority for executed processes. The
908 available priority range depends on the selected CPU scheduling
909 policy (see above). For real-time scheduling policies an integer
910 between 1 (lowest priority) and 99 (highest priority) can be used.
911 See sched_setscheduler(2) for details.
912
913 CPUSchedulingResetOnFork=
914 Takes a boolean argument. If true, elevated CPU scheduling
915 priorities and policies will be reset when the executed processes
916 call fork(2), and can hence not leak into child processes. See
917 sched_setscheduler(2) for details. Defaults to false.
918
919 CPUAffinity=
920 Controls the CPU affinity of the executed processes. Takes a list
921 of CPU indices or ranges separated by either whitespace or commas.
922 Alternatively, takes a special "numa" value in which case systemd
923 automatically derives allowed CPU range based on the value of
924 NUMAMask= option. CPU ranges are specified by the lower and upper
925 CPU indices separated by a dash. This option may be specified more
926 than once, in which case the specified CPU affinity masks are
927 merged. If the empty string is assigned, the mask is reset, all
928 assignments prior to this will have no effect. See
929 sched_setaffinity(2) for details.
930
931 NUMAPolicy=
932 Controls the NUMA memory policy of the executed processes. Takes a
933 policy type, one of: default, preferred, bind, interleave and
934 local. A list of NUMA nodes that should be associated with the
935 policy must be specified in NUMAMask=. For more details on each
936 policy please see, set_mempolicy(2). For overall overview of NUMA
937 support in Linux see, numa(7).
938
939 NUMAMask=
940 Controls the NUMA node list which will be applied alongside with
941 selected NUMA policy. Takes a list of NUMA nodes and has the same
942 syntax as a list of CPUs for CPUAffinity= option or special "all"
943 value which will include all available NUMA nodes in the mask. Note
944 that the list of NUMA nodes is not required for default and local
945 policies and for preferred policy we expect a single NUMA node.
946
947 IOSchedulingClass=
948 Sets the I/O scheduling class for executed processes. Takes an
949 integer between 0 and 3 or one of the strings none, realtime,
950 best-effort or idle. If the empty string is assigned to this
951 option, all prior assignments to both IOSchedulingClass= and
952 IOSchedulingPriority= have no effect. See ioprio_set(2) for
953 details.
954
955 IOSchedulingPriority=
956 Sets the I/O scheduling priority for executed processes. Takes an
957 integer between 0 (highest priority) and 7 (lowest priority). The
958 available priorities depend on the selected I/O scheduling class
959 (see above). If the empty string is assigned to this option, all
960 prior assignments to both IOSchedulingClass= and
961 IOSchedulingPriority= have no effect. See ioprio_set(2) for
962 details.
963
965 The following sandboxing options are an effective way to limit the
966 exposure of the system towards the unit's processes. It is recommended
967 to turn on as many of these options for each unit as is possible
968 without negatively affecting the process' ability to operate. Note that
969 many of these sandboxing features are gracefully turned off on systems
970 where the underlying security mechanism is not available. For example,
971 ProtectSystem= has no effect if the kernel is built without file system
972 namespacing or if the service manager runs in a container manager that
973 makes file system namespacing unavailable to its payload. Similar,
974 RestrictRealtime= has no effect on systems that lack support for
975 SECCOMP system call filtering, or in containers where support for this
976 is turned off.
977
978 Also note that some sandboxing functionality is generally not available
979 in user services (i.e. services run by the per-user service manager).
980 Specifically, the various settings requiring file system namespacing
981 support (such as ProtectSystem=) are not available, as the underlying
982 kernel functionality is only accessible to privileged processes.
983 However, most namespacing settings, that will not work on their own in
984 user services, will work when used in conjunction with
985 PrivateUsers=true.
986
987 ProtectSystem=
988 Takes a boolean argument or the special values "full" or "strict".
989 If true, mounts the /usr/ and the boot loader directories (/boot
990 and /efi) read-only for processes invoked by this unit. If set to
991 "full", the /etc/ directory is mounted read-only, too. If set to
992 "strict" the entire file system hierarchy is mounted read-only,
993 except for the API file system subtrees /dev/, /proc/ and /sys/
994 (protect these directories using PrivateDevices=,
995 ProtectKernelTunables=, ProtectControlGroups=). This setting
996 ensures that any modification of the vendor-supplied operating
997 system (and optionally its configuration, and local mounts) is
998 prohibited for the service. It is recommended to enable this
999 setting for all long-running services, unless they are involved
1000 with system updates or need to modify the operating system in other
1001 ways. If this option is used, ReadWritePaths= may be used to
1002 exclude specific directories from being made read-only. This
1003 setting is implied if DynamicUser= is set. This setting cannot
1004 ensure protection in all cases. In general it has the same
1005 limitations as ReadOnlyPaths=, see below. Defaults to off.
1006
1007 ProtectHome=
1008 Takes a boolean argument or the special values "read-only" or
1009 "tmpfs". If true, the directories /home/, /root, and /run/user are
1010 made inaccessible and empty for processes invoked by this unit. If
1011 set to "read-only", the three directories are made read-only
1012 instead. If set to "tmpfs", temporary file systems are mounted on
1013 the three directories in read-only mode. The value "tmpfs" is
1014 useful to hide home directories not relevant to the processes
1015 invoked by the unit, while still allowing necessary directories to
1016 be made visible when listed in BindPaths= or BindReadOnlyPaths=.
1017
1018 Setting this to "yes" is mostly equivalent to set the three
1019 directories in InaccessiblePaths=. Similarly, "read-only" is mostly
1020 equivalent to ReadOnlyPaths=, and "tmpfs" is mostly equivalent to
1021 TemporaryFileSystem= with ":ro".
1022
1023 It is recommended to enable this setting for all long-running
1024 services (in particular network-facing ones), to ensure they cannot
1025 get access to private user data, unless the services actually
1026 require access to the user's private data. This setting is implied
1027 if DynamicUser= is set. This setting cannot ensure protection in
1028 all cases. In general it has the same limitations as
1029 ReadOnlyPaths=, see below.
1030
1031 This option is only available for system services and is not
1032 supported for services running in per-user instances of the service
1033 manager.
1034
1035 RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=,
1036 ConfigurationDirectory=
1037 These options take a whitespace-separated list of directory names.
1038 The specified directory names must be relative, and may not include
1039 "..". If set, when the unit is started, one or more directories by
1040 the specified names will be created (including their parents) below
1041 the locations defined in the following table. Also, the
1042 corresponding environment variable will be defined with the full
1043 paths of the directories. If multiple directories are set, then in
1044 the environment variable the paths are concatenated with colon
1045 (":").
1046
1047 Table 2. Automatic directory creation and environment variables
1048 ┌────────────────────────┬────────────────┬───────────────────────┬──────────────────────────┐
1049 │Directory │ Below path for │ Below path for │ Environment │
1050 │ │ system units │ user units │ variable set │
1051 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1052 │RuntimeDirectory= │ /run/ │ $XDG_RUNTIME_DIR │ $RUNTIME_DIRECTORY │
1053 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1054 │StateDirectory= │ /var/lib/ │ $XDG_CONFIG_HOME │ $STATE_DIRECTORY │
1055 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1056 │CacheDirectory= │ /var/cache/ │ $XDG_CACHE_HOME │ $CACHE_DIRECTORY │
1057 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1058 │LogsDirectory= │ /var/log/ │ $XDG_CONFIG_HOME/log/ │ $LOGS_DIRECTORY │
1059 ├────────────────────────┼────────────────┼───────────────────────┼──────────────────────────┤
1060 │ConfigurationDirectory= │ /etc/ │ $XDG_CONFIG_HOME │ $CONFIGURATION_DIRECTORY │
1061 └────────────────────────┴────────────────┴───────────────────────┴──────────────────────────┘
1062 In case of RuntimeDirectory= the innermost subdirectories are
1063 removed when the unit is stopped. It is possible to preserve the
1064 specified directories in this case if RuntimeDirectoryPreserve= is
1065 configured to restart or yes (see below). The directories specified
1066 with StateDirectory=, CacheDirectory=, LogsDirectory=,
1067 ConfigurationDirectory= are not removed when the unit is stopped.
1068
1069 Except in case of ConfigurationDirectory=, the innermost specified
1070 directories will be owned by the user and group specified in User=
1071 and Group=. If the specified directories already exist and their
1072 owning user or group do not match the configured ones, all files
1073 and directories below the specified directories as well as the
1074 directories themselves will have their file ownership recursively
1075 changed to match what is configured. As an optimization, if the
1076 specified directories are already owned by the right user and
1077 group, files and directories below of them are left as-is, even if
1078 they do not match what is requested. The innermost specified
1079 directories will have their access mode adjusted to the what is
1080 specified in RuntimeDirectoryMode=, StateDirectoryMode=,
1081 CacheDirectoryMode=, LogsDirectoryMode= and
1082 ConfigurationDirectoryMode=.
1083
1084 These options imply BindPaths= for the specified paths. When
1085 combined with RootDirectory= or RootImage= these paths always
1086 reside on the host and are mounted from there into the unit's file
1087 system namespace.
1088
1089 If DynamicUser= is used in conjunction with StateDirectory=, the
1090 logic for CacheDirectory= and LogsDirectory= is slightly altered:
1091 the directories are created below /var/lib/private,
1092 /var/cache/private and /var/log/private, respectively, which are
1093 host directories made inaccessible to unprivileged users, which
1094 ensures that access to these directories cannot be gained through
1095 dynamic user ID recycling. Symbolic links are created to hide this
1096 difference in behaviour. Both from perspective of the host and from
1097 inside the unit, the relevant directories hence always appear
1098 directly below /var/lib, /var/cache and /var/log.
1099
1100 Use RuntimeDirectory= to manage one or more runtime directories for
1101 the unit and bind their lifetime to the daemon runtime. This is
1102 particularly useful for unprivileged daemons that cannot create
1103 runtime directories in /run/ due to lack of privileges, and to make
1104 sure the runtime directory is cleaned up automatically after use.
1105 For runtime directories that require more complex or different
1106 configuration or lifetime guarantees, please consider using
1107 tmpfiles.d(5).
1108
1109 The directories defined by these options are always created under
1110 the standard paths used by systemd (/var/, /run/, /etc/, ...). If
1111 the service needs directories in a different location, a different
1112 mechanism has to be used to create them.
1113
1114 tmpfiles.d(5) provides functionality that overlaps with these
1115 options. Using these options is recommended, because the lifetime
1116 of the directories is tied directly to the lifetime of the unit,
1117 and it is not necessary to ensure that the tmpfiles.d configuration
1118 is executed before the unit is started.
1119
1120 To remove any of the directories created by these settings, use the
1121 systemctl clean ... command on the relevant units, see
1122 systemctl(1) for details.
1123
1124 Example: if a system service unit has the following,
1125
1126 RuntimeDirectory=foo/bar baz
1127
1128 the service manager creates /run/foo (if it does not exist),
1129 /run/foo/bar, and /run/baz. The directories /run/foo/bar and
1130 /run/baz except /run/foo are owned by the user and group specified
1131 in User= and Group=, and removed when the service is stopped.
1132
1133 Example: if a system service unit has the following,
1134
1135 RuntimeDirectory=foo/bar
1136 StateDirectory=aaa/bbb ccc
1137
1138 then the environment variable "RUNTIME_DIRECTORY" is set with
1139 "/run/foo/bar", and "STATE_DIRECTORY" is set with
1140 "/var/lib/aaa/bbb:/var/lib/ccc".
1141
1142 RuntimeDirectoryMode=, StateDirectoryMode=, CacheDirectoryMode=,
1143 LogsDirectoryMode=, ConfigurationDirectoryMode=
1144 Specifies the access mode of the directories specified in
1145 RuntimeDirectory=, StateDirectory=, CacheDirectory=,
1146 LogsDirectory=, or ConfigurationDirectory=, respectively, as an
1147 octal number. Defaults to 0755. See "Permissions" in
1148 path_resolution(7) for a discussion of the meaning of permission
1149 bits.
1150
1151 RuntimeDirectoryPreserve=
1152 Takes a boolean argument or restart. If set to no (the default),
1153 the directories specified in RuntimeDirectory= are always removed
1154 when the service stops. If set to restart the directories are
1155 preserved when the service is both automatically and manually
1156 restarted. Here, the automatic restart means the operation
1157 specified in Restart=, and manual restart means the one triggered
1158 by systemctl restart foo.service. If set to yes, then the
1159 directories are not removed when the service is stopped. Note that
1160 since the runtime directory /run/ is a mount point of "tmpfs", then
1161 for system services the directories specified in RuntimeDirectory=
1162 are removed when the system is rebooted.
1163
1164 TimeoutCleanSec=
1165 Configures a timeout on the clean-up operation requested through
1166 systemctl clean ..., see systemctl(1) for details. Takes the usual
1167 time values and defaults to infinity, i.e. by default no timeout is
1168 applied. If a timeout is configured the clean operation will be
1169 aborted forcibly when the timeout is reached, potentially leaving
1170 resources on disk.
1171
1172 ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=, ExecPaths=,
1173 NoExecPaths=
1174 Sets up a new file system namespace for executed processes. These
1175 options may be used to limit access a process has to the file
1176 system. Each setting takes a space-separated list of paths relative
1177 to the host's root directory (i.e. the system running the service
1178 manager). Note that if paths contain symlinks, they are resolved
1179 relative to the root directory set with RootDirectory=/RootImage=.
1180
1181 Paths listed in ReadWritePaths= are accessible from within the
1182 namespace with the same access modes as from outside of it. Paths
1183 listed in ReadOnlyPaths= are accessible for reading only, writing
1184 will be refused even if the usual file access controls would permit
1185 this. Nest ReadWritePaths= inside of ReadOnlyPaths= in order to
1186 provide writable subdirectories within read-only directories. Use
1187 ReadWritePaths= in order to allow-list specific paths for write
1188 access if ProtectSystem=strict is used.
1189
1190 Paths listed in InaccessiblePaths= will be made inaccessible for
1191 processes inside the namespace along with everything below them in
1192 the file system hierarchy. This may be more restrictive than
1193 desired, because it is not possible to nest ReadWritePaths=,
1194 ReadOnlyPaths=, BindPaths=, or BindReadOnlyPaths= inside it. For a
1195 more flexible option, see TemporaryFileSystem=.
1196
1197 Content in paths listed in NoExecPaths= are not executable even if
1198 the usual file access controls would permit this. Nest ExecPaths=
1199 inside of NoExecPaths= in order to provide executable content
1200 within non-executable directories.
1201
1202 Non-directory paths may be specified as well. These options may be
1203 specified more than once, in which case all paths listed will have
1204 limited access from within the namespace. If the empty string is
1205 assigned to this option, the specific list is reset, and all prior
1206 assignments have no effect.
1207
1208 Paths in ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=,
1209 ExecPaths= and NoExecPaths= may be prefixed with "-", in which case
1210 they will be ignored when they do not exist. If prefixed with "+"
1211 the paths are taken relative to the root directory of the unit, as
1212 configured with RootDirectory=/RootImage=, instead of relative to
1213 the root directory of the host (see above). When combining "-" and
1214 "+" on the same path make sure to specify "-" first, and "+"
1215 second.
1216
1217 Note that these settings will disconnect propagation of mounts from
1218 the unit's processes to the host. This means that this setting may
1219 not be used for services which shall be able to install mount
1220 points in the main mount namespace. For ReadWritePaths= and
1221 ReadOnlyPaths= propagation in the other direction is not affected,
1222 i.e. mounts created on the host generally appear in the unit
1223 processes' namespace, and mounts removed on the host also disappear
1224 there too. In particular, note that mount propagation from host to
1225 unit will result in unmodified mounts to be created in the unit's
1226 namespace, i.e. writable mounts appearing on the host will be
1227 writable in the unit's namespace too, even when propagated below a
1228 path marked with ReadOnlyPaths=! Restricting access with these
1229 options hence does not extend to submounts of a directory that are
1230 created later on. This means the lock-down offered by that setting
1231 is not complete, and does not offer full protection.
1232
1233 Note that the effect of these settings may be undone by privileged
1234 processes. In order to set up an effective sandboxed environment
1235 for a unit it is thus recommended to combine these settings with
1236 either CapabilityBoundingSet=~CAP_SYS_ADMIN or
1237 SystemCallFilter=~@mount.
1238
1239 Simple allow-list example using these directives:
1240
1241 [Service]
1242 ReadOnlyPaths=/
1243 ReadWritePaths=/var /run
1244 InaccessiblePaths=-/lost+found
1245 NoExecPaths=/
1246 ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
1247
1248 These options are only available for system services and are not
1249 supported for services running in per-user instances of the service
1250 manager.
1251
1252 TemporaryFileSystem=
1253 Takes a space-separated list of mount points for temporary file
1254 systems (tmpfs). If set, a new file system namespace is set up for
1255 executed processes, and a temporary file system is mounted on each
1256 mount point. This option may be specified more than once, in which
1257 case temporary file systems are mounted on all listed mount points.
1258 If the empty string is assigned to this option, the list is reset,
1259 and all prior assignments have no effect. Each mount point may
1260 optionally be suffixed with a colon (":") and mount options such as
1261 "size=10%" or "ro". By default, each temporary file system is
1262 mounted with "nodev,strictatime,mode=0755". These can be disabled
1263 by explicitly specifying the corresponding mount options, e.g.,
1264 "dev" or "nostrictatime".
1265
1266 This is useful to hide files or directories not relevant to the
1267 processes invoked by the unit, while necessary files or directories
1268 can be still accessed by combining with BindPaths= or
1269 BindReadOnlyPaths=:
1270
1271 Example: if a unit has the following,
1272
1273 TemporaryFileSystem=/var:ro
1274 BindReadOnlyPaths=/var/lib/systemd
1275
1276 then the invoked processes by the unit cannot see any files or
1277 directories under /var/ except for /var/lib/systemd or its
1278 contents.
1279
1280 This option is only available for system services and is not
1281 supported for services running in per-user instances of the service
1282 manager.
1283
1284 PrivateTmp=
1285 Takes a boolean argument. If true, sets up a new file system
1286 namespace for the executed processes and mounts private /tmp/ and
1287 /var/tmp/ directories inside it that are not shared by processes
1288 outside of the namespace. This is useful to secure access to
1289 temporary files of the process, but makes sharing between processes
1290 via /tmp/ or /var/tmp/ impossible. If true, all temporary files
1291 created by a service in these directories will be removed after the
1292 service is stopped. Defaults to false. It is possible to run two or
1293 more units within the same private /tmp/ and /var/tmp/ namespace by
1294 using the JoinsNamespaceOf= directive, see systemd.unit(5) for
1295 details. This setting is implied if DynamicUser= is set. For this
1296 setting the same restrictions regarding mount propagation and
1297 privileges apply as for ReadOnlyPaths= and related calls, see
1298 above. Enabling this setting has the side effect of adding
1299 Requires= and After= dependencies on all mount units necessary to
1300 access /tmp/ and /var/tmp/. Moreover an implicitly After= ordering
1301 on systemd-tmpfiles-setup.service(8) is added.
1302
1303 Note that the implementation of this setting might be impossible
1304 (for example if mount namespaces are not available), and the unit
1305 should be written in a way that does not solely rely on this
1306 setting for security.
1307
1308 This option is only available for system services and is not
1309 supported for services running in per-user instances of the service
1310 manager.
1311
1312 PrivateDevices=
1313 Takes a boolean argument. If true, sets up a new /dev/ mount for
1314 the executed processes and only adds API pseudo devices such as
1315 /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY
1316 subsystem) to it, but no physical devices such as /dev/sda, system
1317 memory /dev/mem, system ports /dev/port and others. This is useful
1318 to securely turn off physical device access by the executed
1319 process. Defaults to false. Enabling this option will install a
1320 system call filter to block low-level I/O system calls that are
1321 grouped in the @raw-io set, will also remove CAP_MKNOD and
1322 CAP_SYS_RAWIO from the capability bounding set for the unit (see
1323 above), and set DevicePolicy=closed (see systemd.resource-
1324 control(5) for details). Note that using this setting will
1325 disconnect propagation of mounts from the service to the host
1326 (propagation in the opposite direction continues to work). This
1327 means that this setting may not be used for services which shall be
1328 able to install mount points in the main mount namespace. The new
1329 /dev/ will be mounted read-only and 'noexec'. The latter may break
1330 old programs which try to set up executable memory by using mmap(2)
1331 of /dev/zero instead of using MAP_ANON. For this setting the same
1332 restrictions regarding mount propagation and privileges apply as
1333 for ReadOnlyPaths= and related calls, see above. If turned on and
1334 if running in user mode, or in system mode, but without the
1335 CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes
1336 is implied.
1337
1338 Note that the implementation of this setting might be impossible
1339 (for example if mount namespaces are not available), and the unit
1340 should be written in a way that does not solely rely on this
1341 setting for security.
1342
1343 This option is only available for system services and is not
1344 supported for services running in per-user instances of the service
1345 manager.
1346
1347 PrivateNetwork=
1348 Takes a boolean argument. If true, sets up a new network namespace
1349 for the executed processes and configures only the loopback network
1350 device "lo" inside it. No other network devices will be available
1351 to the executed process. This is useful to turn off network access
1352 by the executed process. Defaults to false. It is possible to run
1353 two or more units within the same private network namespace by
1354 using the JoinsNamespaceOf= directive, see systemd.unit(5) for
1355 details. Note that this option will disconnect all socket families
1356 from the host, including AF_NETLINK and AF_UNIX. Effectively, for
1357 AF_NETLINK this means that device configuration events received
1358 from systemd-udevd.service(8) are not delivered to the unit's
1359 processes. And for AF_UNIX this has the effect that AF_UNIX sockets
1360 in the abstract socket namespace of the host will become
1361 unavailable to the unit's processes (however, those located in the
1362 file system will continue to be accessible).
1363
1364 Note that the implementation of this setting might be impossible
1365 (for example if network namespaces are not available), and the unit
1366 should be written in a way that does not solely rely on this
1367 setting for security.
1368
1369 When this option is used on a socket unit any sockets bound on
1370 behalf of this unit will be bound within a private network
1371 namespace. This may be combined with JoinsNamespaceOf= to listen on
1372 sockets inside of network namespaces of other services.
1373
1374 This option is only available for system services and is not
1375 supported for services running in per-user instances of the service
1376 manager.
1377
1378 NetworkNamespacePath=
1379 Takes an absolute file system path refererring to a Linux network
1380 namespace pseudo-file (i.e. a file like /proc/$PID/ns/net or a bind
1381 mount or symlink to one). When set the invoked processes are added
1382 to the network namespace referenced by that path. The path has to
1383 point to a valid namespace file at the moment the processes are
1384 forked off. If this option is used PrivateNetwork= has no effect.
1385 If this option is used together with JoinsNamespaceOf= then it only
1386 has an effect if this unit is started before any of the listed
1387 units that have PrivateNetwork= or NetworkNamespacePath=
1388 configured, as otherwise the network namespace of those units is
1389 reused.
1390
1391 When this option is used on a socket unit any sockets bound on
1392 behalf of this unit will be bound within the specified network
1393 namespace.
1394
1395 This option is only available for system services and is not
1396 supported for services running in per-user instances of the service
1397 manager.
1398
1399 PrivateIPC=
1400 Takes a boolean argument. If true, sets up a new IPC namespace for
1401 the executed processes. Each IPC namespace has its own set of
1402 System V IPC identifiers and its own POSIX message queue file
1403 system. This is useful to avoid name clash of IPC identifiers.
1404 Defaults to false. It is possible to run two or more units within
1405 the same private IPC namespace by using the JoinsNamespaceOf=
1406 directive, see systemd.unit(5) for details.
1407
1408 Note that IPC namespacing does not have an effect on AF_UNIX
1409 sockets, which are the most common form of IPC used on Linux.
1410 Instead, AF_UNIX sockets in the file system are subject to mount
1411 namespacing, and those in the abstract namespace are subject to
1412 network namespacing. IPC namespacing only has an effect on SysV IPC
1413 (which is mostly legacy) as well as POSIX message queues (for which
1414 AF_UNIX/SOCK_SEQPACKET sockets are typically a better replacement).
1415 IPC namespacing also has no effect on POSIX shared memory (which is
1416 subject to mount namespacing) either. See ipc_namespaces(7) for the
1417 details.
1418
1419 Note that the implementation of this setting might be impossible
1420 (for example if IPC namespaces are not available), and the unit
1421 should be written in a way that does not solely rely on this
1422 setting for security.
1423
1424 This option is only available for system services and is not
1425 supported for services running in per-user instances of the service
1426 manager.
1427
1428 IPCNamespacePath=
1429 Takes an absolute file system path refererring to a Linux IPC
1430 namespace pseudo-file (i.e. a file like /proc/$PID/ns/ipc or a bind
1431 mount or symlink to one). When set the invoked processes are added
1432 to the network namespace referenced by that path. The path has to
1433 point to a valid namespace file at the moment the processes are
1434 forked off. If this option is used PrivateIPC= has no effect. If
1435 this option is used together with JoinsNamespaceOf= then it only
1436 has an effect if this unit is started before any of the listed
1437 units that have PrivateIPC= or IPCNamespacePath= configured, as
1438 otherwise the network namespace of those units is reused.
1439
1440 This option is only available for system services and is not
1441 supported for services running in per-user instances of the service
1442 manager.
1443
1444 PrivateUsers=
1445 Takes a boolean argument. If true, sets up a new user namespace for
1446 the executed processes and configures a minimal user and group
1447 mapping, that maps the "root" user and group as well as the unit's
1448 own user and group to themselves and everything else to the
1449 "nobody" user and group. This is useful to securely detach the user
1450 and group databases used by the unit from the rest of the system,
1451 and thus to create an effective sandbox environment. All files,
1452 directories, processes, IPC objects and other resources owned by
1453 users/groups not equaling "root" or the unit's own will stay
1454 visible from within the unit but appear owned by the "nobody" user
1455 and group. If this mode is enabled, all unit processes are run
1456 without privileges in the host user namespace (regardless if the
1457 unit's own user/group is "root" or not). Specifically this means
1458 that the process will have zero process capabilities on the host's
1459 user namespace, but full capabilities within the service's user
1460 namespace. Settings such as CapabilityBoundingSet= will affect only
1461 the latter, and there's no way to acquire additional capabilities
1462 in the host's user namespace. Defaults to off.
1463
1464 When this setting is set up by a per-user instance of the service
1465 manager, the mapping of the "root" user and group to itself is
1466 omitted (unless the user manager is root). Additionally, in the
1467 per-user instance manager case, the user namespace will be set up
1468 before most other namespaces. This means that combining
1469 PrivateUsers=true with other namespaces will enable use of features
1470 not normally supported by the per-user instances of the service
1471 manager.
1472
1473 This setting is particularly useful in conjunction with
1474 RootDirectory=/RootImage=, as the need to synchronize the user and
1475 group databases in the root directory and on the host is reduced,
1476 as the only users and groups who need to be matched are "root",
1477 "nobody" and the unit's own user and group.
1478
1479 Note that the implementation of this setting might be impossible
1480 (for example if user namespaces are not available), and the unit
1481 should be written in a way that does not solely rely on this
1482 setting for security.
1483
1484 ProtectHostname=
1485 Takes a boolean argument. When set, sets up a new UTS namespace for
1486 the executed processes. In addition, changing hostname or
1487 domainname is prevented. Defaults to off.
1488
1489 Note that the implementation of this setting might be impossible
1490 (for example if UTS namespaces are not available), and the unit
1491 should be written in a way that does not solely rely on this
1492 setting for security.
1493
1494 Note that when this option is enabled for a service hostname
1495 changes no longer propagate from the system into the service, it is
1496 hence not suitable for services that need to take notice of system
1497 hostname changes dynamically.
1498
1499 If this setting is on, but the unit doesn't have the CAP_SYS_ADMIN
1500 capability (e.g. services for which User= is set),
1501 NoNewPrivileges=yes is implied.
1502
1503 This option is only available for system services and is not
1504 supported for services running in per-user instances of the service
1505 manager.
1506
1507 ProtectClock=
1508 Takes a boolean argument. If set, writes to the hardware clock or
1509 system clock will be denied. It is recommended to turn this on for
1510 most services that do not need modify the clock. Defaults to off.
1511 Enabling this option removes CAP_SYS_TIME and CAP_WAKE_ALARM from
1512 the capability bounding set for this unit, installs a system call
1513 filter to block calls that can set the clock, and
1514 DeviceAllow=char-rtc r is implied. This ensures /dev/rtc0,
1515 /dev/rtc1, etc. are made read-only to the service. See
1516 systemd.resource-control(5) for the details about DeviceAllow=. If
1517 this setting is on, but the unit doesn't have the CAP_SYS_ADMIN
1518 capability (e.g. services for which User= is set),
1519 NoNewPrivileges=yes is implied.
1520
1521 This option is only available for system services and is not
1522 supported for services running in per-user instances of the service
1523 manager.
1524
1525 ProtectKernelTunables=
1526 Takes a boolean argument. If true, kernel variables accessible
1527 through /proc/sys/, /sys/, /proc/sysrq-trigger,
1528 /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and
1529 /proc/irq will be made read-only to all processes of the unit.
1530 Usually, tunable kernel variables should be initialized only at
1531 boot-time, for example with the sysctl.d(5) mechanism. Few services
1532 need to write to these at runtime; it is hence recommended to turn
1533 this on for most services. For this setting the same restrictions
1534 regarding mount propagation and privileges apply as for
1535 ReadOnlyPaths= and related calls, see above. Defaults to off. If
1536 this setting is on, but the unit doesn't have the CAP_SYS_ADMIN
1537 capability (e.g. services for which User= is set),
1538 NoNewPrivileges=yes is implied. Note that this option does not
1539 prevent indirect changes to kernel tunables effected by IPC calls
1540 to other processes. However, InaccessiblePaths= may be used to make
1541 relevant IPC file system objects inaccessible. If
1542 ProtectKernelTunables= is set, MountAPIVFS=yes is implied.
1543
1544 This option is only available for system services and is not
1545 supported for services running in per-user instances of the service
1546 manager.
1547
1548 ProtectKernelModules=
1549 Takes a boolean argument. If true, explicit module loading will be
1550 denied. This allows module load and unload operations to be turned
1551 off on modular kernels. It is recommended to turn this on for most
1552 services that do not need special file systems or extra kernel
1553 modules to work. Defaults to off. Enabling this option removes
1554 CAP_SYS_MODULE from the capability bounding set for the unit, and
1555 installs a system call filter to block module system calls, also
1556 /usr/lib/modules is made inaccessible. For this setting the same
1557 restrictions regarding mount propagation and privileges apply as
1558 for ReadOnlyPaths= and related calls, see above. Note that limited
1559 automatic module loading due to user configuration or kernel
1560 mapping tables might still happen as side effect of requested user
1561 operations, both privileged and unprivileged. To disable module
1562 auto-load feature please see sysctl.d(5) kernel.modules_disabled
1563 mechanism and /proc/sys/kernel/modules_disabled documentation. If
1564 this setting is on, but the unit doesn't have the CAP_SYS_ADMIN
1565 capability (e.g. services for which User= is set),
1566 NoNewPrivileges=yes is implied.
1567
1568 This option is only available for system services and is not
1569 supported for services running in per-user instances of the service
1570 manager.
1571
1572 ProtectKernelLogs=
1573 Takes a boolean argument. If true, access to the kernel log ring
1574 buffer will be denied. It is recommended to turn this on for most
1575 services that do not need to read from or write to the kernel log
1576 ring buffer. Enabling this option removes CAP_SYSLOG from the
1577 capability bounding set for this unit, and installs a system call
1578 filter to block the syslog(2) system call (not to be confused with
1579 the libc API syslog(3) for userspace logging). The kernel exposes
1580 its log buffer to userspace via /dev/kmsg and /proc/kmsg. If
1581 enabled, these are made inaccessible to all the processes in the
1582 unit. If this setting is on, but the unit doesn't have the
1583 CAP_SYS_ADMIN capability (e.g. services for which User= is set),
1584 NoNewPrivileges=yes is implied.
1585
1586 This option is only available for system services and is not
1587 supported for services running in per-user instances of the service
1588 manager.
1589
1590 ProtectControlGroups=
1591 Takes a boolean argument. If true, the Linux Control Groups
1592 (cgroups(7)) hierarchies accessible through /sys/fs/cgroup/ will be
1593 made read-only to all processes of the unit. Except for container
1594 managers no services should require write access to the control
1595 groups hierarchies; it is hence recommended to turn this on for
1596 most services. For this setting the same restrictions regarding
1597 mount propagation and privileges apply as for ReadOnlyPaths= and
1598 related calls, see above. Defaults to off. If ProtectControlGroups=
1599 is set, MountAPIVFS=yes is implied.
1600
1601 This option is only available for system services and is not
1602 supported for services running in per-user instances of the service
1603 manager.
1604
1605 RestrictAddressFamilies=
1606 Restricts the set of socket address families accessible to the
1607 processes of this unit. Takes a space-separated list of address
1608 family names to allow-list, such as AF_UNIX, AF_INET or AF_INET6.
1609 When prefixed with ~ the listed address families will be applied as
1610 deny list, otherwise as allow list. Note that this restricts access
1611 to the socket(2) system call only. Sockets passed into the process
1612 by other means (for example, by using socket activation with socket
1613 units, see systemd.socket(5)) are unaffected. Also, sockets created
1614 with socketpair() (which creates connected AF_UNIX sockets only)
1615 are unaffected. Note that this option has no effect on 32-bit x86,
1616 s390, s390x, mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is
1617 ignored (but works correctly on other ABIs, including x86-64). Note
1618 that on systems supporting multiple ABIs (such as x86/x86-64) it is
1619 recommended to turn off alternative ABIs for services, so that they
1620 cannot be used to circumvent the restrictions of this option.
1621 Specifically, it is recommended to combine this option with
1622 SystemCallArchitectures=native or similar. If running in user mode,
1623 or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1624 setting User=), NoNewPrivileges=yes is implied. By default, no
1625 restrictions apply, all address families are accessible to
1626 processes. If assigned the empty string, any previous address
1627 family restriction changes are undone. This setting does not affect
1628 commands prefixed with "+".
1629
1630 Use this option to limit exposure of processes to remote access, in
1631 particular via exotic and sensitive network protocols, such as
1632 AF_PACKET. Note that in most cases, the local AF_UNIX address
1633 family should be included in the configured allow list as it is
1634 frequently used for local communication, including for syslog(2)
1635 logging.
1636
1637 RestrictNamespaces=
1638 Restricts access to Linux namespace functionality for the processes
1639 of this unit. For details about Linux namespaces, see
1640 namespaces(7). Either takes a boolean argument, or a
1641 space-separated list of namespace type identifiers. If false (the
1642 default), no restrictions on namespace creation and switching are
1643 made. If true, access to any kind of namespacing is prohibited.
1644 Otherwise, a space-separated list of namespace type identifiers
1645 must be specified, consisting of any combination of: cgroup, ipc,
1646 net, mnt, pid, user and uts. Any namespace type listed is made
1647 accessible to the unit's processes, access to namespace types not
1648 listed is prohibited (allow-listing). By prepending the list with a
1649 single tilde character ("~") the effect may be inverted: only the
1650 listed namespace types will be made inaccessible, all unlisted ones
1651 are permitted (deny-listing). If the empty string is assigned, the
1652 default namespace restrictions are applied, which is equivalent to
1653 false. This option may appear more than once, in which case the
1654 namespace types are merged by OR, or by AND if the lines are
1655 prefixed with "~" (see examples below). Internally, this setting
1656 limits access to the unshare(2), clone(2) and setns(2) system
1657 calls, taking the specified flags parameters into account. Note
1658 that — if this option is used — in addition to restricting creation
1659 and switching of the specified types of namespaces (or all of them,
1660 if true) access to the setns() system call with a zero flags
1661 parameter is prohibited. This setting is only supported on x86,
1662 x86-64, mips, mips-le, mips64, mips64-le, mips64-n32,
1663 mips64-le-n32, ppc64, ppc64-le, s390 and s390x, and enforces no
1664 restrictions on other architectures. If running in user mode, or in
1665 system mode, but without the CAP_SYS_ADMIN capability (e.g. setting
1666 User=), NoNewPrivileges=yes is implied.
1667
1668 Example: if a unit has the following,
1669
1670 RestrictNamespaces=cgroup ipc
1671 RestrictNamespaces=cgroup net
1672
1673 then cgroup, ipc, and net are set. If the second line is prefixed
1674 with "~", e.g.,
1675
1676 RestrictNamespaces=cgroup ipc
1677 RestrictNamespaces=~cgroup net
1678
1679 then, only ipc is set.
1680
1681 LockPersonality=
1682 Takes a boolean argument. If set, locks down the personality(2)
1683 system call so that the kernel execution domain may not be changed
1684 from the default or the personality selected with Personality=
1685 directive. This may be useful to improve security, because odd
1686 personality emulations may be poorly tested and source of
1687 vulnerabilities. If running in user mode, or in system mode, but
1688 without the CAP_SYS_ADMIN capability (e.g. setting User=),
1689 NoNewPrivileges=yes is implied.
1690
1691 MemoryDenyWriteExecute=
1692 Takes a boolean argument. If set, attempts to create memory
1693 mappings that are writable and executable at the same time, or to
1694 change existing memory mappings to become executable, or mapping
1695 shared memory segments as executable are prohibited. Specifically,
1696 a system call filter is added that rejects mmap(2) system calls
1697 with both PROT_EXEC and PROT_WRITE set, mprotect(2) or
1698 pkey_mprotect(2) system calls with PROT_EXEC set and shmat(2)
1699 system calls with SHM_EXEC set. Note that this option is
1700 incompatible with programs and libraries that generate program code
1701 dynamically at runtime, including JIT execution engines, executable
1702 stacks, and code "trampoline" feature of various C compilers. This
1703 option improves service security, as it makes harder for software
1704 exploits to change running code dynamically. However, the
1705 protection can be circumvented, if the service can write to a
1706 filesystem, which is not mounted with noexec (such as /dev/shm), or
1707 it can use memfd_create(). This can be prevented by making such
1708 file systems inaccessible to the service (e.g.
1709 InaccessiblePaths=/dev/shm) and installing further system call
1710 filters (SystemCallFilter=~memfd_create). Note that this feature is
1711 fully available on x86-64, and partially on x86. Specifically, the
1712 shmat() protection is not available on x86. Note that on systems
1713 supporting multiple ABIs (such as x86/x86-64) it is recommended to
1714 turn off alternative ABIs for services, so that they cannot be used
1715 to circumvent the restrictions of this option. Specifically, it is
1716 recommended to combine this option with
1717 SystemCallArchitectures=native or similar. If running in user mode,
1718 or in system mode, but without the CAP_SYS_ADMIN capability (e.g.
1719 setting User=), NoNewPrivileges=yes is implied.
1720
1721 RestrictRealtime=
1722 Takes a boolean argument. If set, any attempts to enable realtime
1723 scheduling in a process of the unit are refused. This restricts
1724 access to realtime task scheduling policies such as SCHED_FIFO,
1725 SCHED_RR or SCHED_DEADLINE. See sched(7) for details about these
1726 scheduling policies. If running in user mode, or in system mode,
1727 but without the CAP_SYS_ADMIN capability (e.g. setting User=),
1728 NoNewPrivileges=yes is implied. Realtime scheduling policies may be
1729 used to monopolize CPU time for longer periods of time, and may
1730 hence be used to lock up or otherwise trigger Denial-of-Service
1731 situations on the system. It is hence recommended to restrict
1732 access to realtime scheduling to the few programs that actually
1733 require them. Defaults to off.
1734
1735 RestrictSUIDSGID=
1736 Takes a boolean argument. If set, any attempts to set the
1737 set-user-ID (SUID) or set-group-ID (SGID) bits on files or
1738 directories will be denied (for details on these bits see
1739 inode(7)). If running in user mode, or in system mode, but without
1740 the CAP_SYS_ADMIN capability (e.g. setting User=),
1741 NoNewPrivileges=yes is implied. As the SUID/SGID bits are
1742 mechanisms to elevate privileges, and allows users to acquire the
1743 identity of other users, it is recommended to restrict creation of
1744 SUID/SGID files to the few programs that actually require them.
1745 Note that this restricts marking of any type of file system object
1746 with these bits, including both regular files and directories
1747 (where the SGID is a different meaning than for files, see
1748 documentation). This option is implied if DynamicUser= is enabled.
1749 Defaults to off.
1750
1751 RemoveIPC=
1752 Takes a boolean parameter. If set, all System V and POSIX IPC
1753 objects owned by the user and group the processes of this unit are
1754 run as are removed when the unit is stopped. This setting only has
1755 an effect if at least one of User=, Group= and DynamicUser= are
1756 used. It has no effect on IPC objects owned by the root user.
1757 Specifically, this removes System V semaphores, as well as System V
1758 and POSIX shared memory segments and message queues. If multiple
1759 units use the same user or group the IPC objects are removed when
1760 the last of these units is stopped. This setting is implied if
1761 DynamicUser= is set.
1762
1763 This option is only available for system services and is not
1764 supported for services running in per-user instances of the service
1765 manager.
1766
1767 PrivateMounts=
1768 Takes a boolean parameter. If set, the processes of this unit will
1769 be run in their own private file system (mount) namespace with all
1770 mount propagation from the processes towards the host's main file
1771 system namespace turned off. This means any file system mount
1772 points established or removed by the unit's processes will be
1773 private to them and not be visible to the host. However, file
1774 system mount points established or removed on the host will be
1775 propagated to the unit's processes. See mount_namespaces(7) for
1776 details on file system namespaces. Defaults to off.
1777
1778 When turned on, this executes three operations for each invoked
1779 process: a new CLONE_NEWNS namespace is created, after which all
1780 existing mounts are remounted to MS_SLAVE to disable propagation
1781 from the unit's processes to the host (but leaving propagation in
1782 the opposite direction in effect). Finally, the mounts are
1783 remounted again to the propagation mode configured with
1784 MountFlags=, see below.
1785
1786 File system namespaces are set up individually for each process
1787 forked off by the service manager. Mounts established in the
1788 namespace of the process created by ExecStartPre= will hence be
1789 cleaned up automatically as soon as that process exits and will not
1790 be available to subsequent processes forked off for ExecStart= (and
1791 similar applies to the various other commands configured for
1792 units). Similarly, JoinsNamespaceOf= does not permit sharing kernel
1793 mount namespaces between units, it only enables sharing of the
1794 /tmp/ and /var/tmp/ directories.
1795
1796 Other file system namespace unit settings — PrivateMounts=,
1797 PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=,
1798 ReadOnlyPaths=, InaccessiblePaths=, ReadWritePaths=, ... — also
1799 enable file system namespacing in a fashion equivalent to this
1800 option. Hence it is primarily useful to explicitly request this
1801 behaviour if none of the other settings are used.
1802
1803 This option is only available for system services and is not
1804 supported for services running in per-user instances of the service
1805 manager.
1806
1807 MountFlags=
1808 Takes a mount propagation setting: shared, slave or private, which
1809 controls whether file system mount points in the file system
1810 namespaces set up for this unit's processes will receive or
1811 propagate mounts and unmounts from other file system namespaces.
1812 See mount(2) for details on mount propagation, and the three
1813 propagation flags in particular.
1814
1815 This setting only controls the final propagation setting in effect
1816 on all mount points of the file system namespace created for each
1817 process of this unit. Other file system namespacing unit settings
1818 (see the discussion in PrivateMounts= above) will implicitly
1819 disable mount and unmount propagation from the unit's processes
1820 towards the host by changing the propagation setting of all mount
1821 points in the unit's file system namespace to slave first. Setting
1822 this option to shared does not reestablish propagation in that
1823 case.
1824
1825 If not set – but file system namespaces are enabled through another
1826 file system namespace unit setting – shared mount propagation is
1827 used, but — as mentioned — as slave is applied first, propagation
1828 from the unit's processes to the host is still turned off.
1829
1830 It is not recommended to use private mount propagation for units,
1831 as this means temporary mounts (such as removable media) of the
1832 host will stay mounted and thus indefinitely busy in forked off
1833 processes, as unmount propagation events won't be received by the
1834 file system namespace of the unit.
1835
1836 Usually, it is best to leave this setting unmodified, and use
1837 higher level file system namespacing options instead, in particular
1838 PrivateMounts=, see above.
1839
1840 This option is only available for system services and is not
1841 supported for services running in per-user instances of the service
1842 manager.
1843
1845 SystemCallFilter=
1846 Takes a space-separated list of system call names. If this setting
1847 is used, all system calls executed by the unit processes except for
1848 the listed ones will result in immediate process termination with
1849 the SIGSYS signal (allow-listing). (See SystemCallErrorNumber=
1850 below for changing the default action). If the first character of
1851 the list is "~", the effect is inverted: only the listed system
1852 calls will result in immediate process termination (deny-listing).
1853 Deny-listed system calls and system call groups may optionally be
1854 suffixed with a colon (":") and "errno" error number (between 0 and
1855 4095) or errno name such as EPERM, EACCES or EUCLEAN (see errno(3)
1856 for a full list). This value will be returned when a deny-listed
1857 system call is triggered, instead of terminating the processes
1858 immediately. Special setting "kill" can be used to explicitly
1859 specify killing. This value takes precedence over the one given in
1860 SystemCallErrorNumber=, see below. If running in user mode, or in
1861 system mode, but without the CAP_SYS_ADMIN capability (e.g. setting
1862 User=), NoNewPrivileges=yes is implied. This feature makes use of
1863 the Secure Computing Mode 2 interfaces of the kernel ('seccomp
1864 filtering') and is useful for enforcing a minimal sandboxing
1865 environment. Note that the execve(), exit(), exit_group(),
1866 getrlimit(), rt_sigreturn(), sigreturn() system calls and the
1867 system calls for querying time and sleeping are implicitly
1868 allow-listed and do not need to be listed explicitly. This option
1869 may be specified more than once, in which case the filter masks are
1870 merged. If the empty string is assigned, the filter is reset, all
1871 prior assignments will have no effect. This does not affect
1872 commands prefixed with "+".
1873
1874 Note that on systems supporting multiple ABIs (such as x86/x86-64)
1875 it is recommended to turn off alternative ABIs for services, so
1876 that they cannot be used to circumvent the restrictions of this
1877 option. Specifically, it is recommended to combine this option with
1878 SystemCallArchitectures=native or similar.
1879
1880 Note that strict system call filters may impact execution and error
1881 handling code paths of the service invocation. Specifically, access
1882 to the execve() system call is required for the execution of the
1883 service binary — if it is blocked service invocation will
1884 necessarily fail. Also, if execution of the service binary fails
1885 for some reason (for example: missing service executable), the
1886 error handling logic might require access to an additional set of
1887 system calls in order to process and log this failure correctly. It
1888 might be necessary to temporarily disable system call filters in
1889 order to simplify debugging of such failures.
1890
1891 If you specify both types of this option (i.e. allow-listing and
1892 deny-listing), the first encountered will take precedence and will
1893 dictate the default action (termination or approval of a system
1894 call). Then the next occurrences of this option will add or delete
1895 the listed system calls from the set of the filtered system calls,
1896 depending of its type and the default action. (For example, if you
1897 have started with an allow list rule for read() and write(), and
1898 right after it add a deny list rule for write(), then write() will
1899 be removed from the set.)
1900
1901 As the number of possible system calls is large, predefined sets of
1902 system calls are provided. A set starts with "@" character,
1903 followed by name of the set.
1904
1905 Table 3. Currently predefined system call sets
1906 ┌────────────────┬────────────────────────────┐
1907 │Set │ Description │
1908 ├────────────────┼────────────────────────────┤
1909 │@aio │ Asynchronous I/O │
1910 │ │ (io_setup(2), │
1911 │ │ io_submit(2), and related │
1912 │ │ calls) │
1913 ├────────────────┼────────────────────────────┤
1914 │@basic-io │ System calls for basic │
1915 │ │ I/O: reading, writing, │
1916 │ │ seeking, file descriptor │
1917 │ │ duplication and closing │
1918 │ │ (read(2), write(2), and │
1919 │ │ related calls) │
1920 ├────────────────┼────────────────────────────┤
1921 │@chown │ Changing file ownership │
1922 │ │ (chown(2), fchownat(2), │
1923 │ │ and related calls) │
1924 ├────────────────┼────────────────────────────┤
1925 │@clock │ System calls for changing │
1926 │ │ the system clock │
1927 │ │ (adjtimex(2), │
1928 │ │ settimeofday(2), and │
1929 │ │ related calls) │
1930 ├────────────────┼────────────────────────────┤
1931 │@cpu-emulation │ System calls for CPU │
1932 │ │ emulation functionality │
1933 │ │ (vm86(2) and related │
1934 │ │ calls) │
1935 ├────────────────┼────────────────────────────┤
1936 │@debug │ Debugging, performance │
1937 │ │ monitoring and tracing │
1938 │ │ functionality (ptrace(2), │
1939 │ │ perf_event_open(2) and │
1940 │ │ related calls) │
1941 ├────────────────┼────────────────────────────┤
1942 │@file-system │ File system operations: │
1943 │ │ opening, creating files │
1944 │ │ and directories for read │
1945 │ │ and write, renaming and │
1946 │ │ removing them, reading │
1947 │ │ file properties, or │
1948 │ │ creating hard and symbolic │
1949 │ │ links │
1950 ├────────────────┼────────────────────────────┤
1951 │@io-event │ Event loop system calls │
1952 │ │ (poll(2), select(2), │
1953 │ │ epoll(7), eventfd(2) and │
1954 │ │ related calls) │
1955 ├────────────────┼────────────────────────────┤
1956 │@ipc │ Pipes, SysV IPC, POSIX │
1957 │ │ Message Queues and other │
1958 │ │ IPC (mq_overview(7), │
1959 │ │ svipc(7)) │
1960 ├────────────────┼────────────────────────────┤
1961 │@keyring │ Kernel keyring access │
1962 │ │ (keyctl(2) and related │
1963 │ │ calls) │
1964 ├────────────────┼────────────────────────────┤
1965 │@memlock │ Locking of memory in RAM │
1966 │ │ (mlock(2), mlockall(2) and │
1967 │ │ related calls) │
1968 ├────────────────┼────────────────────────────┤
1969 │@module │ Loading and unloading of │
1970 │ │ kernel modules │
1971 │ │ (init_module(2), │
1972 │ │ delete_module(2) and │
1973 │ │ related calls) │
1974 ├────────────────┼────────────────────────────┤
1975 │@mount │ Mounting and unmounting of │
1976 │ │ file systems (mount(2), │
1977 │ │ chroot(2), and related │
1978 │ │ calls) │
1979 ├────────────────┼────────────────────────────┤
1980 │@network-io │ Socket I/O (including │
1981 │ │ local AF_UNIX): socket(7), │
1982 │ │ unix(7) │
1983 ├────────────────┼────────────────────────────┤
1984 │@obsolete │ Unusual, obsolete or │
1985 │ │ unimplemented │
1986 │ │ (create_module(2), │
1987 │ │ gtty(2), ...) │
1988 ├────────────────┼────────────────────────────┤
1989 │@privileged │ All system calls which │
1990 │ │ need super-user │
1991 │ │ capabilities │
1992 │ │ (capabilities(7)) │
1993 ├────────────────┼────────────────────────────┤
1994 │@process │ Process control, │
1995 │ │ execution, namespacing │
1996 │ │ operations (clone(2), │
1997 │ │ kill(2), namespaces(7), │
1998 │ │ ...) │
1999 ├────────────────┼────────────────────────────┤
2000 │@raw-io │ Raw I/O port access │
2001 │ │ (ioperm(2), iopl(2), │
2002 │ │ pciconfig_read(), ...) │
2003 ├────────────────┼────────────────────────────┤
2004 │@reboot │ System calls for rebooting │
2005 │ │ and reboot preparation │
2006 │ │ (reboot(2), kexec(), ...) │
2007 ├────────────────┼────────────────────────────┤
2008 │@resources │ System calls for changing │
2009 │ │ resource limits, memory │
2010 │ │ and scheduling parameters │
2011 │ │ (setrlimit(2), │
2012 │ │ setpriority(2), ...) │
2013 ├────────────────┼────────────────────────────┤
2014 │@setuid │ System calls for changing │
2015 │ │ user ID and group ID │
2016 │ │ credentials, (setuid(2), │
2017 │ │ setgid(2), setresuid(2), │
2018 │ │ ...) │
2019 ├────────────────┼────────────────────────────┤
2020 │@signal │ System calls for │
2021 │ │ manipulating and handling │
2022 │ │ process signals │
2023 │ │ (signal(2), │
2024 │ │ sigprocmask(2), ...) │
2025 ├────────────────┼────────────────────────────┤
2026 │@swap │ System calls for │
2027 │ │ enabling/disabling swap │
2028 │ │ devices (swapon(2), │
2029 │ │ swapoff(2)) │
2030 ├────────────────┼────────────────────────────┤
2031 │@sync │ Synchronizing files and │
2032 │ │ memory to disk (fsync(2), │
2033 │ │ msync(2), and related │
2034 │ │ calls) │
2035 ├────────────────┼────────────────────────────┤
2036 │@system-service │ A reasonable set of system │
2037 │ │ calls used by common │
2038 │ │ system services, excluding │
2039 │ │ any special purpose calls. │
2040 │ │ This is the recommended │
2041 │ │ starting point for │
2042 │ │ allow-listing system calls │
2043 │ │ for system services, as it │
2044 │ │ contains what is typically │
2045 │ │ needed by system services, │
2046 │ │ but excludes overly │
2047 │ │ specific interfaces. For │
2048 │ │ example, the following │
2049 │ │ APIs are excluded: │
2050 │ │ "@clock", "@mount", │
2051 │ │ "@swap", "@reboot". │
2052 ├────────────────┼────────────────────────────┤
2053 │@timer │ System calls for │
2054 │ │ scheduling operations by │
2055 │ │ time (alarm(2), │
2056 │ │ timer_create(2), ...) │
2057 ├────────────────┼────────────────────────────┤
2058 │@known │ All system calls defined │
2059 │ │ by the kernel. This list │
2060 │ │ is defined statically in │
2061 │ │ systemd based on a kernel │
2062 │ │ version that was available │
2063 │ │ when this systemd version │
2064 │ │ was released. It will │
2065 │ │ become progressively more │
2066 │ │ out-of-date as the kernel │
2067 │ │ is updated. │
2068 └────────────────┴────────────────────────────┘
2069 Note, that as new system calls are added to the kernel, additional
2070 system calls might be added to the groups above. Contents of the
2071 sets may also change between systemd versions. In addition, the
2072 list of system calls depends on the kernel version and architecture
2073 for which systemd was compiled. Use systemd-analyze syscall-filter
2074 to list the actual list of system calls in each filter.
2075
2076 Generally, allow-listing system calls (rather than deny-listing) is
2077 the safer mode of operation. It is recommended to enforce system
2078 call allow lists for all long-running system services.
2079 Specifically, the following lines are a relatively safe basic
2080 choice for the majority of system services:
2081
2082 [Service]
2083 SystemCallFilter=@system-service
2084 SystemCallErrorNumber=EPERM
2085
2086 Note that various kernel system calls are defined redundantly:
2087 there are multiple system calls for executing the same operation.
2088 For example, the pidfd_send_signal() system call may be used to
2089 execute operations similar to what can be done with the older
2090 kill() system call, hence blocking the latter without the former
2091 only provides weak protection. Since new system calls are added
2092 regularly to the kernel as development progresses, keeping system
2093 call deny lists comprehensive requires constant work. It is thus
2094 recommended to use allow-listing instead, which offers the benefit
2095 that new system calls are by default implicitly blocked until the
2096 allow list is updated.
2097
2098 Also note that a number of system calls are required to be
2099 accessible for the dynamic linker to work. The dynamic linker is
2100 required for running most regular programs (specifically: all
2101 dynamic ELF binaries, which is how most distributions build
2102 packaged programs). This means that blocking these system calls
2103 (which include open(), openat() or mmap()) will make most programs
2104 typically shipped with generic distributions unusable.
2105
2106 It is recommended to combine the file system namespacing related
2107 options with SystemCallFilter=~@mount, in order to prohibit the
2108 unit's processes to undo the mappings. Specifically these are the
2109 options PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=,
2110 ProtectKernelTunables=, ProtectControlGroups=, ProtectKernelLogs=,
2111 ProtectClock=, ReadOnlyPaths=, InaccessiblePaths= and
2112 ReadWritePaths=.
2113
2114 SystemCallErrorNumber=
2115 Takes an "errno" error number (between 1 and 4095) or errno name
2116 such as EPERM, EACCES or EUCLEAN, to return when the system call
2117 filter configured with SystemCallFilter= is triggered, instead of
2118 terminating the process immediately. See errno(3) for a full list
2119 of error codes. When this setting is not used, or when the empty
2120 string or the special setting "kill" is assigned, the process will
2121 be terminated immediately when the filter is triggered.
2122
2123 SystemCallArchitectures=
2124 Takes a space-separated list of architecture identifiers to include
2125 in the system call filter. The known architecture identifiers are
2126 the same as for ConditionArchitecture= described in
2127 systemd.unit(5), as well as x32, mips64-n32, mips64-le-n32, and the
2128 special identifier native. The special identifier native implicitly
2129 maps to the native architecture of the system (or more precisely:
2130 to the architecture the system manager is compiled for). If running
2131 in user mode, or in system mode, but without the CAP_SYS_ADMIN
2132 capability (e.g. setting User=), NoNewPrivileges=yes is implied. By
2133 default, this option is set to the empty list, i.e. no filtering is
2134 applied.
2135
2136 If this setting is used, processes of this unit will only be
2137 permitted to call native system calls, and system calls of the
2138 specified architectures. For the purposes of this option, the x32
2139 architecture is treated as including x86-64 system calls. However,
2140 this setting still fulfills its purpose, as explained below, on
2141 x32.
2142
2143 System call filtering is not equally effective on all
2144 architectures. For example, on x86 filtering of network
2145 socket-related calls is not possible, due to ABI limitations — a
2146 limitation that x86-64 does not have, however. On systems
2147 supporting multiple ABIs at the same time — such as x86/x86-64 — it
2148 is hence recommended to limit the set of permitted system call
2149 architectures so that secondary ABIs may not be used to circumvent
2150 the restrictions applied to the native ABI of the system. In
2151 particular, setting SystemCallArchitectures=native is a good choice
2152 for disabling non-native ABIs.
2153
2154 System call architectures may also be restricted system-wide via
2155 the SystemCallArchitectures= option in the global configuration.
2156 See systemd-system.conf(5) for details.
2157
2158 SystemCallLog=
2159 Takes a space-separated list of system call names. If this setting
2160 is used, all system calls executed by the unit processes for the
2161 listed ones will be logged. If the first character of the list is
2162 "~", the effect is inverted: all system calls except the listed
2163 system calls will be logged. If running in user mode, or in system
2164 mode, but without the CAP_SYS_ADMIN capability (e.g. setting
2165 User=), NoNewPrivileges=yes is implied. This feature makes use of
2166 the Secure Computing Mode 2 interfaces of the kernel ('seccomp
2167 filtering') and is useful for auditing or setting up a minimal
2168 sandboxing environment. This option may be specified more than
2169 once, in which case the filter masks are merged. If the empty
2170 string is assigned, the filter is reset, all prior assignments will
2171 have no effect. This does not affect commands prefixed with "+".
2172
2174 Environment=
2175 Sets environment variables for executed processes. Each line is
2176 unquoted using the rules described in "Quoting" section in
2177 systemd.syntax(5) and becomes a list of variable assignments. If
2178 you need to assign a value containing spaces or the equals sign to
2179 a variable, put quotes around the whole assignment. Variable
2180 expansion is not performed inside the strings and the "$" character
2181 has no special meaning. Specifier expansion is performed, see the
2182 "Specifiers" section in systemd.unit(5).
2183
2184 This option may be specified more than once, in which case all
2185 listed variables will be set. If the same variable is listed twice,
2186 the later setting will override the earlier setting. If the empty
2187 string is assigned to this option, the list of environment
2188 variables is reset, all prior assignments have no effect.
2189
2190 The names of the variables can contain ASCII letters, digits, and
2191 the underscore character. Variable names cannot be empty or start
2192 with a digit. In variable values, most characters are allowed, but
2193 non-printable characters are currently rejected.
2194
2195 Example:
2196
2197 Environment="VAR1=word1 word2" VAR2=word3 "VAR3=$word 5 6"
2198
2199 gives three variables "VAR1", "VAR2", "VAR3" with the values "word1
2200 word2", "word3", "$word 5 6".
2201
2202 See environ(7) for details about environment variables.
2203
2204 Note that environment variables are not suitable for passing
2205 secrets (such as passwords, key material, ...) to service
2206 processes. Environment variables set for a unit are exposed to
2207 unprivileged clients via D-Bus IPC, and generally not understood as
2208 being data that requires protection. Moreover, environment
2209 variables are propagated down the process tree, including across
2210 security boundaries (such as setuid/setgid executables), and hence
2211 might leak to processes that should not have access to the secret
2212 data. Use LoadCredential= (see below) to pass data to unit
2213 processes securely.
2214
2215 EnvironmentFile=
2216 Similar to Environment= but reads the environment variables from a
2217 text file. The text file should contain new-line-separated variable
2218 assignments. Empty lines, lines without an "=" separator, or lines
2219 starting with ; or # will be ignored, which may be used for
2220 commenting. A line ending with a backslash will be concatenated
2221 with the following one, allowing multiline variable definitions.
2222 The parser strips leading and trailing whitespace from the values
2223 of assignments, unless you use double quotes (").
2224
2225 C escapes[7] are supported, but not most control characters[8].
2226 "\t" and "\n" can be used to insert tabs and newlines within
2227 EnvironmentFile=.
2228
2229 The argument passed should be an absolute filename or wildcard
2230 expression, optionally prefixed with "-", which indicates that if
2231 the file does not exist, it will not be read and no error or
2232 warning message is logged. This option may be specified more than
2233 once in which case all specified files are read. If the empty
2234 string is assigned to this option, the list of file to read is
2235 reset, all prior assignments have no effect.
2236
2237 The files listed with this directive will be read shortly before
2238 the process is executed (more specifically, after all processes
2239 from a previous unit state terminated. This means you can generate
2240 these files in one unit state, and read it with this option in the
2241 next. The files are read from the file system of the service
2242 manager, before any file system changes like bind mounts take
2243 place).
2244
2245 Settings from these files override settings made with Environment=.
2246 If the same variable is set twice from these files, the files will
2247 be read in the order they are specified and the later setting will
2248 override the earlier setting.
2249
2250 PassEnvironment=
2251 Pass environment variables set for the system service manager to
2252 executed processes. Takes a space-separated list of variable names.
2253 This option may be specified more than once, in which case all
2254 listed variables will be passed. If the empty string is assigned to
2255 this option, the list of environment variables to pass is reset,
2256 all prior assignments have no effect. Variables specified that are
2257 not set for the system manager will not be passed and will be
2258 silently ignored. Note that this option is only relevant for the
2259 system service manager, as system services by default do not
2260 automatically inherit any environment variables set for the service
2261 manager itself. However, in case of the user service manager all
2262 environment variables are passed to the executed processes anyway,
2263 hence this option is without effect for the user service manager.
2264
2265 Variables set for invoked processes due to this setting are subject
2266 to being overridden by those configured with Environment= or
2267 EnvironmentFile=.
2268
2269 C escapes[7] are supported, but not most control characters[8].
2270 "\t" and "\n" can be used to insert tabs and newlines within
2271 EnvironmentFile=.
2272
2273 Example:
2274
2275 PassEnvironment=VAR1 VAR2 VAR3
2276
2277 passes three variables "VAR1", "VAR2", "VAR3" with the values set
2278 for those variables in PID1.
2279
2280 See environ(7) for details about environment variables.
2281
2282 UnsetEnvironment=
2283 Explicitly unset environment variable assignments that would
2284 normally be passed from the service manager to invoked processes of
2285 this unit. Takes a space-separated list of variable names or
2286 variable assignments. This option may be specified more than once,
2287 in which case all listed variables/assignments will be unset. If
2288 the empty string is assigned to this option, the list of
2289 environment variables/assignments to unset is reset. If a variable
2290 assignment is specified (that is: a variable name, followed by "=",
2291 followed by its value), then any environment variable matching this
2292 precise assignment is removed. If a variable name is specified
2293 (that is a variable name without any following "=" or value), then
2294 any assignment matching the variable name, regardless of its value
2295 is removed. Note that the effect of UnsetEnvironment= is applied as
2296 final step when the environment list passed to executed processes
2297 is compiled. That means it may undo assignments from any
2298 configuration source, including assignments made through
2299 Environment= or EnvironmentFile=, inherited from the system
2300 manager's global set of environment variables, inherited via
2301 PassEnvironment=, set by the service manager itself (such as
2302 $NOTIFY_SOCKET and such), or set by a PAM module (in case PAMName=
2303 is used).
2304
2305 See "Environment Variables in Spawned Processes" below for a
2306 description of how those settings combine to form the inherited
2307 environment. See environ(7) for general information about
2308 environment variables.
2309
2311 StandardInput=
2312 Controls where file descriptor 0 (STDIN) of the executed processes
2313 is connected to. Takes one of null, tty, tty-force, tty-fail, data,
2314 file:path, socket or fd:name.
2315
2316 If null is selected, standard input will be connected to /dev/null,
2317 i.e. all read attempts by the process will result in immediate EOF.
2318
2319 If tty is selected, standard input is connected to a TTY (as
2320 configured by TTYPath=, see below) and the executed process becomes
2321 the controlling process of the terminal. If the terminal is already
2322 being controlled by another process, the executed process waits
2323 until the current controlling process releases the terminal.
2324
2325 tty-force is similar to tty, but the executed process is forcefully
2326 and immediately made the controlling process of the terminal,
2327 potentially removing previous controlling processes from the
2328 terminal.
2329
2330 tty-fail is similar to tty, but if the terminal already has a
2331 controlling process start-up of the executed process fails.
2332
2333 The data option may be used to configure arbitrary textual or
2334 binary data to pass via standard input to the executed process. The
2335 data to pass is configured via
2336 StandardInputText=/StandardInputData= (see below). Note that the
2337 actual file descriptor type passed (memory file, regular file, UNIX
2338 pipe, ...) might depend on the kernel and available privileges. In
2339 any case, the file descriptor is read-only, and when read returns
2340 the specified data followed by EOF.
2341
2342 The file:path option may be used to connect a specific file system
2343 object to standard input. An absolute path following the ":"
2344 character is expected, which may refer to a regular file, a FIFO or
2345 special file. If an AF_UNIX socket in the file system is specified,
2346 a stream socket is connected to it. The latter is useful for
2347 connecting standard input of processes to arbitrary system
2348 services.
2349
2350 The socket option is valid in socket-activated services only, and
2351 requires the relevant socket unit file (see systemd.socket(5) for
2352 details) to have Accept=yes set, or to specify a single socket
2353 only. If this option is set, standard input will be connected to
2354 the socket the service was activated from, which is primarily
2355 useful for compatibility with daemons designed for use with the
2356 traditional inetd(8) socket activation daemon.
2357
2358 The fd:name option connects standard input to a specific, named
2359 file descriptor provided by a socket unit. The name may be
2360 specified as part of this option, following a ":" character (e.g.
2361 "fd:foobar"). If no name is specified, the name "stdin" is implied
2362 (i.e. "fd" is equivalent to "fd:stdin"). At least one socket unit
2363 defining the specified name must be provided via the Sockets=
2364 option, and the file descriptor name may differ from the name of
2365 its containing socket unit. If multiple matches are found, the
2366 first one will be used. See FileDescriptorName= in
2367 systemd.socket(5) for more details about named file descriptors and
2368 their ordering.
2369
2370 This setting defaults to null, unless
2371 StandardInputText=/StandardInputData= are set, in which case it
2372 defaults to data.
2373
2374 StandardOutput=
2375 Controls where file descriptor 1 (stdout) of the executed processes
2376 is connected to. Takes one of inherit, null, tty, journal, kmsg,
2377 journal+console, kmsg+console, file:path, append:path,
2378 truncate:path, socket or fd:name.
2379
2380 inherit duplicates the file descriptor of standard input for
2381 standard output.
2382
2383 null connects standard output to /dev/null, i.e. everything written
2384 to it will be lost.
2385
2386 tty connects standard output to a tty (as configured via TTYPath=,
2387 see below). If the TTY is used for output only, the executed
2388 process will not become the controlling process of the terminal,
2389 and will not fail or wait for other processes to release the
2390 terminal.
2391
2392 journal connects standard output with the journal, which is
2393 accessible via journalctl(1). Note that everything that is written
2394 to kmsg (see below) is implicitly stored in the journal as well,
2395 the specific option listed below is hence a superset of this one.
2396 (Also note that any external, additional syslog daemons receive
2397 their log data from the journal, too, hence this is the option to
2398 use when logging shall be processed with such a daemon.)
2399
2400 kmsg connects standard output with the kernel log buffer which is
2401 accessible via dmesg(1), in addition to the journal. The journal
2402 daemon might be configured to send all logs to kmsg anyway, in
2403 which case this option is no different from journal.
2404
2405 journal+console and kmsg+console work in a similar way as the two
2406 options above but copy the output to the system console as well.
2407
2408 The file:path option may be used to connect a specific file system
2409 object to standard output. The semantics are similar to the same
2410 option of StandardInput=, see above. If path refers to a regular
2411 file on the filesystem, it is opened (created if it doesn't exist
2412 yet) for writing at the beginning of the file, but without
2413 truncating it. If standard input and output are directed to the
2414 same file path, it is opened only once, for reading as well as
2415 writing and duplicated. This is particularly useful when the
2416 specified path refers to an AF_UNIX socket in the file system, as
2417 in that case only a single stream connection is created for both
2418 input and output.
2419
2420 append:path is similar to file:path above, but it opens the file in
2421 append mode.
2422
2423 truncate:path is similar to file:path above, but it truncates the
2424 file when opening it. For units with multiple command lines, e.g.
2425 Type=oneshot services with multiple ExecStart=, or services with
2426 ExecCondition=, ExecStartPre= or ExecStartPost=, the output file is
2427 reopened and therefore re-truncated for each command line. If the
2428 output file is truncated while another process still has the file
2429 open, e.g. by an ExecReload= running concurrently with an
2430 ExecStart=, and the other process continues writing to the file
2431 without adjusting its offset, then the space between the file
2432 pointers of the two processes may be filled with NUL bytes,
2433 producing a sparse file. Thus, truncate:path is typically only
2434 useful for units where only one process runs at a time, such as
2435 services with a single ExecStart= and no ExecStartPost=,
2436 ExecReload=, ExecStop= or similar.
2437
2438 socket connects standard output to a socket acquired via socket
2439 activation. The semantics are similar to the same option of
2440 StandardInput=, see above.
2441
2442 The fd:name option connects standard output to a specific, named
2443 file descriptor provided by a socket unit. A name may be specified
2444 as part of this option, following a ":" character (e.g.
2445 "fd:foobar"). If no name is specified, the name "stdout" is implied
2446 (i.e. "fd" is equivalent to "fd:stdout"). At least one socket unit
2447 defining the specified name must be provided via the Sockets=
2448 option, and the file descriptor name may differ from the name of
2449 its containing socket unit. If multiple matches are found, the
2450 first one will be used. See FileDescriptorName= in
2451 systemd.socket(5) for more details about named descriptors and
2452 their ordering.
2453
2454 If the standard output (or error output, see below) of a unit is
2455 connected to the journal or the kernel log buffer, the unit will
2456 implicitly gain a dependency of type After= on
2457 systemd-journald.socket (also see the "Implicit Dependencies"
2458 section above). Also note that in this case stdout (or stderr, see
2459 below) will be an AF_UNIX stream socket, and not a pipe or FIFO
2460 that can be re-opened. This means when executing shell scripts the
2461 construct echo "hello" > /dev/stderr for writing text to stderr
2462 will not work. To mitigate this use the construct echo "hello" >&2
2463 instead, which is mostly equivalent and avoids this pitfall.
2464
2465 This setting defaults to the value set with DefaultStandardOutput=
2466 in systemd-system.conf(5), which defaults to journal. Note that
2467 setting this parameter might result in additional dependencies to
2468 be added to the unit (see above).
2469
2470 StandardError=
2471 Controls where file descriptor 2 (stderr) of the executed processes
2472 is connected to. The available options are identical to those of
2473 StandardOutput=, with some exceptions: if set to inherit the file
2474 descriptor used for standard output is duplicated for standard
2475 error, while fd:name will use a default file descriptor name of
2476 "stderr".
2477
2478 This setting defaults to the value set with DefaultStandardError=
2479 in systemd-system.conf(5), which defaults to inherit. Note that
2480 setting this parameter might result in additional dependencies to
2481 be added to the unit (see above).
2482
2483 StandardInputText=, StandardInputData=
2484 Configures arbitrary textual or binary data to pass via file
2485 descriptor 0 (STDIN) to the executed processes. These settings have
2486 no effect unless StandardInput= is set to data (which is the
2487 default if StandardInput= is not set otherwise, but
2488 StandardInputText=/StandardInputData= is). Use this option to embed
2489 process input data directly in the unit file.
2490
2491 StandardInputText= accepts arbitrary textual data. C-style escapes
2492 for special characters as well as the usual "%"-specifiers are
2493 resolved. Each time this setting is used the specified text is
2494 appended to the per-unit data buffer, followed by a newline
2495 character (thus every use appends a new line to the end of the
2496 buffer). Note that leading and trailing whitespace of lines
2497 configured with this option is removed. If an empty line is
2498 specified the buffer is cleared (hence, in order to insert an empty
2499 line, add an additional "\n" to the end or beginning of a line).
2500
2501 StandardInputData= accepts arbitrary binary data, encoded in
2502 Base64[9]. No escape sequences or specifiers are resolved. Any
2503 whitespace in the encoded version is ignored during decoding.
2504
2505 Note that StandardInputText= and StandardInputData= operate on the
2506 same data buffer, and may be mixed in order to configure both
2507 binary and textual data for the same input stream. The textual or
2508 binary data is joined strictly in the order the settings appear in
2509 the unit file. Assigning an empty string to either will reset the
2510 data buffer.
2511
2512 Please keep in mind that in order to maintain readability long unit
2513 file settings may be split into multiple lines, by suffixing each
2514 line (except for the last) with a "\" character (see
2515 systemd.unit(5) for details). This is particularly useful for large
2516 data configured with these two options. Example:
2517
2518 ...
2519 StandardInput=data
2520 StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy4KSWNrIGtpZWtl \
2521 LCBzdGF1bmUsIHd1bmRyZSBtaXIsCnVmZiBlZW1hbCBqZWh0IHNlIHVmZiBkaWUgVMO8ci4KTmFu \
2522 dSwgZGVuayBpY2ssIGljayBkZW5rIG5hbnUhCkpldHogaXNzZSB1ZmYsIGVyc2NodCB3YXIgc2Ug \
2523 enUhCkljayBqZWhlIHJhdXMgdW5kIGJsaWNrZSDigJQKdW5kIHdlciBzdGVodCBkcmF1w59lbj8g \
2524 SWNrZSEK
2525 ...
2526
2527 LogLevelMax=
2528 Configures filtering by log level of log messages generated by this
2529 unit. Takes a syslog log level, one of emerg (lowest log level,
2530 only highest priority messages), alert, crit, err, warning, notice,
2531 info, debug (highest log level, also lowest priority messages). See
2532 syslog(3) for details. By default no filtering is applied (i.e. the
2533 default maximum log level is debug). Use this option to configure
2534 the logging system to drop log messages of a specific service above
2535 the specified level. For example, set LogLevelMax=info in order to
2536 turn off debug logging of a particularly chatty unit. Note that the
2537 configured level is applied to any log messages written by any of
2538 the processes belonging to this unit, as well as any log messages
2539 written by the system manager process (PID 1) in reference to this
2540 unit, sent via any supported logging protocol. The filtering is
2541 applied early in the logging pipeline, before any kind of further
2542 processing is done. Moreover, messages which pass through this
2543 filter successfully might still be dropped by filters applied at a
2544 later stage in the logging subsystem. For example, MaxLevelStore=
2545 configured in journald.conf(5) might prohibit messages of higher
2546 log levels to be stored on disk, even though the per-unit
2547 LogLevelMax= permitted it to be processed.
2548
2549 LogExtraFields=
2550 Configures additional log metadata fields to include in all log
2551 records generated by processes associated with this unit. This
2552 setting takes one or more journal field assignments in the format
2553 "FIELD=VALUE" separated by whitespace. See systemd.journal-
2554 fields(7) for details on the journal field concept. Even though the
2555 underlying journal implementation permits binary field values, this
2556 setting accepts only valid UTF-8 values. To include space
2557 characters in a journal field value, enclose the assignment in
2558 double quotes ("). The usual specifiers are expanded in all
2559 assignments (see below). Note that this setting is not only useful
2560 for attaching additional metadata to log records of a unit, but
2561 given that all fields and values are indexed may also be used to
2562 implement cross-unit log record matching. Assign an empty string to
2563 reset the list.
2564
2565 LogRateLimitIntervalSec=, LogRateLimitBurst=
2566 Configures the rate limiting that is applied to messages generated
2567 by this unit. If, in the time interval defined by
2568 LogRateLimitIntervalSec=, more messages than specified in
2569 LogRateLimitBurst= are logged by a service, all further messages
2570 within the interval are dropped until the interval is over. A
2571 message about the number of dropped messages is generated. The time
2572 specification for LogRateLimitIntervalSec= may be specified in the
2573 following units: "s", "min", "h", "ms", "us" (see systemd.time(7)
2574 for details). The default settings are set by RateLimitIntervalSec=
2575 and RateLimitBurst= configured in journald.conf(5).
2576
2577 LogNamespace=
2578 Run the unit's processes in the specified journal namespace.
2579 Expects a short user-defined string identifying the namespace. If
2580 not used the processes of the service are run in the default
2581 journal namespace, i.e. their log stream is collected and processed
2582 by systemd-journald.service. If this option is used any log data
2583 generated by processes of this unit (regardless if via the
2584 syslog(), journal native logging or stdout/stderr logging) is
2585 collected and processed by an instance of the
2586 systemd-journald@.service template unit, which manages the
2587 specified namespace. The log data is stored in a data store
2588 independent from the default log namespace's data store. See
2589 systemd-journald.service(8) for details about journal namespaces.
2590
2591 Internally, journal namespaces are implemented through Linux mount
2592 namespacing and over-mounting the directory that contains the
2593 relevant AF_UNIX sockets used for logging in the unit's mount
2594 namespace. Since mount namespaces are used this setting disconnects
2595 propagation of mounts from the unit's processes to the host,
2596 similar to how ReadOnlyPaths= and similar settings (see above)
2597 work. Journal namespaces may hence not be used for services that
2598 need to establish mount points on the host.
2599
2600 When this option is used the unit will automatically gain ordering
2601 and requirement dependencies on the two socket units associated
2602 with the systemd-journald@.service instance so that they are
2603 automatically established prior to the unit starting up. Note that
2604 when this option is used log output of this service does not appear
2605 in the regular journalctl(1) output, unless the --namespace= option
2606 is used.
2607
2608 This option is only available for system services and is not
2609 supported for services running in per-user instances of the service
2610 manager.
2611
2612 SyslogIdentifier=
2613 Sets the process name ("syslog tag") to prefix log lines sent to
2614 the logging system or the kernel log buffer with. If not set,
2615 defaults to the process name of the executed process. This option
2616 is only useful when StandardOutput= or StandardError= are set to
2617 journal or kmsg (or to the same settings in combination with
2618 +console) and only applies to log messages written to stdout or
2619 stderr.
2620
2621 SyslogFacility=
2622 Sets the syslog facility identifier to use when logging. One of
2623 kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron,
2624 authpriv, ftp, local0, local1, local2, local3, local4, local5,
2625 local6 or local7. See syslog(3) for details. This option is only
2626 useful when StandardOutput= or StandardError= are set to journal or
2627 kmsg (or to the same settings in combination with +console), and
2628 only applies to log messages written to stdout or stderr. Defaults
2629 to daemon.
2630
2631 SyslogLevel=
2632 The default syslog log level to use when logging to the logging
2633 system or the kernel log buffer. One of emerg, alert, crit, err,
2634 warning, notice, info, debug. See syslog(3) for details. This
2635 option is only useful when StandardOutput= or StandardError= are
2636 set to journal or kmsg (or to the same settings in combination with
2637 +console), and only applies to log messages written to stdout or
2638 stderr. Note that individual lines output by executed processes may
2639 be prefixed with a different log level which can be used to
2640 override the default log level specified here. The interpretation
2641 of these prefixes may be disabled with SyslogLevelPrefix=, see
2642 below. For details, see sd-daemon(3). Defaults to info.
2643
2644 SyslogLevelPrefix=
2645 Takes a boolean argument. If true and StandardOutput= or
2646 StandardError= are set to journal or kmsg (or to the same settings
2647 in combination with +console), log lines written by the executed
2648 process that are prefixed with a log level will be processed with
2649 this log level set but the prefix removed. If set to false, the
2650 interpretation of these prefixes is disabled and the logged lines
2651 are passed on as-is. This only applies to log messages written to
2652 stdout or stderr. For details about this prefixing see sd-
2653 daemon(3). Defaults to true.
2654
2655 TTYPath=
2656 Sets the terminal device node to use if standard input, output, or
2657 error are connected to a TTY (see above). Defaults to /dev/console.
2658
2659 TTYReset=
2660 Reset the terminal device specified with TTYPath= before and after
2661 execution. Defaults to "no".
2662
2663 TTYVHangup=
2664 Disconnect all clients which have opened the terminal device
2665 specified with TTYPath= before and after execution. Defaults to
2666 "no".
2667
2668 TTYVTDisallocate=
2669 If the terminal device specified with TTYPath= is a virtual console
2670 terminal, try to deallocate the TTY before and after execution.
2671 This ensures that the screen and scrollback buffer is cleared.
2672 Defaults to "no".
2673
2675 LoadCredential=ID:PATH
2676 Pass a credential to the unit. Credentials are limited-size binary
2677 or textual objects that may be passed to unit processes. They are
2678 primarily used for passing cryptographic keys (both public and
2679 private) or certificates, user account information or identity
2680 information from host to services. The data is accessible from the
2681 unit's processes via the file system, at a read-only location that
2682 (if possible and permitted) is backed by non-swappable memory. The
2683 data is only accessible to the user associated with the unit, via
2684 the User=/DynamicUser= settings (as well as the superuser). When
2685 available, the location of credentials is exported as the
2686 $CREDENTIALS_DIRECTORY environment variable to the unit's
2687 processes.
2688
2689 The LoadCredential= setting takes a textual ID to use as name for a
2690 credential plus a file system path. The ID must be a short ASCII
2691 string suitable as filename in the filesystem, and may be chosen
2692 freely by the user. If the specified path is absolute it is opened
2693 as regular file and the credential data is read from it. If the
2694 absolute path refers to an AF_UNIX stream socket in the file system
2695 a connection is made to it (only once at unit start-up) and the
2696 credential data read from the connection, providing an easy IPC
2697 integration point for dynamically providing credentials from other
2698 services. If the specified path is not absolute and itself
2699 qualifies as valid credential identifier it is understood to refer
2700 to a credential that the service manager itself received via the
2701 $CREDENTIALS_DIRECTORY environment variable, which may be used to
2702 propagate credentials from an invoking environment (e.g. a
2703 container manager that invoked the service manager) into a service.
2704 The contents of the file/socket may be arbitrary binary or textual
2705 data, including newline characters and NUL bytes. This option may
2706 be used multiple times, each time defining an additional credential
2707 to pass to the unit.
2708
2709 The credential files/IPC sockets must be accessible to the service
2710 manager, but don't have to be directly accessible to the unit's
2711 processes: the credential data is read and copied into separate,
2712 read-only copies for the unit that are accessible to appropriately
2713 privileged processes. This is particularly useful in combination
2714 with DynamicUser= as this way privileged data can be made available
2715 to processes running under a dynamic UID (i.e. not a previously
2716 known one) without having to open up access to all users.
2717
2718 In order to reference the path a credential may be read from within
2719 a ExecStart= command line use "${CREDENTIALS_DIRECTORY}/mycred",
2720 e.g. "ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred".
2721
2722 Currently, an accumulated credential size limit of 1 MB per unit is
2723 enforced.
2724
2725 If referencing an AF_UNIX stream socket to connect to, the
2726 connection will originate from an abstract namespace socket, that
2727 includes information about the unit and the credential ID in its
2728 socket name. Use getpeername(2) to query this information. The
2729 returned socket name is formatted as NUL RANDOM "/unit/" UNIT "/"
2730 ID, i.e. a NUL byte (as required for abstract namespace socket
2731 names), followed by a random string (consisting of alphadecimal
2732 characters), followed by the literal string "/unit/", followed by
2733 the requesting unit name, followed by the literal character "/",
2734 followed by the textual credential ID requested. Example:
2735 "\0adf9d86b6eda275e/unit/foobar.service/credx" in case the
2736 credential "credx" is requested for a unit "foobar.service". This
2737 functionality is useful for using a single listening socket to
2738 serve credentials to multiple consumers.
2739
2740 SetCredential=ID:VALUE
2741 The SetCredential= setting is similar to LoadCredential= but
2742 accepts a literal value to use as data for the credential, instead
2743 of a file system path to read the data from. Do not use this option
2744 for data that is supposed to be secret, as it is accessible to
2745 unprivileged processes via IPC. It's only safe to use this for user
2746 IDs, public key material and similar non-sensitive data. For
2747 everything else use LoadCredential=. In order to embed binary data
2748 into the credential data use C-style escaping (i.e. "\n" to embed
2749 a newline, or "\x00" to embed a NUL byte).
2750
2751 If a credential of the same ID is listed in both LoadCredential=
2752 and SetCredential=, the latter will act as default if the former
2753 cannot be retrieved. In this case not being able to retrieve the
2754 credential from the path specified in LoadCredential= is not
2755 considered fatal.
2756
2758 UtmpIdentifier=
2759 Takes a four character identifier string for an utmp(5) and wtmp
2760 entry for this service. This should only be set for services such
2761 as getty implementations (such as agetty(8)) where utmp/wtmp
2762 entries must be created and cleared before and after execution, or
2763 for services that shall be executed as if they were run by a getty
2764 process (see below). If the configured string is longer than four
2765 characters, it is truncated and the terminal four characters are
2766 used. This setting interprets %I style string replacements. This
2767 setting is unset by default, i.e. no utmp/wtmp entries are created
2768 or cleaned up for this service.
2769
2770 UtmpMode=
2771 Takes one of "init", "login" or "user". If UtmpIdentifier= is set,
2772 controls which type of utmp(5)/wtmp entries for this service are
2773 generated. This setting has no effect unless UtmpIdentifier= is set
2774 too. If "init" is set, only an INIT_PROCESS entry is generated and
2775 the invoked process must implement a getty-compatible utmp/wtmp
2776 logic. If "login" is set, first an INIT_PROCESS entry, followed by
2777 a LOGIN_PROCESS entry is generated. In this case, the invoked
2778 process must implement a login(1)-compatible utmp/wtmp logic. If
2779 "user" is set, first an INIT_PROCESS entry, then a LOGIN_PROCESS
2780 entry and finally a USER_PROCESS entry is generated. In this case,
2781 the invoked process may be any process that is suitable to be run
2782 as session leader. Defaults to "init".
2783
2785 Processes started by the service manager are executed with an
2786 environment variable block assembled from multiple sources. Processes
2787 started by the system service manager generally do not inherit
2788 environment variables set for the service manager itself (but this may
2789 be altered via PassEnvironment=), but processes started by the user
2790 service manager instances generally do inherit all environment
2791 variables set for the service manager itself.
2792
2793 For each invoked process the list of environment variables set is
2794 compiled from the following sources:
2795
2796 • Variables globally configured for the service manager, using the
2797 DefaultEnvironment= setting in systemd-system.conf(5), the kernel
2798 command line option systemd.setenv= understood by systemd(1), or
2799 via systemctl(1) set-environment verb.
2800
2801 • Variables defined by the service manager itself (see the list
2802 below).
2803
2804 • Variables set in the service manager's own environment variable
2805 block (subject to PassEnvironment= for the system service manager).
2806
2807 • Variables set via Environment= in the unit file.
2808
2809 • Variables read from files specified via EnvironmentFile= in the
2810 unit file.
2811
2812 • Variables set by any PAM modules in case PAMName= is in effect,
2813 cf. pam_env(8).
2814
2815 If the same environment variable is set by multiple of these sources,
2816 the later source — according to the order of the list above — wins.
2817 Note that as the final step all variables listed in UnsetEnvironment=
2818 are removed from the compiled environment variable list, immediately
2819 before it is passed to the executed process.
2820
2821 The general philosophy is to expose a small curated list of environment
2822 variables to processes. Services started by the system manager (PID 1)
2823 will be started, without additional service-specific configuration,
2824 with just a few environment variables. The user manager inherits
2825 environment variables as any other system service, but in addition may
2826 receive additional environment variables from PAM, and, typically,
2827 additional imported variables when the user starts a graphical session.
2828 It is recommended to keep the environment blocks in both the system and
2829 user managers managers lean. Importing all variables inherited by the
2830 graphical session or by one of the user shells is strongly discouraged.
2831
2832 Hint: systemd-run -P env and systemd-run --user -P env print the
2833 effective system and user service environment blocks.
2834
2835 Environment Variables Set or Propagated by the Service Manager
2836 The following environment variables are propagated by the service
2837 manager or generated internally for each invoked process:
2838
2839 $PATH
2840 Colon-separated list of directories to use when launching
2841 executables. systemd uses a fixed value of
2842 "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin" in the system
2843 manager. When compiled for systems with "unmerged /usr/" (/bin is
2844 not a symlink to /usr/bin), ":/sbin:/bin" is appended. In case of
2845 the the user manager, a different path may be configured by the
2846 distribution. It is recommended to not rely on the order of
2847 entries, and have only one program with a given name in $PATH.
2848
2849 $LANG
2850 Locale. Can be set in locale.conf(5) or on the kernel command line
2851 (see systemd(1) and kernel-command-line(7)).
2852
2853 $USER, $LOGNAME, $HOME, $SHELL
2854 User name (twice), home directory, and the login shell. The
2855 variables are set for the units that have User= set, which includes
2856 user systemd instances. See passwd(5).
2857
2858 $INVOCATION_ID
2859 Contains a randomized, unique 128bit ID identifying each runtime
2860 cycle of the unit, formatted as 32 character hexadecimal string. A
2861 new ID is assigned each time the unit changes from an inactive
2862 state into an activating or active state, and may be used to
2863 identify this specific runtime cycle, in particular in data stored
2864 offline, such as the journal. The same ID is passed to all
2865 processes run as part of the unit.
2866
2867 $XDG_RUNTIME_DIR
2868 The directory to use for runtime objects (such as IPC objects) and
2869 volatile state. Set for all services run by the user systemd
2870 instance, as well as any system services that use PAMName= with a
2871 PAM stack that includes pam_systemd. See below and pam_systemd(8)
2872 for more information.
2873
2874 $RUNTIME_DIRECTORY, $STATE_DIRECTORY, $CACHE_DIRECTORY,
2875 $LOGS_DIRECTORY, $CONFIGURATION_DIRECTORY
2876 Absolute paths to the directories defined with RuntimeDirectory=,
2877 StateDirectory=, CacheDirectory=, LogsDirectory=, and
2878 ConfigurationDirectory= when those settings are used.
2879
2880 $CREDENTIALS_DIRECTORY
2881 An absolute path to the per-unit directory with credentials
2882 configured via LoadCredential=/SetCredential=. The directory is
2883 marked read-only and is placed in unswappable memory (if supported
2884 and permitted), and is only accessible to the UID associated with
2885 the unit via User= or DynamicUser= (and the superuser).
2886
2887 $MAINPID
2888 The PID of the unit's main process if it is known. This is only set
2889 for control processes as invoked by ExecReload= and similar.
2890
2891 $MANAGERPID
2892 The PID of the user systemd instance, set for processes spawned by
2893 it.
2894
2895 $LISTEN_FDS, $LISTEN_PID, $LISTEN_FDNAMES
2896 Information about file descriptors passed to a service for socket
2897 activation. See sd_listen_fds(3).
2898
2899 $NOTIFY_SOCKET
2900 The socket sd_notify() talks to. See sd_notify(3).
2901
2902 $WATCHDOG_PID, $WATCHDOG_USEC
2903 Information about watchdog keep-alive notifications. See
2904 sd_watchdog_enabled(3).
2905
2906 $SYSTEMD_EXEC_PID
2907 The PID of the unit process (e.g. process invoked by ExecStart=).
2908 The child process can use this information to determine whether the
2909 process is directly invoked by the service manager or indirectly as
2910 a child of another process by comparing this value with the current
2911 PID (as similar to the scheme used in sd_listen_fds(3) with
2912 $LISTEN_PID and $LISTEN_FDS).
2913
2914 $TERM
2915 Terminal type, set only for units connected to a terminal
2916 (StandardInput=tty, StandardOutput=tty, or StandardError=tty). See
2917 termcap(5).
2918
2919 $LOG_NAMESPACE
2920 Contains the name of the selected logging namespace when the
2921 LogNamespace= service setting is used.
2922
2923 $JOURNAL_STREAM
2924 If the standard output or standard error output of the executed
2925 processes are connected to the journal (for example, by setting
2926 StandardError=journal) $JOURNAL_STREAM contains the device and
2927 inode numbers of the connection file descriptor, formatted in
2928 decimal, separated by a colon (":"). This permits invoked processes
2929 to safely detect whether their standard output or standard error
2930 output are connected to the journal. The device and inode numbers
2931 of the file descriptors should be compared with the values set in
2932 the environment variable to determine whether the process output is
2933 still connected to the journal. Note that it is generally not
2934 sufficient to only check whether $JOURNAL_STREAM is set at all as
2935 services might invoke external processes replacing their standard
2936 output or standard error output, without unsetting the environment
2937 variable.
2938
2939 If both standard output and standard error of the executed
2940 processes are connected to the journal via a stream socket, this
2941 environment variable will contain information about the standard
2942 error stream, as that's usually the preferred destination for log
2943 data. (Note that typically the same stream is used for both
2944 standard output and standard error, hence very likely the
2945 environment variable contains device and inode information matching
2946 both stream file descriptors.)
2947
2948 This environment variable is primarily useful to allow services to
2949 optionally upgrade their used log protocol to the native journal
2950 protocol (using sd_journal_print(3) and other functions) if their
2951 standard output or standard error output is connected to the
2952 journal anyway, thus enabling delivery of structured metadata along
2953 with logged messages.
2954
2955 $SERVICE_RESULT
2956 Only defined for the service unit type, this environment variable
2957 is passed to all ExecStop= and ExecStopPost= processes, and encodes
2958 the service "result". Currently, the following values are defined:
2959
2960 Table 4. Defined $SERVICE_RESULT values
2961 ┌──────────────────┬────────────────────────────┐
2962 │Value │ Meaning │
2963 ├──────────────────┼────────────────────────────┤
2964 │"success" │ The service ran │
2965 │ │ successfully and exited │
2966 │ │ cleanly. │
2967 ├──────────────────┼────────────────────────────┤
2968 │"protocol" │ A protocol violation │
2969 │ │ occurred: the service did │
2970 │ │ not take the steps │
2971 │ │ required by its unit │
2972 │ │ configuration │
2973 │ │ (specifically what is │
2974 │ │ configured in its Type= │
2975 │ │ setting). │
2976 ├──────────────────┼────────────────────────────┤
2977 │"timeout" │ One of the steps timed │
2978 │ │ out. │
2979 ├──────────────────┼────────────────────────────┤
2980 │"exit-code" │ Service process exited │
2981 │ │ with a non-zero exit code; │
2982 │ │ see $EXIT_CODE below for │
2983 │ │ the actual exit code │
2984 │ │ returned. │
2985 ├──────────────────┼────────────────────────────┤
2986 │"signal" │ A service process was │
2987 │ │ terminated abnormally by a │
2988 │ │ signal, without dumping │
2989 │ │ core. See $EXIT_CODE below │
2990 │ │ for the actual signal │
2991 │ │ causing the termination. │
2992 ├──────────────────┼────────────────────────────┤
2993 │"core-dump" │ A service process │
2994 │ │ terminated abnormally with │
2995 │ │ a signal and dumped core. │
2996 │ │ See $EXIT_CODE below for │
2997 │ │ the signal causing the │
2998 │ │ termination. │
2999 ├──────────────────┼────────────────────────────┤
3000 │"watchdog" │ Watchdog keep-alive ping │
3001 │ │ was enabled for the │
3002 │ │ service, but the deadline │
3003 │ │ was missed. │
3004 ├──────────────────┼────────────────────────────┤
3005 │"start-limit-hit" │ A start limit was defined │
3006 │ │ for the unit and it was │
3007 │ │ hit, causing the unit to │
3008 │ │ fail to start. See │
3009 │ │ systemd.unit(5)'s │
3010 │ │ StartLimitIntervalSec= and │
3011 │ │ StartLimitBurst= for │
3012 │ │ details. │
3013 ├──────────────────┼────────────────────────────┤
3014 │"resources" │ A catch-all condition in │
3015 │ │ case a system operation │
3016 │ │ failed. │
3017 └──────────────────┴────────────────────────────┘
3018 This environment variable is useful to monitor failure or
3019 successful termination of a service. Even though this variable is
3020 available in both ExecStop= and ExecStopPost=, it is usually a
3021 better choice to place monitoring tools in the latter, as the
3022 former is only invoked for services that managed to start up
3023 correctly, and the latter covers both services that failed during
3024 their start-up and those which failed during their runtime.
3025
3026 $EXIT_CODE, $EXIT_STATUS
3027 Only defined for the service unit type, these environment variables
3028 are passed to all ExecStop=, ExecStopPost= processes and contain
3029 exit status/code information of the main process of the service.
3030 For the precise definition of the exit code and status, see
3031 wait(2). $EXIT_CODE is one of "exited", "killed", "dumped".
3032 $EXIT_STATUS contains the numeric exit code formatted as string if
3033 $EXIT_CODE is "exited", and the signal name in all other cases.
3034 Note that these environment variables are only set if the service
3035 manager succeeded to start and identify the main process of the
3036 service.
3037
3038 Table 5. Summary of possible service result variable values
3039 ┌──────────────────┬──────────────────┬─────────────────────┐
3040 │$SERVICE_RESULT │ $EXIT_CODE │ $EXIT_STATUS │
3041 ├──────────────────┼──────────────────┼─────────────────────┤
3042 │"success" │ "killed" │ "HUP", "INT", │
3043 │ │ │ "TERM", "PIPE" │
3044 │ ├──────────────────┼─────────────────────┤
3045 │ │ "exited" │ "0" │
3046 ├──────────────────┼──────────────────┼─────────────────────┤
3047 │"protocol" │ not set │ not set │
3048 │ ├──────────────────┼─────────────────────┤
3049 │ │ "exited" │ "0" │
3050 ├──────────────────┼──────────────────┼─────────────────────┤
3051 │"timeout" │ "killed" │ "TERM", "KILL" │
3052 │ ├──────────────────┼─────────────────────┤
3053 │ │ "exited" │ "0", "1", "2", "3", │
3054 │ │ │ ..., "255" │
3055 ├──────────────────┼──────────────────┼─────────────────────┤
3056 │"exit-code" │ "exited" │ "1", "2", "3", ..., │
3057 │ │ │ "255" │
3058 ├──────────────────┼──────────────────┼─────────────────────┤
3059 │"signal" │ "killed" │ "HUP", "INT", │
3060 │ │ │ "KILL", ... │
3061 ├──────────────────┼──────────────────┼─────────────────────┤
3062 │"core-dump" │ "dumped" │ "ABRT", "SEGV", │
3063 │ │ │ "QUIT", ... │
3064 ├──────────────────┼──────────────────┼─────────────────────┤
3065 │"watchdog" │ "dumped" │ "ABRT" │
3066 │ ├──────────────────┼─────────────────────┤
3067 │ │ "killed" │ "TERM", "KILL" │
3068 │ ├──────────────────┼─────────────────────┤
3069 │ │ "exited" │ "0", "1", "2", "3", │
3070 │ │ │ ..., "255" │
3071 ├──────────────────┼──────────────────┼─────────────────────┤
3072 │"exec-condition" │ "exited" │ "1", "2", "3", "4", │
3073 │ │ │ ..., "254" │
3074 ├──────────────────┼──────────────────┼─────────────────────┤
3075 │"oom-kill" │ "killed" │ "TERM", "KILL" │
3076 ├──────────────────┼──────────────────┼─────────────────────┤
3077 │"start-limit-hit" │ not set │ not set │
3078 ├──────────────────┼──────────────────┼─────────────────────┤
3079 │"resources" │ any of the above │ any of the above │
3080 ├──────────────────┴──────────────────┴─────────────────────┤
3081 │Note: the process may be also terminated by a signal not │
3082 │sent by systemd. In particular the process may send an │
3083 │arbitrary signal to itself in a handler for any of the │
3084 │non-maskable signals. Nevertheless, in the "timeout" and │
3085 │"watchdog" rows above only the signals that systemd sends │
3086 │have been included. Moreover, using SuccessExitStatus= │
3087 │additional exit statuses may be declared to indicate clean │
3088 │termination, which is not reflected by this table. │
3089 └───────────────────────────────────────────────────────────┘
3090
3091 $PIDFILE
3092 The path to the configured PID file, in case the process is forked
3093 off on behalf of a service that uses the PIDFile= setting, see
3094 systemd.service(5) for details. Service code may use this
3095 environment variable to automatically generate a PID file at the
3096 location configured in the unit file. This field is set to an
3097 absolute path in the file system.
3098
3099 For system services, when PAMName= is enabled and pam_systemd is part
3100 of the selected PAM stack, additional environment variables defined by
3101 systemd may be set for services. Specifically, these are $XDG_SEAT,
3102 $XDG_VTNR, see pam_systemd(8) for details.
3103
3105 When invoking a unit process the service manager possibly fails to
3106 apply the execution parameters configured with the settings above. In
3107 that case the already created service process will exit with a non-zero
3108 exit code before the configured command line is executed. (Or in other
3109 words, the child process possibly exits with these error codes, after
3110 having been created by the fork(2) system call, but before the matching
3111 execve(2) system call is called.) Specifically, exit codes defined by
3112 the C library, by the LSB specification and by the systemd service
3113 manager itself are used.
3114
3115 The following basic service exit codes are defined by the C library.
3116
3117 Table 6. Basic C library exit codes
3118 ┌──────────┬───────────────┬────────────────────┐
3119 │Exit Code │ Symbolic Name │ Description │
3120 ├──────────┼───────────────┼────────────────────┤
3121 │0 │ EXIT_SUCCESS │ Generic success │
3122 │ │ │ code. │
3123 ├──────────┼───────────────┼────────────────────┤
3124 │1 │ EXIT_FAILURE │ Generic failure or │
3125 │ │ │ unspecified error. │
3126 └──────────┴───────────────┴────────────────────┘
3127
3128 The following service exit codes are defined by the LSB
3129 specification[10].
3130
3131 Table 7. LSB service exit codes
3132 ┌──────────┬──────────────────────┬────────────────────┐
3133 │Exit Code │ Symbolic Name │ Description │
3134 ├──────────┼──────────────────────┼────────────────────┤
3135 │2 │ EXIT_INVALIDARGUMENT │ Invalid or excess │
3136 │ │ │ arguments. │
3137 ├──────────┼──────────────────────┼────────────────────┤
3138 │3 │ EXIT_NOTIMPLEMENTED │ Unimplemented │
3139 │ │ │ feature. │
3140 ├──────────┼──────────────────────┼────────────────────┤
3141 │4 │ EXIT_NOPERMISSION │ The user has │
3142 │ │ │ insufficient │
3143 │ │ │ privileges. │
3144 ├──────────┼──────────────────────┼────────────────────┤
3145 │5 │ EXIT_NOTINSTALLED │ The program is not │
3146 │ │ │ installed. │
3147 ├──────────┼──────────────────────┼────────────────────┤
3148 │6 │ EXIT_NOTCONFIGURED │ The program is not │
3149 │ │ │ configured. │
3150 ├──────────┼──────────────────────┼────────────────────┤
3151 │7 │ EXIT_NOTRUNNING │ The program is not │
3152 │ │ │ running. │
3153 └──────────┴──────────────────────┴────────────────────┘
3154
3155 The LSB specification suggests that error codes 200 and above are
3156 reserved for implementations. Some of them are used by the service
3157 manager to indicate problems during process invocation:
3158
3159 Table 8. systemd-specific exit codes
3160 ┌──────────┬──────────────────────────────┬─────────────────────────────────────────────┐
3161 │Exit Code │ Symbolic Name │ Description │
3162 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3163 │200 │ EXIT_CHDIR │ Changing to the │
3164 │ │ │ requested working │
3165 │ │ │ directory failed. │
3166 │ │ │ See │
3167 │ │ │ WorkingDirectory= │
3168 │ │ │ above. │
3169 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3170 │201 │ EXIT_NICE │ Failed to set up │
3171 │ │ │ process scheduling │
3172 │ │ │ priority (nice │
3173 │ │ │ level). See Nice= │
3174 │ │ │ above. │
3175 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3176 │202 │ EXIT_FDS │ Failed to close │
3177 │ │ │ unwanted file │
3178 │ │ │ descriptors, or to │
3179 │ │ │ adjust passed file │
3180 │ │ │ descriptors. │
3181 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3182 │203 │ EXIT_EXEC │ The actual process │
3183 │ │ │ execution failed │
3184 │ │ │ (specifically, the │
3185 │ │ │ execve(2) system │
3186 │ │ │ call). Most likely │
3187 │ │ │ this is caused by a │
3188 │ │ │ missing or │
3189 │ │ │ non-accessible │
3190 │ │ │ executable file. │
3191 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3192 │204 │ EXIT_MEMORY │ Failed to perform │
3193 │ │ │ an action due to │
3194 │ │ │ memory shortage. │
3195 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3196 │205 │ EXIT_LIMITS │ Failed to adjust │
3197 │ │ │ resource limits. │
3198 │ │ │ See LimitCPU= and │
3199 │ │ │ related settings │
3200 │ │ │ above. │
3201 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3202 │206 │ EXIT_OOM_ADJUST │ Failed to adjust │
3203 │ │ │ the OOM setting. │
3204 │ │ │ See OOMScoreAdjust= │
3205 │ │ │ above. │
3206 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3207 │207 │ EXIT_SIGNAL_MASK │ Failed to set │
3208 │ │ │ process signal │
3209 │ │ │ mask. │
3210 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3211 │208 │ EXIT_STDIN │ Failed to set up │
3212 │ │ │ standard input. See │
3213 │ │ │ StandardInput= │
3214 │ │ │ above. │
3215 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3216 │209 │ EXIT_STDOUT │ Failed to set up │
3217 │ │ │ standard output. │
3218 │ │ │ See StandardOutput= │
3219 │ │ │ above. │
3220 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3221 │210 │ EXIT_CHROOT │ Failed to change │
3222 │ │ │ root directory │
3223 │ │ │ (chroot(2)). See │
3224 │ │ │ RootDirectory=/RootImage= │
3225 │ │ │ above. │
3226 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3227 │211 │ EXIT_IOPRIO │ Failed to set up IO │
3228 │ │ │ scheduling priority. See │
3229 │ │ │ IOSchedulingClass=/IOSchedulingPriority= │
3230 │ │ │ above. │
3231 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3232 │212 │ EXIT_TIMERSLACK │ Failed to set up timer slack. See │
3233 │ │ │ TimerSlackNSec= above. │
3234 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3235 │213 │ EXIT_SECUREBITS │ Failed to set process secure bits. See │
3236 │ │ │ SecureBits= above. │
3237 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3238 │214 │ EXIT_SETSCHEDULER │ Failed to set up CPU scheduling. See │
3239 │ │ │ CPUSchedulingPolicy=/CPUSchedulingPriority= │
3240 │ │ │ above. │
3241 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3242 │215 │ EXIT_CPUAFFINITY │ Failed to set up CPU affinity. See │
3243 │ │ │ CPUAffinity= above. │
3244 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3245 │216 │ EXIT_GROUP │ Failed to determine or change group │
3246 │ │ │ credentials. See │
3247 │ │ │ Group=/SupplementaryGroups= above. │
3248 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3249 │217 │ EXIT_USER │ Failed to determine or change user │
3250 │ │ │ credentials, or to set up user namespacing. │
3251 │ │ │ See User=/PrivateUsers= above. │
3252 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3253 │218 │ EXIT_CAPABILITIES │ Failed to drop capabilities, or apply │
3254 │ │ │ ambient capabilities. See │
3255 │ │ │ CapabilityBoundingSet=/AmbientCapabilities= │
3256 │ │ │ above. │
3257 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3258 │219 │ EXIT_CGROUP │ Setting up the service control group │
3259 │ │ │ failed. │
3260 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3261 │220 │ EXIT_SETSID │ Failed to create new process session. │
3262 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3263 │221 │ EXIT_CONFIRM │ Execution has been cancelled by the user. │
3264 │ │ │ See the systemd.confirm_spawn= kernel │
3265 │ │ │ command line setting on kernel-command- │
3266 │ │ │ line(7) for details. │
3267 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3268 │222 │ EXIT_STDERR │ Failed to set up standard error output. See │
3269 │ │ │ StandardError= above. │
3270 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3271 │224 │ EXIT_PAM │ Failed to set up PAM session. See PAMName= │
3272 │ │ │ above. │
3273 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3274 │225 │ EXIT_NETWORK │ Failed to set up network namespacing. See │
3275 │ │ │ PrivateNetwork= above. │
3276 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3277 │226 │ EXIT_NAMESPACE │ Failed to set up mount, UTS, or IPC │
3278 │ │ │ namespacing. See ReadOnlyPaths=, │
3279 │ │ │ ProtectHostname=, PrivateIPC=, and related │
3280 │ │ │ settings above. │
3281 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3282 │227 │ EXIT_NO_NEW_PRIVILEGES │ Failed to disable new privileges. See │
3283 │ │ │ NoNewPrivileges=yes above. │
3284 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3285 │228 │ EXIT_SECCOMP │ Failed to apply system call filters. See │
3286 │ │ │ SystemCallFilter= and related settings │
3287 │ │ │ above. │
3288 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3289 │229 │ EXIT_SELINUX_CONTEXT │ Determining or changing SELinux context │
3290 │ │ │ failed. See SELinuxContext= above. │
3291 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3292 │230 │ EXIT_PERSONALITY │ Failed to set up an execution domain │
3293 │ │ │ (personality). See Personality= above. │
3294 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3295 │231 │ EXIT_APPARMOR_PROFILE │ Failed to prepare changing AppArmor │
3296 │ │ │ profile. See AppArmorProfile= above. │
3297 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3298 │232 │ EXIT_ADDRESS_FAMILIES │ Failed to restrict address families. See │
3299 │ │ │ RestrictAddressFamilies= above. │
3300 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3301 │233 │ EXIT_RUNTIME_DIRECTORY │ Setting up runtime directory failed. See │
3302 │ │ │ RuntimeDirectory= and related settings │
3303 │ │ │ above. │
3304 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3305 │235 │ EXIT_CHOWN │ Failed to adjust socket ownership. Used for │
3306 │ │ │ socket units only. │
3307 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3308 │236 │ EXIT_SMACK_PROCESS_LABEL │ Failed to set SMACK label. See │
3309 │ │ │ SmackProcessLabel= above. │
3310 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3311 │237 │ EXIT_KEYRING │ Failed to set up kernel keyring. │
3312 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3313 │238 │ EXIT_STATE_DIRECTORY │ Failed to set up unit's state directory. │
3314 │ │ │ See StateDirectory= above. │
3315 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3316 │239 │ EXIT_CACHE_DIRECTORY │ Failed to set up unit's cache directory. │
3317 │ │ │ See CacheDirectory= above. │
3318 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3319 │240 │ EXIT_LOGS_DIRECTORY │ Failed to set up unit's logging directory. │
3320 │ │ │ See LogsDirectory= above. │
3321 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3322 │241 │ EXIT_CONFIGURATION_DIRECTORY │ Failed to set up unit's configuration │
3323 │ │ │ directory. See ConfigurationDirectory= │
3324 │ │ │ above. │
3325 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3326 │242 │ EXIT_NUMA_POLICY │ Failed to set up unit's NUMA memory policy. │
3327 │ │ │ See NUMAPolicy= and NUMAMask= above. │
3328 ├──────────┼──────────────────────────────┼─────────────────────────────────────────────┤
3329 │243 │ EXIT_CREDENTIALS │ Failed to set up unit's credentials. See │
3330 │ │ │ LoadCredential= and SetCredential= above. │
3331 └──────────┴──────────────────────────────┴─────────────────────────────────────────────┘
3332
3333 Finally, the BSD operating systems define a set of exit codes,
3334 typically defined on Linux systems too:
3335
3336 Table 9. BSD exit codes
3337 ┌──────────┬────────────────┬─────────────────────┐
3338 │Exit Code │ Symbolic Name │ Description │
3339 ├──────────┼────────────────┼─────────────────────┤
3340 │64 │ EX_USAGE │ Command line usage │
3341 │ │ │ error │
3342 ├──────────┼────────────────┼─────────────────────┤
3343 │65 │ EX_DATAERR │ Data format error │
3344 ├──────────┼────────────────┼─────────────────────┤
3345 │66 │ EX_NOINPUT │ Cannot open input │
3346 ├──────────┼────────────────┼─────────────────────┤
3347 │67 │ EX_NOUSER │ Addressee unknown │
3348 ├──────────┼────────────────┼─────────────────────┤
3349 │68 │ EX_NOHOST │ Host name unknown │
3350 ├──────────┼────────────────┼─────────────────────┤
3351 │69 │ EX_UNAVAILABLE │ Service unavailable │
3352 ├──────────┼────────────────┼─────────────────────┤
3353 │70 │ EX_SOFTWARE │ internal software │
3354 │ │ │ error │
3355 ├──────────┼────────────────┼─────────────────────┤
3356 │71 │ EX_OSERR │ System error (e.g., │
3357 │ │ │ can't fork) │
3358 ├──────────┼────────────────┼─────────────────────┤
3359 │72 │ EX_OSFILE │ Critical OS file │
3360 │ │ │ missing │
3361 ├──────────┼────────────────┼─────────────────────┤
3362 │73 │ EX_CANTCREAT │ Can't create (user) │
3363 │ │ │ output file │
3364 ├──────────┼────────────────┼─────────────────────┤
3365 │74 │ EX_IOERR │ Input/output error │
3366 ├──────────┼────────────────┼─────────────────────┤
3367 │75 │ EX_TEMPFAIL │ Temporary failure; │
3368 │ │ │ user is invited to │
3369 │ │ │ retry │
3370 ├──────────┼────────────────┼─────────────────────┤
3371 │76 │ EX_PROTOCOL │ Remote error in │
3372 │ │ │ protocol │
3373 ├──────────┼────────────────┼─────────────────────┤
3374 │77 │ EX_NOPERM │ Permission denied │
3375 ├──────────┼────────────────┼─────────────────────┤
3376 │78 │ EX_CONFIG │ Configuration error │
3377 └──────────┴────────────────┴─────────────────────┘
3378
3380 systemd(1), systemctl(1), systemd-analyze(1), journalctl(1), systemd-
3381 system.conf(5), systemd.unit(5), systemd.service(5), systemd.socket(5),
3382 systemd.swap(5), systemd.mount(5), systemd.kill(5), systemd.resource-
3383 control(5), systemd.time(7), systemd.directives(7), tmpfiles.d(5),
3384 exec(3), fork(2)
3385
3387 1. Discoverable Partitions Specification
3388 https://systemd.io/DISCOVERABLE_PARTITIONS
3389
3390 2. The /proc Filesystem
3391 https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options
3392
3393 3. User/Group Name Syntax
3394 https://systemd.io/USER_NAMES
3395
3396 4. No New Privileges Flag
3397 https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html
3398
3399 5. JSON User Record
3400 https://systemd.io/USER_RECORD
3401
3402 6. proc.txt
3403 https://www.kernel.org/doc/Documentation/filesystems/proc.txt
3404
3405 7. C escapes
3406 https://en.wikipedia.org/wiki/Escape_sequences_in_C#Table_of_escape_sequences
3407
3408 8. most control characters
3409 https://en.wikipedia.org/wiki/Control_character#In_ASCII
3410
3411 9. Base64
3412 https://tools.ietf.org/html/rfc2045#section-6.8
3413
3414 10. LSB specification
3415 https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
3416
3417
3418
3419systemd 248 SYSTEMD.EXEC(5)