File Coverage

blib/lib/Config/Model/models/Systemd/Common/Exec.pl

Criterion	Covered	Total	%
statement	18	18	100.0
branch			n/a
condition			n/a
subroutine	6	6	100.0
pod			n/a
total	24	24	100.0

line	stmt	sub	time	code
1				#
2				# This file is part of Config-Model-Systemd
3				#
4				# This software is Copyright (c) 2008-2022 by Dominique Dumont.
5				#
6				# This is free software, licensed under:
7				#
8				# The GNU Lesser General Public License, Version 2.1, February 1999
9				#
10	4	4	16563	use strict;
	4	1	19
	4	1	91
	1		2515
	1		2
	1		58
	1		2606
	1		2
	1		17
11	4	4	17	use warnings;
	4	1	8
	4	1	14056
	1		6
	1		1
	1		3308
	1		6
	1		2
	1		3890
12
13				return [
14				{
15				'accept' => [
16				'.*',
17				{
18				'type' => 'leaf',
19				'value_type' => 'uniline',
20				'warn' => 'Unexpected systemd parameter. Please contact cme author to update systemd model.'
21				}
22				],
23				'class_description' => 'Unit configuration files for services, sockets, mount points, and swap devices share a subset of
24				configuration options which define the execution environment of spawned processes.
25
26				This man page lists the configuration options shared by these four unit types. See
27				L<systemd.unit(5)> for the common
28				options of all unit configuration files, and
29				L<systemd.service(5)>,
30				L<systemd.socket(5)>,
31				L<systemd.swap(5)>, and
32				L<systemd.mount(5)> for more
33				information on the specific unit configuration files. The execution specific configuration options are configured
34				in the [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type.
35
36				In addition, options which control resources through Linux Control Groups (cgroups) are listed in
37				L<systemd.resource-control(5)>.
38				Those options complement options listed here.
39
40				The following service exit codes are defined by the L<LSB specification\|https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html>.
41
42
43
44				The LSB specification suggests that error codes 200 and above are reserved for implementations. Some of them are
45				used by the service manager to indicate problems during process invocation:
46
47
48				Finally, the BSD operating systems define a set of exit codes, typically defined on Linux systems too:
49				This configuration class was generated from systemd documentation.
50				by L<parse-man.pl\|https://github.com/dod38fr/config-model-systemd/contrib/parse-man.pl>
51				',
52				'copyright' => [
53				'2010-2016 Lennart Poettering and others',
54				'2016 Dominique Dumont'
55				],
56				'element' => [
57				'ExecSearchPath',
58				{
59				'cargo' => {
60				'type' => 'leaf',
61				'value_type' => 'uniline'
62				},
63				'description' => 'Takes a colon separated list of absolute paths relative to which the executable
64				used by the C<Exec*=> (e.g. C<ExecStart>,
65				C<ExecStop>, etc.) properties can be found. C<ExecSearchPath>
66				overrides C<$PATH> if C<$PATH> is not supplied by the user through
67				C<Environment>, C<EnvironmentFile> or
68				C<PassEnvironment>. Assigning an empty string removes previous assignments
69				and setting C<ExecSearchPath> to a value multiple times will append
70				to the previous setting.
71				',
72				'type' => 'list'
73				},
74				'WorkingDirectory',
75				{
76				'description' => 'Takes a directory path relative to the service\'s root directory specified by
77				C<RootDirectory>, or the special value C<~>. Sets the working directory for
78				executed processes. If set to C<~>, the home directory of the user specified in
79				C<User> is used. If not set, defaults to the root directory when systemd is running as a
80				system instance and the respective user\'s home directory if run as user. If the setting is prefixed with the
81				C<-> character, a missing working directory is not considered fatal. If
82				C<RootDirectory>/C<RootImage> is not set, then
83				C<WorkingDirectory> is relative to the root of the system running the service manager. Note
84				that setting this parameter might result in additional dependencies to be added to the unit (see
85				above).',
86				'type' => 'leaf',
87				'value_type' => 'uniline'
88				},
89				'RootDirectory',
90				{
91				'description' => 'Takes a directory path relative to the host\'s root directory (i.e. the root of the system
92				running the service manager). Sets the root directory for executed processes, with the L<chroot(2)> system
93				call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in
94				the chroot() jail. Note that setting this parameter might result in additional
95				dependencies to be added to the unit (see above).
96
97				The C<MountAPIVFS> and C<PrivateUsers> settings are particularly useful
98				in conjunction with C<RootDirectory>. For details, see below.
99
100				If C<RootDirectory>/C<RootImage> are used together with
101				C<NotifyAccess> the notification socket is automatically mounted from the host into
102				the root environment, to ensure the notification interface can work correctly.
103
104				Note that services using C<RootDirectory>/C<RootImage> will
105				not be able to log via the syslog or journal protocols to the host logging infrastructure, unless the
106				relevant sockets are mounted from the host, specifically:',
107				'type' => 'leaf',
108				'value_type' => 'uniline'
109				},
110				'RootImage',
111				{
112				'description' => 'Takes a path to a block device node or regular file as argument. This call is similar
113				to C<RootDirectory> however mounts a file system hierarchy from a block device node
114				or loopback file instead of a directory. The device node or file system image file needs to contain a
115				file system without a partition table, or a file system within an MBR/MS-DOS or GPT partition table
116				with only a single Linux-compatible partition, or a set of file systems within a GPT partition table
117				that follows the L<Discoverable Partitions
118				Specification\|https://systemd.io/DISCOVERABLE_PARTITIONS>.
119
120				When C<DevicePolicy> is set to C<closed> or
121				C<strict>, or set to C<auto> and C<DeviceAllow> is
122				set, then this setting adds C</dev/loop-control> with C<rw> mode,
123				C<block-loop> and C<block-blkext> with C<rwm> mode
124				to C<DeviceAllow>. See
125				L<systemd.resource-control(5)>
126				for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
127				C<PrivateDevices> below, as it may change the setting of
128				C<DevicePolicy>.
129
130				Units making use of C<RootImage> automatically gain an
131				C<After> dependency on C<systemd-udevd.service>.',
132				'type' => 'leaf',
133				'value_type' => 'uniline'
134				},
135				'RootImageOptions',
136				{
137				'description' => 'Takes a comma-separated list of mount options that will be used on disk images specified by
138				C<RootImage>. Optionally a partition name can be prefixed, followed by colon, in
139				case the image has multiple partitions, otherwise partition name C<root> is implied.
140				Options for multiple partitions can be specified in a single line with space separators. Assigning an empty
141				string removes previous assignments. Duplicated options are ignored. For a list of valid mount options, please
142				refer to
143				L<mount(8)>.
144
145				Valid partition names follow the L<Discoverable Partitions Specification\|https://systemd.io/DISCOVERABLE_PARTITIONS>:
146				C<root>, C<usr>, C<home>, C<srv>,
147				C<esp>, C<xbootldr>, C<tmp>,
148				C<var>.',
149				'type' => 'leaf',
150				'value_type' => 'uniline'
151				},
152				'RootHash',
153				{
154				'description' => 'Takes a data integrity (dm-verity) root hash specified in hexadecimal, or the path to a file
155				containing a root hash in ASCII hexadecimal format. This option enables data integrity checks using dm-verity,
156				if the used image contains the appropriate integrity data (see above) or if C<RootVerity> is used.
157				The specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64
158				formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but
159				the image file carries the C<user.verity.roothash> extended file attribute (see L<xattr(7)>), then the root
160				hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or
161				is not supported by the underlying file system), but a file with the C<.roothash> suffix is
162				found next to the image file, bearing otherwise the same name (except if the image has the
163				C<.raw> suffix, in which case the root hash file must not have it in its name), the root hash
164				is read from it and automatically used, also as formatted hexadecimal characters.
165
166				If the disk image contains a separate C</usr/> partition it may also be
167				Verity protected, in which case the root hash may configured via an extended attribute
168				C<user.verity.usrhash> or a C<.usrhash> file adjacent to the disk
169				image. There\'s currently no option to configure the root hash for the C</usr/> file
170				system via the unit file directly.',
171				'type' => 'leaf',
172				'value_type' => 'uniline'
173				},
174				'RootHashSignature',
175				{
176				'description' => 'Takes a PKCS7 signature of the C<RootHash> option as a path to a
177				DER-encoded signature file, or as an ASCII base64 string encoding of a DER-encoded signature prefixed
178				by C<base64:>. The dm-verity volume will only be opened if the signature of the root
179				hash is valid and signed by a public key present in the kernel keyring. If this option is not
180				specified, but a file with the C<.roothash.p7s> suffix is found next to the image
181				file, bearing otherwise the same name (except if the image has the C<.raw> suffix,
182				in which case the signature file must not have it in its name), the signature is read from it and
183				automatically used.
184
185				If the disk image contains a separate C</usr/> partition it may also be
186				Verity protected, in which case the signature for the root hash may configured via a
187				C<.usrhash.p7s> file adjacent to the disk image. There\'s currently no option to
188				configure the root hash signature for the C</usr/> via the unit file
189				directly.',
190				'type' => 'leaf',
191				'value_type' => 'uniline'
192				},
193				'RootVerity',
194				{
195				'description' => 'Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks
196				using dm-verity, if C<RootImage> is used and a root-hash is passed and if the used image itself
197				does not contains the integrity data. The integrity data must be matched by the root hash. If this option is not
198				specified, but a file with the C<.verity> suffix is found next to the image file, bearing otherwise
199				the same name (except if the image has the C<.raw> suffix, in which case the verity data file must
200				not have it in its name), the verity data is read from it and automatically used.
201
202				This option is supported only for disk images that contain a single file system, without an
203				enveloping partition table. Images that contain a GPT partition table should instead include both
204				root file system and matching Verity data in the same image, implementing the L<Discoverable Partitions Specification\|https://systemd.io/DISCOVERABLE_PARTITIONS>.',
205				'type' => 'leaf',
206				'value_type' => 'uniline'
207				},
208				'MountAPIVFS',
209				{
210				'description' => 'Takes a boolean argument. If on, a private mount namespace for the unit\'s processes is created
211				and the API file systems C</proc/>, C</sys/>, C</dev/> and
212				C</run/> (as an empty C<tmpfs>) are mounted inside of it, unless they are
213				already mounted. Note that this option has no effect unless used in conjunction with
214				C<RootDirectory>/C<RootImage> as these four mounts are
215				generally mounted in the host anyway, and unless the root directory is changed, the private mount namespace
216				will be a 1:1 copy of the host\'s, and include these four mounts. Note that the C</dev/> file
217				system of the host is bind mounted if this option is used without C<PrivateDevices>. To run
218				the service with a private, minimal version of C</dev/>, combine this option with
219				C<PrivateDevices>.
220
221				In order to allow propagating mounts at runtime in a safe manner, C</run/systemd/propagate>
222				on the host will be used to set up new mounts, and C</run/host/incoming/> in the private namespace
223				will be used as an intermediate step to store them before being moved to the final mount point.',
224				'type' => 'leaf',
225				'value_type' => 'boolean',
226				'write_as' => [
227				'no',
228				'yes'
229				]
230				},
231				'ProtectProc',
232				{
233				'choice' => [
234				'noaccess',
235				'invisible',
236				'ptraceable',
237				'default'
238				],
239				'description' => 'Takes one of C<noaccess>, C<invisible>,
240				C<ptraceable> or C<default> (which it defaults to). When set, this
241				controls the C<hidepid=> mount option of the C<procfs> instance for
242				the unit that controls which directories with process metainformation
243				(C</proc/PID>) are visible and accessible: when set to
244				C<noaccess> the ability to access most of other users\' process metadata in
245				C</proc/> is taken away for processes of the service. When set to
246				C<invisible> processes owned by other users are hidden from
247				C</proc/>. If C<ptraceable> all processes that cannot be
248				ptrace()\'ed by a process are hidden to it. If C<default> no
249				restrictions on C</proc/> access or visibility are made. For further details see
250				L<The /proc
251				Filesystem\|https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options>. It is generally recommended to run most system services with this option set to
252				C<invisible>. This option is implemented via file system namespacing, and thus cannot
253				be used with services that shall be able to install mount points in the host file system
254				hierarchy. Note that the root user is unaffected by this option, so to be effective it has to be used
255				together with C<User> or C<DynamicUser=yes>, and also without the
256				C<CAP_SYS_PTRACE> capability, which also allows a process to bypass this feature. It
257				cannot be used for services that need to access metainformation about other users\' processes. This
258				option implies C<MountAPIVFS>.
259
260				If the kernel doesn\'t support per-mount point C<hidepid=> mount options this
261				setting remains without effect, and the unit\'s processes will be able to access and see other process
262				as if the option was not used.',
263				'type' => 'leaf',
264				'value_type' => 'enum'
265				},
266				'ProcSubset',
267				{
268				'choice' => [
269				'all',
270				'pid'
271				],
272				'description' => 'Takes one of C<all> (the default) and C<pid>. If
273				C<pid>, all files and directories not directly associated with process management and
274				introspection are made invisible in the C</proc/> file system configured for the
275				unit\'s processes. This controls the C<subset=> mount option of the
276				C<procfs> instance for the unit. For further details see L<The /proc
277				Filesystem\|https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options>. Note that Linux exposes various kernel APIs via C</proc/>,
278				which are made unavailable with this setting. Since these APIs are used frequently this option is
279				useful only in a few, specific cases, and is not suitable for most non-trivial programs.
280
281				Much like C<ProtectProc> above, this is implemented via file system mount
282				namespacing, and hence the same restrictions apply: it is only available to system services, it
283				disables mount propagation to the host mount table, and it implies
284				C<MountAPIVFS>. Also, like C<ProtectProc> this setting is gracefully
285				disabled if the used kernel does not support the C<subset=> mount option of
286				C<procfs>.',
287				'type' => 'leaf',
288				'value_type' => 'enum'
289				},
290				'BindPaths',
291				{
292				'cargo' => {
293				'type' => 'leaf',
294				'value_type' => 'uniline'
295				},
296				'description' => 'Configures unit-specific bind mounts. A bind mount makes a particular file or directory
297				available at an additional place in the unit\'s view of the file system. Any bind mounts created with this
298				option are specific to the unit, and are not visible in the host\'s mount table. This option expects a
299				whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of
300				source path, destination path and option string, where the latter two are optional. If only a source path is
301				specified the source and destination is taken to be the same. The option string may be either
302				C<rbind> or C<norbind> for configuring a recursive or non-recursive bind
303				mount. If the destination path is omitted, the option string must be omitted too.
304				Each bind mount definition may be prefixed with C<->, in which case it will be ignored
305				when its source path does not exist.
306
307				C<BindPaths> creates regular writable bind mounts (unless the source file system mount
308				is already marked read-only), while C<BindReadOnlyPaths> creates read-only bind mounts. These
309				settings may be used more than once, each usage appends to the unit\'s list of bind mounts. If the empty string
310				is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note
311				that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is
312				used.
313
314				This option is particularly useful when C<RootDirectory>/C<RootImage>
315				is used. In this case the source path refers to a path on the host file system, while the destination path
316				refers to a path below the root directory of the unit.
317
318				Note that the destination directory must exist or systemd must be able to create it. Thus, it
319				is not possible to use those options for mount points nested underneath paths specified in
320				C<InaccessiblePaths>, or under C</home/> and other protected
321				directories if C<ProtectHome=yes> is
322				specified. C<TemporaryFileSystem> with C<:ro> or
323				C<ProtectHome=tmpfs> should be used instead.',
324				'type' => 'list'
325				},
326				'BindReadOnlyPaths',
327				{
328				'cargo' => {
329				'type' => 'leaf',
330				'value_type' => 'uniline'
331				},
332				'description' => 'Configures unit-specific bind mounts. A bind mount makes a particular file or directory
333				available at an additional place in the unit\'s view of the file system. Any bind mounts created with this
334				option are specific to the unit, and are not visible in the host\'s mount table. This option expects a
335				whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of
336				source path, destination path and option string, where the latter two are optional. If only a source path is
337				specified the source and destination is taken to be the same. The option string may be either
338				C<rbind> or C<norbind> for configuring a recursive or non-recursive bind
339				mount. If the destination path is omitted, the option string must be omitted too.
340				Each bind mount definition may be prefixed with C<->, in which case it will be ignored
341				when its source path does not exist.
342
343				C<BindPaths> creates regular writable bind mounts (unless the source file system mount
344				is already marked read-only), while C<BindReadOnlyPaths> creates read-only bind mounts. These
345				settings may be used more than once, each usage appends to the unit\'s list of bind mounts. If the empty string
346				is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note
347				that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is
348				used.
349
350				This option is particularly useful when C<RootDirectory>/C<RootImage>
351				is used. In this case the source path refers to a path on the host file system, while the destination path
352				refers to a path below the root directory of the unit.
353
354				Note that the destination directory must exist or systemd must be able to create it. Thus, it
355				is not possible to use those options for mount points nested underneath paths specified in
356				C<InaccessiblePaths>, or under C</home/> and other protected
357				directories if C<ProtectHome=yes> is
358				specified. C<TemporaryFileSystem> with C<:ro> or
359				C<ProtectHome=tmpfs> should be used instead.',
360				'type' => 'list'
361				},
362				'MountImages',
363				{
364				'cargo' => {
365				'type' => 'leaf',
366				'value_type' => 'uniline'
367				},
368				'description' => 'This setting is similar to C<RootImage> in that it mounts a file
369				system hierarchy from a block device node or loopback file, but the destination directory can be
370				specified as well as mount options. This option expects a whitespace separated list of mount
371				definitions. Each definition consists of a colon-separated tuple of source path and destination
372				definitions, optionally followed by another colon and a list of mount options.
373
374				Mount options may be defined as a single comma-separated list of options, in which case they
375				will be implicitly applied to the root partition on the image, or a series of colon-separated tuples
376				of partition name and mount options. Valid partition names and mount options are the same as for
377				C<RootImageOptions> setting described above.
378
379				Each mount definition may be prefixed with C<->, in which case it will be
380				ignored when its source path does not exist. The source argument is a path to a block device node or
381				regular file. If source or destination contain a C<:>, it needs to be escaped as
382				C<\\:>. The device node or file system image file needs to follow the same rules as
383				specified for C<RootImage>. Any mounts created with this option are specific to the
384				unit, and are not visible in the host\'s mount table.
385
386				These settings may be used more than once, each usage appends to the unit\'s list of mount
387				paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
388				reset.
389
390				Note that the destination directory must exist or systemd must be able to create it. Thus, it
391				is not possible to use those options for mount points nested underneath paths specified in
392				C<InaccessiblePaths>, or under C</home/> and other protected
393				directories if C<ProtectHome=yes> is specified.
394
395				When C<DevicePolicy> is set to C<closed> or
396				C<strict>, or set to C<auto> and C<DeviceAllow> is
397				set, then this setting adds C</dev/loop-control> with C<rw> mode,
398				C<block-loop> and C<block-blkext> with C<rwm> mode
399				to C<DeviceAllow>. See
400				L<systemd.resource-control(5)>
401				for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
402				C<PrivateDevices> below, as it may change the setting of
403				C<DevicePolicy>.',
404				'type' => 'list'
405				},
406				'ExtensionImages',
407				{
408				'cargo' => {
409				'type' => 'leaf',
410				'value_type' => 'uniline'
411				},
412				'description' => 'This setting is similar to C<MountImages> in that it mounts a file
413				system hierarchy from a block device node or loopback file, but instead of providing a destination
414				path, an overlay will be set up. This option expects a whitespace separated list of mount
415				definitions. Each definition consists of a source path, optionally followed by a colon and a list of
416				mount options.
417
418				A read-only OverlayFS will be set up on top of C</usr/> and
419				C</opt/> hierarchies. The order in which the images are listed will determine the
420				order in which the overlay is laid down: images specified first to last will result in overlayfs
421				layers bottom to top.
422
423				Mount options may be defined as a single comma-separated list of options, in which case they
424				will be implicitly applied to the root partition on the image, or a series of colon-separated tuples
425				of partition name and mount options. Valid partition names and mount options are the same as for
426				C<RootImageOptions> setting described above.
427
428				Each mount definition may be prefixed with C<->, in which case it will be
429				ignored when its source path does not exist. The source argument is a path to a block device node or
430				regular file. If the source path contains a C<:>, it needs to be escaped as
431				C<\\:>. The device node or file system image file needs to follow the same rules as
432				specified for C<RootImage>. Any mounts created with this option are specific to the
433				unit, and are not visible in the host\'s mount table.
434
435				These settings may be used more than once, each usage appends to the unit\'s list of image
436				paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
437				reset.
438
439				Each image must carry a C</usr/lib/extension-release.d/extension-release.IMAGE>
440				file, with the appropriate metadata which matches C<RootImage>/C<RootDirectory>
441				or the host. See:
442				L<os-release(5)>.
443
444				When C<DevicePolicy> is set to C<closed> or
445				C<strict>, or set to C<auto> and C<DeviceAllow> is
446				set, then this setting adds C</dev/loop-control> with C<rw> mode,
447				C<block-loop> and C<block-blkext> with C<rwm> mode
448				to C<DeviceAllow>. See
449				L<systemd.resource-control(5)>
450				for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
451				C<PrivateDevices> below, as it may change the setting of
452				C<DevicePolicy>.',
453				'type' => 'list'
454				},
455				'ExtensionDirectories',
456				{
457				'cargo' => {
458				'type' => 'leaf',
459				'value_type' => 'uniline'
460				},
461				'description' => 'This setting is similar to C<BindReadOnlyPaths> in that it mounts a file
462				system hierarchy from a directory, but instead of providing a destination path, an overlay will be set
463				up. This option expects a whitespace separated list of source directories.
464
465				A read-only OverlayFS will be set up on top of C</usr/> and
466				C</opt/> hierarchies. The order in which the directories are listed will determine
467				the order in which the overlay is laid down: directories specified first to last will result in overlayfs
468				layers bottom to top.
469
470				Each directory listed in C<ExtensionDirectories> may be prefixed with C<->,
471				in which case it will be ignored when its source path does not exist. Any mounts created with this option are
472				specific to the unit, and are not visible in the host\'s mount table.
473
474				These settings may be used more than once, each usage appends to the unit\'s list of directories
475				paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
476				reset.
477
478				Each directory must contain a C</usr/lib/extension-release.d/extension-release.IMAGE>
479				file, with the appropriate metadata which matches C<RootImage>/C<RootDirectory>
480				or the host. See:
481				L<os-release(5)>.
482
483				Note that usage from user units requires overlayfs support in unprivileged user namespaces,
484				which was first introduced in kernel v5.11.',
485				'type' => 'list'
486				},
487				'User',
488				{
489				'description' => "Set the UNIX user or group that the processes are executed as, respectively. Takes a single
490				user or group name, or a numeric ID as argument. For system services (services run by the system service
491				manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of
492				systemd --user), the default is C<root>, but C<User> may be
493				used to specify a different user. For user services of any other user, switching user identity is not
494				permitted, hence the only valid setting is the same user the user's service manager is running as. If no group
495				is set, the default group of the user is used. This setting does not affect commands whose command line is
496				prefixed with C<+>.
497
498				Note that this enforces only weak restrictions on the user/group name syntax, but will generate
499				warnings in many cases where user/group names do not adhere to the following rules: the specified
500				name should consist only of the characters a-z, A-Z, 0-9, C<_> and
501				C<->, except for the first character which must be one of a-z, A-Z and
502				C<_> (i.e. digits and C<-> are not permitted as first character). The
503				user/group name must have at least one character, and at most 31. These restrictions are made in
504				order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux
505				systems. For further details on the names accepted and the names warned about see L<User/Group Name Syntax\|https://systemd.io/USER_NAMES>.
506
507				When used in conjunction with C<DynamicUser> the user/group name specified is
508				dynamically allocated at the time the service is started, and released at the time the service is
509				stopped \x{2014} unless it is already allocated statically (see below). If C<DynamicUser>
510				is not used the specified user and group must have been created statically in the user database no
511				later than the moment the service is started, for example using the
512				L<sysusers.d(5)>
513				facility, which is applied at boot or package install time. If the user does not exist by then
514				program invocation will fail.
515
516				If the C<User> setting is used the supplementary group list is initialized
517				from the specified user's default group list, as defined in the system's user and group
518				database. Additional groups may be configured through the C<SupplementaryGroups>
519				setting (see below).",
520				'type' => 'leaf',
521				'value_type' => 'uniline'
522				},
523				'Group',
524				{
525				'description' => "Set the UNIX user or group that the processes are executed as, respectively. Takes a single
526				user or group name, or a numeric ID as argument. For system services (services run by the system service
527				manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of
528				systemd --user), the default is C<root>, but C<User> may be
529				used to specify a different user. For user services of any other user, switching user identity is not
530				permitted, hence the only valid setting is the same user the user's service manager is running as. If no group
531				is set, the default group of the user is used. This setting does not affect commands whose command line is
532				prefixed with C<+>.
533
534				Note that this enforces only weak restrictions on the user/group name syntax, but will generate
535				warnings in many cases where user/group names do not adhere to the following rules: the specified
536				name should consist only of the characters a-z, A-Z, 0-9, C<_> and
537				C<->, except for the first character which must be one of a-z, A-Z and
538				C<_> (i.e. digits and C<-> are not permitted as first character). The
539				user/group name must have at least one character, and at most 31. These restrictions are made in
540				order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux
541				systems. For further details on the names accepted and the names warned about see L<User/Group Name Syntax\|https://systemd.io/USER_NAMES>.
542
543				When used in conjunction with C<DynamicUser> the user/group name specified is
544				dynamically allocated at the time the service is started, and released at the time the service is
545				stopped \x{2014} unless it is already allocated statically (see below). If C<DynamicUser>
546				is not used the specified user and group must have been created statically in the user database no
547				later than the moment the service is started, for example using the
548				L<sysusers.d(5)>
549				facility, which is applied at boot or package install time. If the user does not exist by then
550				program invocation will fail.
551
552				If the C<User> setting is used the supplementary group list is initialized
553				from the specified user's default group list, as defined in the system's user and group
554				database. Additional groups may be configured through the C<SupplementaryGroups>
555				setting (see below).",
556				'type' => 'leaf',
557				'value_type' => 'uniline'
558				},
559				'DynamicUser',
560				{
561				'description' => "Takes a boolean parameter. If set, a UNIX user and group pair is allocated
562				dynamically when the unit is started, and released as soon as it is stopped. The user and group will
563				not be added to C</etc/passwd> or C</etc/group>, but are managed
564				transiently during runtime. The
565				L<nss-systemd(8)> glibc
566				NSS module provides integration of these dynamic users/groups into the system's user and group
567				databases. The user and group name to use may be configured via C<User> and
568				C<Group> (see above). If these options are not used and dynamic user/group
569				allocation is enabled for a unit, the name of the dynamic user/group is implicitly derived from the
570				unit name. If the unit name without the type suffix qualifies as valid user name it is used directly,
571				otherwise a name incorporating a hash of it is used. If a statically allocated user or group of the
572				configured name already exists, it is used and no dynamic user/group is allocated. Note that if
573				C<User> is specified and the static group with the name exists, then it is required
574				that the static user with the name already exists. Similarly, if C<Group> is
575				specified and the static user with the name exists, then it is required that the static group with
576				the name already exists. Dynamic users/groups are allocated from the UID/GID range 61184\x{2026}65519. It is
577				recommended to avoid this range for regular system or login users. At any point in time each UID/GID
578				from this range is only assigned to zero or one dynamically allocated users/groups in use. However,
579				UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running as
580				part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by
581				these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus
582				gain access to these files or directories. If C<DynamicUser> is enabled,
583				C<RemoveIPC> and C<PrivateTmp> are implied (and cannot be turned
584				off). This ensures that the lifetime of IPC objects and temporary files created by the executed
585				processes is bound to the runtime of the service, and hence the lifetime of the dynamic
586				user/group. Since C</tmp/> and C</var/tmp/> are usually the only
587				world-writable directories on a system this ensures that a unit making use of dynamic user/group
588				allocation cannot leave files around after unit termination. Furthermore
589				C<NoNewPrivileges> and C<RestrictSUIDSGID> are implicitly enabled
590				(and cannot be disabled), to ensure that processes invoked cannot take benefit or create SUID/SGID
591				files or directories. Moreover C<ProtectSystem=strict> and
592				C<ProtectHome=read-only> are implied, thus prohibiting the service to write to
593				arbitrary file system locations. In order to allow the service to write to certain directories, they
594				have to be allow-listed using C<ReadWritePaths>, but care must be taken so that
595				UID/GID recycling doesn't create security issues involving files created by the service. Use
596				C<RuntimeDirectory> (see below) in order to assign a writable runtime directory to a
597				service, owned by the dynamic user/group and removed automatically when the unit is terminated. Use
598				C<StateDirectory>, C<CacheDirectory> and
599				C<LogsDirectory> in order to assign a set of writable directories for specific
600				purposes to the service in a way that they are protected from vulnerabilities due to UID reuse (see
601				below). If this option is enabled, care should be taken that the unit's processes do not get access
602				to directories outside of these explicitly configured and managed ones. Specifically, do not use
603				C<BindPaths> and be careful with C<AF_UNIX> file descriptor
604				passing for directory file descriptors, as this would permit processes to create files or directories
605				owned by the dynamic user/group that are not subject to the lifecycle and access guarantees of the
606				service. Defaults to off.",
607				'type' => 'leaf',
608				'value_type' => 'boolean',
609				'write_as' => [
610				'no',
611				'yes'
612				]
613				},
614				'SupplementaryGroups',
615				{
616				'cargo' => {
617				'type' => 'leaf',
618				'value_type' => 'uniline'
619				},
620				'description' => 'Sets the supplementary Unix groups the processes are executed as. This takes a space-separated
621				list of group names or IDs. This option may be specified more than once, in which case all listed groups are
622				set as supplementary groups. When the empty string is assigned, the list of supplementary groups is reset, and
623				all assignments prior to this one will have no effect. In any way, this option does not override, but extends
624				the list of supplementary groups configured in the system group database for the user. This does not affect
625				commands prefixed with C<+>.',
626				'type' => 'list'
627				},
628				'PAMName',
629				{
630				'description' => 'Sets the PAM service name to set up a session as. If set, the executed process will be
631				registered as a PAM session under the specified service name. This is only useful in conjunction with the
632				C<User> setting, and is otherwise ignored. If not set, no PAM session will be opened for the
633				executed processes. See L<pam(8)> for
634				details.
635
636				Note that for each unit making use of this option a PAM session handler process will be maintained as
637				part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be
638				taken when the unit and hence the PAM session terminates. This process is named C<(sd-pam)> and
639				is an immediate child process of the unit\'s main process.
640
641				Note that when this option is used for a unit it is very likely (depending on PAM configuration) that the
642				main unit process will be migrated to its own session scope unit when it is activated. This process will hence
643				be associated with two units: the unit it was originally started from (and for which
644				C<PAMName> was configured), and the session scope unit. Any child processes of that process
645				will however be associated with the session scope unit only. This has implications when used in combination
646				with C<NotifyAccess>C<all>, as these child processes will not be able to affect
647				changes in the original unit through notification messages. These messages will be considered belonging to the
648				session scope unit and not the original unit. It is hence not recommended to use C<PAMName> in
649				combination with C<NotifyAccess>C<all>.',
650				'type' => 'leaf',
651				'value_type' => 'uniline'
652				},
653				'CapabilityBoundingSet',
654				{
655				'description' => 'Controls which capabilities to include in the capability bounding set for the
656				executed process. See L<capabilities(7)>
657				for details. Takes a whitespace-separated list of capability names,
658				e.g. C<CAP_SYS_ADMIN>, C<CAP_DAC_OVERRIDE>,
659				C<CAP_SYS_PTRACE>. Capabilities listed will be included in the bounding set, all
660				others are removed. If the list of capabilities is prefixed with C<~>, all but the
661				listed capabilities will be included, the effect of the assignment inverted. Note that this option
662				also affects the respective capabilities in the effective, permitted and inheritable capability
663				sets. If this option is not used, the capability bounding set is not modified on process execution,
664				hence no limits on the capabilities of the process are enforced. This option may appear more than
665				once, in which case the bounding sets are merged by C<OR>, or by
666				C<AND> if the lines are prefixed with C<~> (see below). If the
667				empty string is assigned to this option, the bounding set is reset to the empty capability set, and
668				all prior settings have no effect. If set to C<~> (without any further argument),
669				the bounding set is reset to the full set of available capabilities, also undoing any previous
670				settings. This does not affect commands prefixed with C<+>.
671
672				Use
673				L<systemd-analyze(1)>\'s
674				capability command to retrieve a list of capabilities defined on the local
675				system.
676
677				Example: if a unit has the following,
678
679				CapabilityBoundingSet=CAP_A CAP_B
680				CapabilityBoundingSet=CAP_B CAP_C
681
682				then C<CAP_A>, C<CAP_B>, and
683				C<CAP_C> are set. If the second line is prefixed with
684				C<~>, e.g.,
685
686				CapabilityBoundingSet=CAP_A CAP_B
687				CapabilityBoundingSet=~CAP_B CAP_C
688
689				then, only C<CAP_A> is set.',
690				'type' => 'leaf',
691				'value_type' => 'uniline'
692				},
693				'AmbientCapabilities',
694				{
695				'description' => 'Controls which capabilities to include in the ambient capability set for the executed
696				process. Takes a whitespace-separated list of capability names, e.g. C<CAP_SYS_ADMIN>,
697				C<CAP_DAC_OVERRIDE>, C<CAP_SYS_PTRACE>. This option may appear more than
698				once in which case the ambient capability sets are merged (see the above examples in
699				C<CapabilityBoundingSet>). If the list of capabilities is prefixed with C<~>,
700				all but the listed capabilities will be included, the effect of the assignment inverted. If the empty string is
701				assigned to this option, the ambient capability set is reset to the empty capability set, and all prior
702				settings have no effect. If set to C<~> (without any further argument), the ambient capability
703				set is reset to the full set of available capabilities, also undoing any previous settings. Note that adding
704				capabilities to ambient capability set adds them to the process\'s inherited capability set.
705
706				Ambient capability sets are useful if you want to execute a process as a non-privileged user but still want to
707				give it some capabilities. Note that in this case option C<keep-caps> is automatically added
708				to C<SecureBits> to retain the capabilities over the user
709				change. C<AmbientCapabilities> does not affect commands prefixed with
710				C<+>.',
711				'type' => 'leaf',
712				'value_type' => 'uniline'
713				},
714				'NoNewPrivileges',
715				{
716				'description' => 'Takes a boolean argument. If true, ensures that the service process and all its
717				children can never gain new privileges through execve() (e.g. via setuid or
718				setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that
719				a process and its children can never elevate privileges again. Defaults to false, but certain
720				settings override this and ignore the value of this setting. This is the case when
721				C<DynamicUser>,
722				C<LockPersonality>,
723				C<MemoryDenyWriteExecute>,
724				C<PrivateDevices>,
725				C<ProtectClock>,
726				C<ProtectHostname>,
727				C<ProtectKernelLogs>,
728				C<ProtectKernelModules>,
729				C<ProtectKernelTunables>,
730				C<RestrictAddressFamilies>,
731				C<RestrictNamespaces>,
732				C<RestrictRealtime>,
733				C<RestrictSUIDSGID>,
734				C<SystemCallArchitectures>,
735				C<SystemCallFilter>, or
736				C<SystemCallLog> are specified. Note that even if this setting is overridden
737				by them, systemctl show shows the original value of this setting. In case the
738				service will be run in a new mount namespace anyway and SELinux is disabled, all file systems
739				are mounted with C<MS_NOSUID> flag. Also see
740				L<No New
741				Privileges Flag\|https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html>.',
742				'type' => 'leaf',
743				'value_type' => 'boolean',
744				'write_as' => [
745				'no',
746				'yes'
747				]
748				},
749				'SecureBits',
750				{
751				'description' => 'Controls the secure bits set for the executed process. Takes a space-separated combination of
752				options from the following list: C<keep-caps>, C<keep-caps-locked>,
753				C<no-setuid-fixup>, C<no-setuid-fixup-locked>, C<noroot>, and
754				C<noroot-locked>. This option may appear more than once, in which case the secure bits are
755				ORed. If the empty string is assigned to this option, the bits are reset to 0. This does not affect commands
756				prefixed with C<+>. See L<capabilities(7)> for
757				details.',
758				'type' => 'leaf',
759				'value_type' => 'uniline'
760				},
761				'SELinuxContext',
762				{
763				'description' => 'Set the SELinux security context of the executed process. If set, this will override the
764				automated domain transition. However, the policy still needs to authorize the transition. This directive is
765				ignored if SELinux is disabled. If prefixed by C<->, failing to set the SELinux
766				security context will be ignored, but it\'s still possible that the subsequent
767				execve() may fail if the policy doesn\'t allow the transition for the
768				non-overridden context. This does not affect commands prefixed with C<+>. See
769				L<setexeccon(3)>
770				for details.',
771				'type' => 'leaf',
772				'value_type' => 'uniline'
773				},
774				'AppArmorProfile',
775				{
776				'description' => 'Takes a profile name as argument. The process executed by the unit will switch to
777				this profile when started. Profiles must already be loaded in the kernel, or the unit will fail. If
778				prefixed by C<->, all errors will be ignored. This setting has no effect if AppArmor
779				is not enabled. This setting does not affect commands prefixed with C<+>.',
780				'type' => 'leaf',
781				'value_type' => 'uniline'
782				},
783				'SmackProcessLabel',
784				{
785				'description' => 'Takes a C<SMACK64> security label as argument. The process executed by the unit
786				will be started under this label and SMACK will decide whether the process is allowed to run or not, based on
787				it. The process will continue to run under the label specified here unless the executable has its own
788				C<SMACK64EXEC> label, in which case the process will transition to run under that label. When not
789				specified, the label that systemd is running under is used. This directive is ignored if SMACK is
790				disabled.
791
792				The value may be prefixed by C<->, in which case all errors will be ignored. An empty
793				value may be specified to unset previous assignments. This does not affect commands prefixed with
794				C<+>.',
795				'type' => 'leaf',
796				'value_type' => 'uniline'
797				},
798				'LimitCPU',
799				{
800				'description' => "Set soft and hard limits on various resources for executed processes. See
801				L<setrlimit(2)> for
802				details on the resource limit concept. Resource limits may be specified in two formats: either as
803				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
804				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
805				Use the string C<infinity> to configure no limit on a specific resource. The
806				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
807				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
808				usual time units ms, s, min, h and so on may be used (see
809				L<systemd.time(7)> for
810				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
811				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
812				implied. Also, note that the effective granularity of the limits might influence their
813				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
814				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
815				syntaxes: if prefixed with C<+> or C<->, the value is understood as
816				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
817				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
818
819				Note that most process resource limits configured with these options are per-process, and
820				processes may fork in order to acquire a new set of resources that are accounted independently of the
821				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
822				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
823				controls listed in
824				L<systemd.resource-control(5)>
825				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
826				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
827				powerful (and working) replacement for C<LimitRSS>.
828
829				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
830				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
831				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
832				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
833				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
834
835				Resource limits not configured explicitly for a unit default to the value configured in the various
836				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
837				L<systemd-system.conf(5)>, and \x{2013}
838				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
839				services, see below).
840
841				For system units these resource limits may be chosen freely. When these settings are configured
842				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
843				used to raise the limits above those set for the user manager itself when it was first invoked, as
844				the user's service manager generally lacks the privileges to do so. In user context these
845				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
846				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
847				available configuration mechanisms differ between operating systems, but typically require
848				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
849				setting limits on the system service encapsulating the user's service manager, i.e. the user's
850				instance of C<user\@.service>. After making such changes, make sure to restart the
851				user's service manager.",
852				'type' => 'leaf',
853				'value_type' => 'uniline'
854				},
855				'LimitFSIZE',
856				{
857				'description' => "Set soft and hard limits on various resources for executed processes. See
858				L<setrlimit(2)> for
859				details on the resource limit concept. Resource limits may be specified in two formats: either as
860				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
861				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
862				Use the string C<infinity> to configure no limit on a specific resource. The
863				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
864				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
865				usual time units ms, s, min, h and so on may be used (see
866				L<systemd.time(7)> for
867				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
868				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
869				implied. Also, note that the effective granularity of the limits might influence their
870				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
871				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
872				syntaxes: if prefixed with C<+> or C<->, the value is understood as
873				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
874				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
875
876				Note that most process resource limits configured with these options are per-process, and
877				processes may fork in order to acquire a new set of resources that are accounted independently of the
878				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
879				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
880				controls listed in
881				L<systemd.resource-control(5)>
882				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
883				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
884				powerful (and working) replacement for C<LimitRSS>.
885
886				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
887				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
888				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
889				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
890				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
891
892				Resource limits not configured explicitly for a unit default to the value configured in the various
893				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
894				L<systemd-system.conf(5)>, and \x{2013}
895				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
896				services, see below).
897
898				For system units these resource limits may be chosen freely. When these settings are configured
899				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
900				used to raise the limits above those set for the user manager itself when it was first invoked, as
901				the user's service manager generally lacks the privileges to do so. In user context these
902				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
903				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
904				available configuration mechanisms differ between operating systems, but typically require
905				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
906				setting limits on the system service encapsulating the user's service manager, i.e. the user's
907				instance of C<user\@.service>. After making such changes, make sure to restart the
908				user's service manager.",
909				'type' => 'leaf',
910				'value_type' => 'uniline'
911				},
912				'LimitDATA',
913				{
914				'description' => "Set soft and hard limits on various resources for executed processes. See
915				L<setrlimit(2)> for
916				details on the resource limit concept. Resource limits may be specified in two formats: either as
917				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
918				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
919				Use the string C<infinity> to configure no limit on a specific resource. The
920				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
921				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
922				usual time units ms, s, min, h and so on may be used (see
923				L<systemd.time(7)> for
924				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
925				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
926				implied. Also, note that the effective granularity of the limits might influence their
927				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
928				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
929				syntaxes: if prefixed with C<+> or C<->, the value is understood as
930				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
931				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
932
933				Note that most process resource limits configured with these options are per-process, and
934				processes may fork in order to acquire a new set of resources that are accounted independently of the
935				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
936				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
937				controls listed in
938				L<systemd.resource-control(5)>
939				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
940				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
941				powerful (and working) replacement for C<LimitRSS>.
942
943				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
944				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
945				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
946				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
947				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
948
949				Resource limits not configured explicitly for a unit default to the value configured in the various
950				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
951				L<systemd-system.conf(5)>, and \x{2013}
952				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
953				services, see below).
954
955				For system units these resource limits may be chosen freely. When these settings are configured
956				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
957				used to raise the limits above those set for the user manager itself when it was first invoked, as
958				the user's service manager generally lacks the privileges to do so. In user context these
959				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
960				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
961				available configuration mechanisms differ between operating systems, but typically require
962				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
963				setting limits on the system service encapsulating the user's service manager, i.e. the user's
964				instance of C<user\@.service>. After making such changes, make sure to restart the
965				user's service manager.",
966				'type' => 'leaf',
967				'value_type' => 'uniline'
968				},
969				'LimitSTACK',
970				{
971				'description' => "Set soft and hard limits on various resources for executed processes. See
972				L<setrlimit(2)> for
973				details on the resource limit concept. Resource limits may be specified in two formats: either as
974				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
975				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
976				Use the string C<infinity> to configure no limit on a specific resource. The
977				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
978				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
979				usual time units ms, s, min, h and so on may be used (see
980				L<systemd.time(7)> for
981				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
982				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
983				implied. Also, note that the effective granularity of the limits might influence their
984				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
985				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
986				syntaxes: if prefixed with C<+> or C<->, the value is understood as
987				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
988				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
989
990				Note that most process resource limits configured with these options are per-process, and
991				processes may fork in order to acquire a new set of resources that are accounted independently of the
992				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
993				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
994				controls listed in
995				L<systemd.resource-control(5)>
996				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
997				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
998				powerful (and working) replacement for C<LimitRSS>.
999
1000				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1001				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1002				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1003				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1004				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1005
1006				Resource limits not configured explicitly for a unit default to the value configured in the various
1007				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1008				L<systemd-system.conf(5)>, and \x{2013}
1009				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1010				services, see below).
1011
1012				For system units these resource limits may be chosen freely. When these settings are configured
1013				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1014				used to raise the limits above those set for the user manager itself when it was first invoked, as
1015				the user's service manager generally lacks the privileges to do so. In user context these
1016				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1017				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1018				available configuration mechanisms differ between operating systems, but typically require
1019				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1020				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1021				instance of C<user\@.service>. After making such changes, make sure to restart the
1022				user's service manager.",
1023				'type' => 'leaf',
1024				'value_type' => 'uniline'
1025				},
1026				'LimitCORE',
1027				{
1028				'description' => "Set soft and hard limits on various resources for executed processes. See
1029				L<setrlimit(2)> for
1030				details on the resource limit concept. Resource limits may be specified in two formats: either as
1031				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1032				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1033				Use the string C<infinity> to configure no limit on a specific resource. The
1034				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1035				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1036				usual time units ms, s, min, h and so on may be used (see
1037				L<systemd.time(7)> for
1038				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1039				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1040				implied. Also, note that the effective granularity of the limits might influence their
1041				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1042				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1043				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1044				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1045				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1046
1047				Note that most process resource limits configured with these options are per-process, and
1048				processes may fork in order to acquire a new set of resources that are accounted independently of the
1049				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1050				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1051				controls listed in
1052				L<systemd.resource-control(5)>
1053				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1054				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1055				powerful (and working) replacement for C<LimitRSS>.
1056
1057				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1058				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1059				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1060				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1061				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1062
1063				Resource limits not configured explicitly for a unit default to the value configured in the various
1064				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1065				L<systemd-system.conf(5)>, and \x{2013}
1066				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1067				services, see below).
1068
1069				For system units these resource limits may be chosen freely. When these settings are configured
1070				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1071				used to raise the limits above those set for the user manager itself when it was first invoked, as
1072				the user's service manager generally lacks the privileges to do so. In user context these
1073				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1074				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1075				available configuration mechanisms differ between operating systems, but typically require
1076				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1077				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1078				instance of C<user\@.service>. After making such changes, make sure to restart the
1079				user's service manager.",
1080				'type' => 'leaf',
1081				'value_type' => 'uniline'
1082				},
1083				'LimitRSS',
1084				{
1085				'description' => "Set soft and hard limits on various resources for executed processes. See
1086				L<setrlimit(2)> for
1087				details on the resource limit concept. Resource limits may be specified in two formats: either as
1088				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1089				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1090				Use the string C<infinity> to configure no limit on a specific resource. The
1091				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1092				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1093				usual time units ms, s, min, h and so on may be used (see
1094				L<systemd.time(7)> for
1095				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1096				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1097				implied. Also, note that the effective granularity of the limits might influence their
1098				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1099				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1100				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1101				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1102				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1103
1104				Note that most process resource limits configured with these options are per-process, and
1105				processes may fork in order to acquire a new set of resources that are accounted independently of the
1106				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1107				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1108				controls listed in
1109				L<systemd.resource-control(5)>
1110				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1111				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1112				powerful (and working) replacement for C<LimitRSS>.
1113
1114				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1115				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1116				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1117				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1118				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1119
1120				Resource limits not configured explicitly for a unit default to the value configured in the various
1121				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1122				L<systemd-system.conf(5)>, and \x{2013}
1123				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1124				services, see below).
1125
1126				For system units these resource limits may be chosen freely. When these settings are configured
1127				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1128				used to raise the limits above those set for the user manager itself when it was first invoked, as
1129				the user's service manager generally lacks the privileges to do so. In user context these
1130				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1131				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1132				available configuration mechanisms differ between operating systems, but typically require
1133				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1134				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1135				instance of C<user\@.service>. After making such changes, make sure to restart the
1136				user's service manager.",
1137				'type' => 'leaf',
1138				'value_type' => 'uniline'
1139				},
1140				'LimitNOFILE',
1141				{
1142				'description' => "Set soft and hard limits on various resources for executed processes. See
1143				L<setrlimit(2)> for
1144				details on the resource limit concept. Resource limits may be specified in two formats: either as
1145				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1146				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1147				Use the string C<infinity> to configure no limit on a specific resource. The
1148				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1149				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1150				usual time units ms, s, min, h and so on may be used (see
1151				L<systemd.time(7)> for
1152				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1153				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1154				implied. Also, note that the effective granularity of the limits might influence their
1155				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1156				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1157				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1158				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1159				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1160
1161				Note that most process resource limits configured with these options are per-process, and
1162				processes may fork in order to acquire a new set of resources that are accounted independently of the
1163				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1164				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1165				controls listed in
1166				L<systemd.resource-control(5)>
1167				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1168				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1169				powerful (and working) replacement for C<LimitRSS>.
1170
1171				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1172				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1173				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1174				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1175				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1176
1177				Resource limits not configured explicitly for a unit default to the value configured in the various
1178				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1179				L<systemd-system.conf(5)>, and \x{2013}
1180				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1181				services, see below).
1182
1183				For system units these resource limits may be chosen freely. When these settings are configured
1184				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1185				used to raise the limits above those set for the user manager itself when it was first invoked, as
1186				the user's service manager generally lacks the privileges to do so. In user context these
1187				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1188				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1189				available configuration mechanisms differ between operating systems, but typically require
1190				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1191				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1192				instance of C<user\@.service>. After making such changes, make sure to restart the
1193				user's service manager.",
1194				'type' => 'leaf',
1195				'value_type' => 'uniline'
1196				},
1197				'LimitAS',
1198				{
1199				'description' => "Set soft and hard limits on various resources for executed processes. See
1200				L<setrlimit(2)> for
1201				details on the resource limit concept. Resource limits may be specified in two formats: either as
1202				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1203				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1204				Use the string C<infinity> to configure no limit on a specific resource. The
1205				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1206				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1207				usual time units ms, s, min, h and so on may be used (see
1208				L<systemd.time(7)> for
1209				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1210				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1211				implied. Also, note that the effective granularity of the limits might influence their
1212				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1213				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1214				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1215				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1216				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1217
1218				Note that most process resource limits configured with these options are per-process, and
1219				processes may fork in order to acquire a new set of resources that are accounted independently of the
1220				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1221				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1222				controls listed in
1223				L<systemd.resource-control(5)>
1224				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1225				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1226				powerful (and working) replacement for C<LimitRSS>.
1227
1228				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1229				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1230				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1231				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1232				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1233
1234				Resource limits not configured explicitly for a unit default to the value configured in the various
1235				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1236				L<systemd-system.conf(5)>, and \x{2013}
1237				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1238				services, see below).
1239
1240				For system units these resource limits may be chosen freely. When these settings are configured
1241				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1242				used to raise the limits above those set for the user manager itself when it was first invoked, as
1243				the user's service manager generally lacks the privileges to do so. In user context these
1244				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1245				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1246				available configuration mechanisms differ between operating systems, but typically require
1247				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1248				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1249				instance of C<user\@.service>. After making such changes, make sure to restart the
1250				user's service manager.",
1251				'type' => 'leaf',
1252				'value_type' => 'uniline'
1253				},
1254				'LimitNPROC',
1255				{
1256				'description' => "Set soft and hard limits on various resources for executed processes. See
1257				L<setrlimit(2)> for
1258				details on the resource limit concept. Resource limits may be specified in two formats: either as
1259				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1260				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1261				Use the string C<infinity> to configure no limit on a specific resource. The
1262				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1263				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1264				usual time units ms, s, min, h and so on may be used (see
1265				L<systemd.time(7)> for
1266				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1267				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1268				implied. Also, note that the effective granularity of the limits might influence their
1269				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1270				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1271				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1272				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1273				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1274
1275				Note that most process resource limits configured with these options are per-process, and
1276				processes may fork in order to acquire a new set of resources that are accounted independently of the
1277				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1278				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1279				controls listed in
1280				L<systemd.resource-control(5)>
1281				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1282				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1283				powerful (and working) replacement for C<LimitRSS>.
1284
1285				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1286				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1287				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1288				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1289				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1290
1291				Resource limits not configured explicitly for a unit default to the value configured in the various
1292				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1293				L<systemd-system.conf(5)>, and \x{2013}
1294				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1295				services, see below).
1296
1297				For system units these resource limits may be chosen freely. When these settings are configured
1298				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1299				used to raise the limits above those set for the user manager itself when it was first invoked, as
1300				the user's service manager generally lacks the privileges to do so. In user context these
1301				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1302				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1303				available configuration mechanisms differ between operating systems, but typically require
1304				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1305				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1306				instance of C<user\@.service>. After making such changes, make sure to restart the
1307				user's service manager.",
1308				'type' => 'leaf',
1309				'value_type' => 'uniline'
1310				},
1311				'LimitMEMLOCK',
1312				{
1313				'description' => "Set soft and hard limits on various resources for executed processes. See
1314				L<setrlimit(2)> for
1315				details on the resource limit concept. Resource limits may be specified in two formats: either as
1316				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1317				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1318				Use the string C<infinity> to configure no limit on a specific resource. The
1319				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1320				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1321				usual time units ms, s, min, h and so on may be used (see
1322				L<systemd.time(7)> for
1323				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1324				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1325				implied. Also, note that the effective granularity of the limits might influence their
1326				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1327				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1328				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1329				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1330				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1331
1332				Note that most process resource limits configured with these options are per-process, and
1333				processes may fork in order to acquire a new set of resources that are accounted independently of the
1334				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1335				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1336				controls listed in
1337				L<systemd.resource-control(5)>
1338				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1339				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1340				powerful (and working) replacement for C<LimitRSS>.
1341
1342				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1343				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1344				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1345				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1346				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1347
1348				Resource limits not configured explicitly for a unit default to the value configured in the various
1349				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1350				L<systemd-system.conf(5)>, and \x{2013}
1351				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1352				services, see below).
1353
1354				For system units these resource limits may be chosen freely. When these settings are configured
1355				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1356				used to raise the limits above those set for the user manager itself when it was first invoked, as
1357				the user's service manager generally lacks the privileges to do so. In user context these
1358				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1359				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1360				available configuration mechanisms differ between operating systems, but typically require
1361				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1362				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1363				instance of C<user\@.service>. After making such changes, make sure to restart the
1364				user's service manager.",
1365				'type' => 'leaf',
1366				'value_type' => 'uniline'
1367				},
1368				'LimitLOCKS',
1369				{
1370				'description' => "Set soft and hard limits on various resources for executed processes. See
1371				L<setrlimit(2)> for
1372				details on the resource limit concept. Resource limits may be specified in two formats: either as
1373				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1374				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1375				Use the string C<infinity> to configure no limit on a specific resource. The
1376				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1377				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1378				usual time units ms, s, min, h and so on may be used (see
1379				L<systemd.time(7)> for
1380				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1381				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1382				implied. Also, note that the effective granularity of the limits might influence their
1383				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1384				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1385				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1386				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1387				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1388
1389				Note that most process resource limits configured with these options are per-process, and
1390				processes may fork in order to acquire a new set of resources that are accounted independently of the
1391				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1392				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1393				controls listed in
1394				L<systemd.resource-control(5)>
1395				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1396				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1397				powerful (and working) replacement for C<LimitRSS>.
1398
1399				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1400				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1401				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1402				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1403				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1404
1405				Resource limits not configured explicitly for a unit default to the value configured in the various
1406				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1407				L<systemd-system.conf(5)>, and \x{2013}
1408				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1409				services, see below).
1410
1411				For system units these resource limits may be chosen freely. When these settings are configured
1412				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1413				used to raise the limits above those set for the user manager itself when it was first invoked, as
1414				the user's service manager generally lacks the privileges to do so. In user context these
1415				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1416				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1417				available configuration mechanisms differ between operating systems, but typically require
1418				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1419				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1420				instance of C<user\@.service>. After making such changes, make sure to restart the
1421				user's service manager.",
1422				'type' => 'leaf',
1423				'value_type' => 'uniline'
1424				},
1425				'LimitSIGPENDING',
1426				{
1427				'description' => "Set soft and hard limits on various resources for executed processes. See
1428				L<setrlimit(2)> for
1429				details on the resource limit concept. Resource limits may be specified in two formats: either as
1430				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1431				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1432				Use the string C<infinity> to configure no limit on a specific resource. The
1433				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1434				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1435				usual time units ms, s, min, h and so on may be used (see
1436				L<systemd.time(7)> for
1437				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1438				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1439				implied. Also, note that the effective granularity of the limits might influence their
1440				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1441				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1442				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1443				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1444				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1445
1446				Note that most process resource limits configured with these options are per-process, and
1447				processes may fork in order to acquire a new set of resources that are accounted independently of the
1448				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1449				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1450				controls listed in
1451				L<systemd.resource-control(5)>
1452				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1453				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1454				powerful (and working) replacement for C<LimitRSS>.
1455
1456				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1457				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1458				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1459				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1460				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1461
1462				Resource limits not configured explicitly for a unit default to the value configured in the various
1463				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1464				L<systemd-system.conf(5)>, and \x{2013}
1465				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1466				services, see below).
1467
1468				For system units these resource limits may be chosen freely. When these settings are configured
1469				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1470				used to raise the limits above those set for the user manager itself when it was first invoked, as
1471				the user's service manager generally lacks the privileges to do so. In user context these
1472				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1473				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1474				available configuration mechanisms differ between operating systems, but typically require
1475				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1476				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1477				instance of C<user\@.service>. After making such changes, make sure to restart the
1478				user's service manager.",
1479				'type' => 'leaf',
1480				'value_type' => 'uniline'
1481				},
1482				'LimitMSGQUEUE',
1483				{
1484				'description' => "Set soft and hard limits on various resources for executed processes. See
1485				L<setrlimit(2)> for
1486				details on the resource limit concept. Resource limits may be specified in two formats: either as
1487				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1488				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1489				Use the string C<infinity> to configure no limit on a specific resource. The
1490				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1491				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1492				usual time units ms, s, min, h and so on may be used (see
1493				L<systemd.time(7)> for
1494				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1495				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1496				implied. Also, note that the effective granularity of the limits might influence their
1497				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1498				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1499				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1500				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1501				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1502
1503				Note that most process resource limits configured with these options are per-process, and
1504				processes may fork in order to acquire a new set of resources that are accounted independently of the
1505				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1506				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1507				controls listed in
1508				L<systemd.resource-control(5)>
1509				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1510				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1511				powerful (and working) replacement for C<LimitRSS>.
1512
1513				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1514				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1515				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1516				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1517				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1518
1519				Resource limits not configured explicitly for a unit default to the value configured in the various
1520				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1521				L<systemd-system.conf(5)>, and \x{2013}
1522				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1523				services, see below).
1524
1525				For system units these resource limits may be chosen freely. When these settings are configured
1526				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1527				used to raise the limits above those set for the user manager itself when it was first invoked, as
1528				the user's service manager generally lacks the privileges to do so. In user context these
1529				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1530				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1531				available configuration mechanisms differ between operating systems, but typically require
1532				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1533				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1534				instance of C<user\@.service>. After making such changes, make sure to restart the
1535				user's service manager.",
1536				'type' => 'leaf',
1537				'value_type' => 'uniline'
1538				},
1539				'LimitNICE',
1540				{
1541				'description' => "Set soft and hard limits on various resources for executed processes. See
1542				L<setrlimit(2)> for
1543				details on the resource limit concept. Resource limits may be specified in two formats: either as
1544				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1545				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1546				Use the string C<infinity> to configure no limit on a specific resource. The
1547				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1548				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1549				usual time units ms, s, min, h and so on may be used (see
1550				L<systemd.time(7)> for
1551				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1552				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1553				implied. Also, note that the effective granularity of the limits might influence their
1554				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1555				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1556				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1557				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1558				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1559
1560				Note that most process resource limits configured with these options are per-process, and
1561				processes may fork in order to acquire a new set of resources that are accounted independently of the
1562				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1563				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1564				controls listed in
1565				L<systemd.resource-control(5)>
1566				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1567				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1568				powerful (and working) replacement for C<LimitRSS>.
1569
1570				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1571				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1572				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1573				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1574				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1575
1576				Resource limits not configured explicitly for a unit default to the value configured in the various
1577				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1578				L<systemd-system.conf(5)>, and \x{2013}
1579				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1580				services, see below).
1581
1582				For system units these resource limits may be chosen freely. When these settings are configured
1583				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1584				used to raise the limits above those set for the user manager itself when it was first invoked, as
1585				the user's service manager generally lacks the privileges to do so. In user context these
1586				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1587				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1588				available configuration mechanisms differ between operating systems, but typically require
1589				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1590				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1591				instance of C<user\@.service>. After making such changes, make sure to restart the
1592				user's service manager.",
1593				'type' => 'leaf',
1594				'value_type' => 'uniline'
1595				},
1596				'LimitRTPRIO',
1597				{
1598				'description' => "Set soft and hard limits on various resources for executed processes. See
1599				L<setrlimit(2)> for
1600				details on the resource limit concept. Resource limits may be specified in two formats: either as
1601				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1602				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1603				Use the string C<infinity> to configure no limit on a specific resource. The
1604				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1605				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1606				usual time units ms, s, min, h and so on may be used (see
1607				L<systemd.time(7)> for
1608				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1609				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1610				implied. Also, note that the effective granularity of the limits might influence their
1611				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1612				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1613				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1614				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1615				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1616
1617				Note that most process resource limits configured with these options are per-process, and
1618				processes may fork in order to acquire a new set of resources that are accounted independently of the
1619				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1620				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1621				controls listed in
1622				L<systemd.resource-control(5)>
1623				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1624				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1625				powerful (and working) replacement for C<LimitRSS>.
1626
1627				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1628				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1629				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1630				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1631				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1632
1633				Resource limits not configured explicitly for a unit default to the value configured in the various
1634				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1635				L<systemd-system.conf(5)>, and \x{2013}
1636				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1637				services, see below).
1638
1639				For system units these resource limits may be chosen freely. When these settings are configured
1640				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1641				used to raise the limits above those set for the user manager itself when it was first invoked, as
1642				the user's service manager generally lacks the privileges to do so. In user context these
1643				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1644				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1645				available configuration mechanisms differ between operating systems, but typically require
1646				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1647				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1648				instance of C<user\@.service>. After making such changes, make sure to restart the
1649				user's service manager.",
1650				'type' => 'leaf',
1651				'value_type' => 'uniline'
1652				},
1653				'LimitRTTIME',
1654				{
1655				'description' => "Set soft and hard limits on various resources for executed processes. See
1656				L<setrlimit(2)> for
1657				details on the resource limit concept. Resource limits may be specified in two formats: either as
1658				single value to set a specific soft and hard limit to the same value, or as colon-separated pair
1659				C<soft:hard> to set both limits individually (e.g. C<LimitAS=4G:16G>).
1660				Use the string C<infinity> to configure no limit on a specific resource. The
1661				multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
1662				measured in bytes (e.g. C<LimitAS=16G>). For the limits referring to time values, the
1663				usual time units ms, s, min, h and so on may be used (see
1664				L<systemd.time(7)> for
1665				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1666				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1667				implied. Also, note that the effective granularity of the limits might influence their
1668				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1669				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1670				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1671				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1672				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1673
1674				Note that most process resource limits configured with these options are per-process, and
1675				processes may fork in order to acquire a new set of resources that are accounted independently of the
1676				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1677				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1678				controls listed in
1679				L<systemd.resource-control(5)>
1680				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1681				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1682				powerful (and working) replacement for C<LimitRSS>.
1683
1684				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1685				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1686				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1687				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1688				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1689
1690				Resource limits not configured explicitly for a unit default to the value configured in the various
1691				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1692				L<systemd-system.conf(5)>, and \x{2013}
1693				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1694				services, see below).
1695
1696				For system units these resource limits may be chosen freely. When these settings are configured
1697				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1698				used to raise the limits above those set for the user manager itself when it was first invoked, as
1699				the user's service manager generally lacks the privileges to do so. In user context these
1700				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1701				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1702				available configuration mechanisms differ between operating systems, but typically require
1703				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1704				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1705				instance of C<user\@.service>. After making such changes, make sure to restart the
1706				user's service manager.",
1707				'type' => 'leaf',
1708				'value_type' => 'uniline'
1709				},
1710				'UMask',
1711				{
1712				'description' => "Controls the file mode creation mask. Takes an access mode in octal notation. See
1713				L<umask(2)> for
1714				details. Defaults to 0022 for system units. For user units the default value is inherited from the
1715				per-user service manager (whose default is in turn inherited from the system service manager, and
1716				thus typically also is 0022 \x{2014} unless overridden by a PAM module). In order to change the per-user mask
1717				for all user services, consider setting the C<UMask> setting of the user's
1718				C<user\@.service> system service instance. The per-user umask may also be set via
1719				the C<umask> field of a user's L<JSON User
1720				Record\|https://systemd.io/USER_RECORD> (for users managed by
1721				L<systemd-homed.service(8)>
1722				this field may be controlled via homectl --umask=). It may also be set via a PAM
1723				module, such as L<pam_umask(8)>.",
1724				'type' => 'leaf',
1725				'value_type' => 'uniline'
1726				},
1727				'CoredumpFilter',
1728				{
1729				'description' => 'Controls which types of memory mappings will be saved if the process dumps core
1730				(using the C</proc/pid/coredump_filter> file). Takes a
1731				whitespace-separated combination of mapping type names or numbers (with the default base 16). Mapping
1732				type names are C<private-anonymous>, C<shared-anonymous>,
1733				C<private-file-backed>, C<shared-file-backed>,
1734				C<elf-headers>, C<private-huge>,
1735				C<shared-huge>, C<private-dax>, C<shared-dax>,
1736				and the special values C<all> (all types) and C<default> (the
1737				kernel default of C<C<private-anonymous>C<shared-anonymous> C<elf-headers>C<private-huge>>). See
1738				L<core(5)>
1739				for the meaning of the mapping types. When specified multiple times, all specified masks are
1740				ORed. When not set, or if the empty value is assigned, the inherited value is not changed.',
1741				'type' => 'leaf',
1742				'value_type' => 'uniline'
1743				},
1744				'KeyringMode',
1745				{
1746				'choice' => [
1747				'inherit',
1748				'private',
1749				'shared'
1750				],
1751				'description' => 'Controls how the kernel session keyring is set up for the service (see L<session-keyring(7)> for
1752				details on the session keyring). Takes one of C<inherit>, C<private>,
1753				C<shared>. If set to C<inherit> no special keyring setup is done, and the kernel\'s
1754				default behaviour is applied. If C<private> is used a new session keyring is allocated when a
1755				service process is invoked, and it is not linked up with any user keyring. This is the recommended setting for
1756				system services, as this ensures that multiple services running under the same system user ID (in particular
1757				the root user) do not share their key material among each other. If C<shared> is used a new
1758				session keyring is allocated as for C<private>, but the user keyring of the user configured with
1759				C<User> is linked into it, so that keys assigned to the user may be requested by the unit\'s
1760				processes. In this modes multiple units running processes under the same user ID may share key material. Unless
1761				C<inherit> is selected the unique invocation ID for the unit (see below) is added as a protected
1762				key by the name C<invocation_id> to the newly created session keyring. Defaults to
1763				C<private> for services of the system service manager and to C<inherit> for
1764				non-service units and for services of the user service manager.',
1765				'type' => 'leaf',
1766				'value_type' => 'enum'
1767				},
1768				'OOMScoreAdjust',
1769				{
1770				'description' => 'Sets the adjustment value for the Linux kernel\'s Out-Of-Memory (OOM) killer score for
1771				executed processes. Takes an integer between -1000 (to disable OOM killing of processes of this unit)
1772				and 1000 (to make killing of processes of this unit under memory pressure very likely). See L<proc.txt\|https://www.kernel.org/doc/Documentation/filesystems/proc.txt> for details. If
1773				not specified defaults to the OOM score adjustment level of the service manager itself, which is
1774				normally at 0.
1775
1776				Use the C<OOMPolicy> setting of service units to configure how the service
1777				manager shall react to the kernel OOM killer or systemd-oomd terminating a process of the service. See
1778				L<systemd.service(5)>
1779				for details.',
1780				'max' => '1000',
1781				'min' => '-1000',
1782				'type' => 'leaf',
1783				'value_type' => 'integer'
1784				},
1785				'TimerSlackNSec',
1786				{
1787				'description' => 'Sets the timer slack in nanoseconds for the executed processes. The timer slack controls the
1788				accuracy of wake-ups triggered by timers. See
1789				L<prctl(2)> for more
1790				information. Note that in contrast to most other time span definitions this parameter takes an integer value in
1791				nano-seconds if no unit is specified. The usual time units are understood too.',
1792				'type' => 'leaf',
1793				'value_type' => 'uniline'
1794				},
1795				'Personality',
1796				{
1797				'choice' => [
1798				'x86',
1799				'x86-64',
1800				'ppc',
1801				'ppc-le',
1802				'ppc64',
1803				'ppc64-le',
1804				's390',
1805				's390x'
1806				],
1807				'description' => 'Controls which kernel architecture L<uname(2)> shall report,
1808				when invoked by unit processes. Takes one of the architecture identifiers C<x86>,
1809				C<x86-64>, C<ppc>, C<ppc-le>, C<ppc64>,
1810				C<ppc64-le>, C<s390> or C<s390x>. Which personality
1811				architectures are supported depends on the system architecture. Usually the 64bit versions of the various
1812				system architectures support their immediate 32bit personality architecture counterpart, but no others. For
1813				example, C<x86-64> systems support the C<x86-64> and
1814				C<x86> personalities but no others. The personality feature is useful when running 32-bit
1815				services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
1816				personality of the host system\'s kernel.',
1817				'type' => 'leaf',
1818				'value_type' => 'enum'
1819				},
1820				'IgnoreSIGPIPE',
1821				{
1822				'description' => 'Takes a boolean argument. If true, causes C<SIGPIPE> to be ignored in the
1823				executed process. Defaults to true because C<SIGPIPE> generally is useful only in shell
1824				pipelines.',
1825				'type' => 'leaf',
1826				'value_type' => 'boolean',
1827				'write_as' => [
1828				'no',
1829				'yes'
1830				]
1831				},
1832				'Nice',
1833				{
1834				'description' => 'Sets the default nice level (scheduling priority) for executed processes. Takes an
1835				integer between -20 (highest priority) and 19 (lowest priority). In case of resource contention,
1836				smaller values mean more resources will be made available to the unit\'s processes, larger values mean
1837				less resources will be made available. See
1838				L<setpriority(2)> for
1839				details.',
1840				'max' => '19',
1841				'min' => '-20',
1842				'type' => 'leaf',
1843				'value_type' => 'integer'
1844				},
1845				'CPUSchedulingPolicy',
1846				{
1847				'choice' => [
1848				'other',
1849				'batch',
1850				'idle',
1851				'fifo',
1852				'rr'
1853				],
1854				'description' => 'Sets the CPU scheduling policy for executed processes. Takes one of C<other>,
1855				C<batch>, C<idle>, C<fifo> or C<rr>. See
1856				L<sched_setscheduler(2)> for
1857				details.',
1858				'type' => 'leaf',
1859				'value_type' => 'enum'
1860				},
1861				'CPUSchedulingPriority',
1862				{
1863				'description' => 'Sets the CPU scheduling priority for executed processes. The available priority range
1864				depends on the selected CPU scheduling policy (see above). For real-time scheduling policies an
1865				integer between 1 (lowest priority) and 99 (highest priority) can be used. In case of CPU resource
1866				contention, smaller values mean less CPU time is made available to the service, larger values mean
1867				more. See L<sched_setscheduler(2)>
1868				for details.',
1869				'type' => 'leaf',
1870				'value_type' => 'uniline'
1871				},
1872				'CPUSchedulingResetOnFork',
1873				{
1874				'description' => 'Takes a boolean argument. If true, elevated CPU scheduling priorities and policies
1875				will be reset when the executed processes call
1876				L<fork(2)>,
1877				and can hence not leak into child processes. See
1878				L<sched_setscheduler(2)>
1879				for details. Defaults to false.',
1880				'type' => 'leaf',
1881				'value_type' => 'boolean',
1882				'write_as' => [
1883				'no',
1884				'yes'
1885				]
1886				},
1887				'CPUAffinity',
1888				{
1889				'cargo' => {
1890				'type' => 'leaf',
1891				'value_type' => 'uniline'
1892				},
1893				'description' => 'Controls the CPU affinity of the executed processes. Takes a list of CPU indices or ranges
1894				separated by either whitespace or commas. Alternatively, takes a special "numa" value in which case systemd
1895				automatically derives allowed CPU range based on the value of C<NUMAMask> option. CPU ranges
1896				are specified by the lower and upper CPU indices separated by a dash. This option may be specified more than
1897				once, in which case the specified CPU affinity masks are merged. If the empty string is assigned, the mask
1898				is reset, all assignments prior to this will have no effect. See
1899				L<sched_setaffinity(2)> for
1900				details.',
1901				'type' => 'list'
1902				},
1903				'NUMAPolicy',
1904				{
1905				'description' => 'Controls the NUMA memory policy of the executed processes. Takes a policy type, one of:
1906				C<default>, C<preferred>, C<bind>, C<interleave> and
1907				C<local>. A list of NUMA nodes that should be associated with the policy must be specified
1908				in C<NUMAMask>. For more details on each policy please see,
1909				L<set_mempolicy(2)>. For overall
1910				overview of NUMA support in Linux see,
1911				L<numa(7)>.
1912				',
1913				'type' => 'leaf',
1914				'value_type' => 'uniline'
1915				},
1916				'NUMAMask',
1917				{
1918				'description' => 'Controls the NUMA node list which will be applied alongside with selected NUMA policy.
1919				Takes a list of NUMA nodes and has the same syntax as a list of CPUs for C<CPUAffinity>
1920				option or special "all" value which will include all available NUMA nodes in the mask. Note that the list
1921				of NUMA nodes is not required for C<default> and C<local>
1922				policies and for C<preferred> policy we expect a single NUMA node.',
1923				'type' => 'leaf',
1924				'value_type' => 'uniline'
1925				},
1926				'IOSchedulingClass',
1927				{
1928				'choice' => [
1929				'0',
1930				'1',
1931				'2',
1932				'3',
1933				'none',
1934				'realtime',
1935				'best-effort',
1936				'idle'
1937				],
1938				'description' => 'Sets the I/O scheduling class for executed processes. Takes one of the strings
1939				C<realtime>, C<best-effort> or C<idle>. The kernel\'s
1940				default scheduling class is C<best-effort> at a priority of 4. If the empty string is
1941				assigned to this option, all prior assignments to both C<IOSchedulingClass> and
1942				C<IOSchedulingPriority> have no effect. See
1943				L<ioprio_set(2)> for
1944				details.',
1945				'type' => 'leaf',
1946				'value_type' => 'enum'
1947				},
1948				'IOSchedulingPriority',
1949				{
1950				'description' => 'Sets the I/O scheduling priority for executed processes. Takes an integer between 0
1951				(highest priority) and 7 (lowest priority). In case of I/O contention, smaller values mean more I/O
1952				bandwidth is made available to the unit\'s processes, larger values mean less bandwidth. The available
1953				priorities depend on the selected I/O scheduling class (see above). If the empty string is assigned
1954				to this option, all prior assignments to both C<IOSchedulingClass> and
1955				C<IOSchedulingPriority> have no effect. For the kernel\'s default scheduling class
1956				(C<best-effort>) this defaults to 4. See
1957				L<ioprio_set(2)> for
1958				details.',
1959				'max' => '7',
1960				'min' => '0',
1961				'type' => 'leaf',
1962				'upstream_default' => '4',
1963				'value_type' => 'integer'
1964				},
1965				'ProtectSystem',
1966				{
1967				'choice' => [
1968				'no',
1969				'yes',
1970				'full',
1971				'strict'
1972				],
1973				'description' => 'Takes a boolean argument or the special values C<full> or
1974				C<strict>. If true, mounts the C</usr/> and the boot loader
1975				directories (C</boot> and C</efi>) read-only for processes
1976				invoked by this unit. If set to C<full>, the C</etc/> directory is
1977				mounted read-only, too. If set to C<strict> the entire file system hierarchy is
1978				mounted read-only, except for the API file system subtrees C</dev/>,
1979				C</proc/> and C</sys/> (protect these directories using
1980				C<PrivateDevices>, C<ProtectKernelTunables>,
1981				C<ProtectControlGroups>). This setting ensures that any modification of the vendor-supplied
1982				operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is
1983				recommended to enable this setting for all long-running services, unless they are involved with system updates
1984				or need to modify the operating system in other ways. If this option is used,
1985				C<ReadWritePaths> may be used to exclude specific directories from being made read-only. This
1986				setting is implied if C<DynamicUser> is set. This setting cannot ensure protection in all
1987				cases. In general it has the same limitations as C<ReadOnlyPaths>, see below. Defaults to
1988				off.',
1989				'replace' => {
1990				'0' => 'no',
1991				'1' => 'yes',
1992				'false' => 'no',
1993				'true' => 'yes'
1994				},
1995				'type' => 'leaf',
1996				'value_type' => 'enum'
1997				},
1998				'ProtectHome',
1999				{
2000				'choice' => [
2001				'no',
2002				'yes',
2003				'read-only',
2004				'tmpfs'
2005				],
2006				'description' => 'Takes a boolean argument or the special values C<read-only> or
2007				C<tmpfs>. If true, the directories C</home/>,
2008				C</root>, and C</run/user> are made inaccessible and empty for
2009				processes invoked by this unit. If set to C<read-only>, the three directories are
2010				made read-only instead. If set to C<tmpfs>, temporary file systems are mounted on the
2011				three directories in read-only mode. The value C<tmpfs> is useful to hide home
2012				directories not relevant to the processes invoked by the unit, while still allowing necessary
2013				directories to be made visible when listed in C<BindPaths> or
2014				C<BindReadOnlyPaths>.
2015
2016				Setting this to C<yes> is mostly equivalent to set the three directories in
2017				C<InaccessiblePaths>. Similarly, C<read-only> is mostly equivalent to
2018				C<ReadOnlyPaths>, and C<tmpfs> is mostly equivalent to
2019				C<TemporaryFileSystem> with C<:ro>.
2020
2021				It is recommended to enable this setting for all long-running services (in particular
2022				network-facing ones), to ensure they cannot get access to private user data, unless the services
2023				actually require access to the user\'s private data. This setting is implied if
2024				C<DynamicUser> is set. This setting cannot ensure protection in all cases. In
2025				general it has the same limitations as C<ReadOnlyPaths>, see below.',
2026				'replace' => {
2027				'0' => 'no',
2028				'1' => 'yes',
2029				'false' => 'no',
2030				'true' => 'yes'
2031				},
2032				'type' => 'leaf',
2033				'value_type' => 'enum'
2034				},
2035				'RuntimeDirectory',
2036				{
2037				'description' => 'These options take a whitespace-separated list of directory names. The specified
2038				directory names must be relative, and may not include C<..>. If set, when the unit is
2039				started, one or more directories by the specified names will be created (including their parents)
2040				below the locations defined in the following table. Also, the corresponding environment variable will
2041				be defined with the full paths of the directories. If multiple directories are set, then in the
2042				environment variable the paths are concatenated with colon (C<:>).
2043
2044				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2045				the unit is stopped. It is possible to preserve the specified directories in this case if
2046				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2047				C<yes> (see below). The directories specified with C<StateDirectory>,
2048				C<CacheDirectory>, C<LogsDirectory>,
2049				C<ConfigurationDirectory> are not removed when the unit is stopped.
2050
2051				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2052				owned by the user and group specified in C<User> and C<Group>. If the
2053				specified directories already exist and their owning user or group do not match the configured ones, all files
2054				and directories below the specified directories as well as the directories themselves will have their file
2055				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2056				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2057				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2058				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2059				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2060				C<ConfigurationDirectoryMode>.
2061
2062				These options imply C<BindPaths> for the specified paths. When combined with
2063				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2064				are mounted from there into the unit\'s file system namespace.
2065
2066				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2067				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2068				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2069				respectively, which are host directories made inaccessible to
2070				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2071				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2072				perspective of the host and from inside the unit, the relevant directories hence always appear
2073				directly below C</var/cache>, C</var/log> and
2074				C</var/lib>.
2075
2076				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2077				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2078				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2079				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2080				configuration or lifetime guarantees, please consider using
2081				L<tmpfiles.d(5)>.
2082
2083				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2084				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2085				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2086				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2087				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2088				using the same first parameter, but a different second parameter.',
2089				'type' => 'leaf',
2090				'value_type' => 'uniline'
2091				},
2092				'StateDirectory',
2093				{
2094				'description' => 'These options take a whitespace-separated list of directory names. The specified
2095				directory names must be relative, and may not include C<..>. If set, when the unit is
2096				started, one or more directories by the specified names will be created (including their parents)
2097				below the locations defined in the following table. Also, the corresponding environment variable will
2098				be defined with the full paths of the directories. If multiple directories are set, then in the
2099				environment variable the paths are concatenated with colon (C<:>).
2100
2101				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2102				the unit is stopped. It is possible to preserve the specified directories in this case if
2103				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2104				C<yes> (see below). The directories specified with C<StateDirectory>,
2105				C<CacheDirectory>, C<LogsDirectory>,
2106				C<ConfigurationDirectory> are not removed when the unit is stopped.
2107
2108				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2109				owned by the user and group specified in C<User> and C<Group>. If the
2110				specified directories already exist and their owning user or group do not match the configured ones, all files
2111				and directories below the specified directories as well as the directories themselves will have their file
2112				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2113				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2114				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2115				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2116				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2117				C<ConfigurationDirectoryMode>.
2118
2119				These options imply C<BindPaths> for the specified paths. When combined with
2120				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2121				are mounted from there into the unit\'s file system namespace.
2122
2123				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2124				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2125				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2126				respectively, which are host directories made inaccessible to
2127				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2128				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2129				perspective of the host and from inside the unit, the relevant directories hence always appear
2130				directly below C</var/cache>, C</var/log> and
2131				C</var/lib>.
2132
2133				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2134				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2135				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2136				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2137				configuration or lifetime guarantees, please consider using
2138				L<tmpfiles.d(5)>.
2139
2140				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2141				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2142				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2143				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2144				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2145				using the same first parameter, but a different second parameter.',
2146				'type' => 'leaf',
2147				'value_type' => 'uniline'
2148				},
2149				'CacheDirectory',
2150				{
2151				'description' => 'These options take a whitespace-separated list of directory names. The specified
2152				directory names must be relative, and may not include C<..>. If set, when the unit is
2153				started, one or more directories by the specified names will be created (including their parents)
2154				below the locations defined in the following table. Also, the corresponding environment variable will
2155				be defined with the full paths of the directories. If multiple directories are set, then in the
2156				environment variable the paths are concatenated with colon (C<:>).
2157
2158				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2159				the unit is stopped. It is possible to preserve the specified directories in this case if
2160				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2161				C<yes> (see below). The directories specified with C<StateDirectory>,
2162				C<CacheDirectory>, C<LogsDirectory>,
2163				C<ConfigurationDirectory> are not removed when the unit is stopped.
2164
2165				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2166				owned by the user and group specified in C<User> and C<Group>. If the
2167				specified directories already exist and their owning user or group do not match the configured ones, all files
2168				and directories below the specified directories as well as the directories themselves will have their file
2169				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2170				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2171				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2172				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2173				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2174				C<ConfigurationDirectoryMode>.
2175
2176				These options imply C<BindPaths> for the specified paths. When combined with
2177				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2178				are mounted from there into the unit\'s file system namespace.
2179
2180				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2181				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2182				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2183				respectively, which are host directories made inaccessible to
2184				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2185				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2186				perspective of the host and from inside the unit, the relevant directories hence always appear
2187				directly below C</var/cache>, C</var/log> and
2188				C</var/lib>.
2189
2190				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2191				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2192				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2193				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2194				configuration or lifetime guarantees, please consider using
2195				L<tmpfiles.d(5)>.
2196
2197				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2198				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2199				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2200				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2201				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2202				using the same first parameter, but a different second parameter.',
2203				'type' => 'leaf',
2204				'value_type' => 'uniline'
2205				},
2206				'LogsDirectory',
2207				{
2208				'description' => 'These options take a whitespace-separated list of directory names. The specified
2209				directory names must be relative, and may not include C<..>. If set, when the unit is
2210				started, one or more directories by the specified names will be created (including their parents)
2211				below the locations defined in the following table. Also, the corresponding environment variable will
2212				be defined with the full paths of the directories. If multiple directories are set, then in the
2213				environment variable the paths are concatenated with colon (C<:>).
2214
2215				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2216				the unit is stopped. It is possible to preserve the specified directories in this case if
2217				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2218				C<yes> (see below). The directories specified with C<StateDirectory>,
2219				C<CacheDirectory>, C<LogsDirectory>,
2220				C<ConfigurationDirectory> are not removed when the unit is stopped.
2221
2222				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2223				owned by the user and group specified in C<User> and C<Group>. If the
2224				specified directories already exist and their owning user or group do not match the configured ones, all files
2225				and directories below the specified directories as well as the directories themselves will have their file
2226				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2227				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2228				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2229				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2230				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2231				C<ConfigurationDirectoryMode>.
2232
2233				These options imply C<BindPaths> for the specified paths. When combined with
2234				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2235				are mounted from there into the unit\'s file system namespace.
2236
2237				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2238				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2239				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2240				respectively, which are host directories made inaccessible to
2241				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2242				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2243				perspective of the host and from inside the unit, the relevant directories hence always appear
2244				directly below C</var/cache>, C</var/log> and
2245				C</var/lib>.
2246
2247				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2248				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2249				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2250				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2251				configuration or lifetime guarantees, please consider using
2252				L<tmpfiles.d(5)>.
2253
2254				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2255				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2256				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2257				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2258				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2259				using the same first parameter, but a different second parameter.',
2260				'type' => 'leaf',
2261				'value_type' => 'uniline'
2262				},
2263				'ConfigurationDirectory',
2264				{
2265				'description' => 'These options take a whitespace-separated list of directory names. The specified
2266				directory names must be relative, and may not include C<..>. If set, when the unit is
2267				started, one or more directories by the specified names will be created (including their parents)
2268				below the locations defined in the following table. Also, the corresponding environment variable will
2269				be defined with the full paths of the directories. If multiple directories are set, then in the
2270				environment variable the paths are concatenated with colon (C<:>).
2271
2272				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2273				the unit is stopped. It is possible to preserve the specified directories in this case if
2274				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2275				C<yes> (see below). The directories specified with C<StateDirectory>,
2276				C<CacheDirectory>, C<LogsDirectory>,
2277				C<ConfigurationDirectory> are not removed when the unit is stopped.
2278
2279				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2280				owned by the user and group specified in C<User> and C<Group>. If the
2281				specified directories already exist and their owning user or group do not match the configured ones, all files
2282				and directories below the specified directories as well as the directories themselves will have their file
2283				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2284				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2285				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2286				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2287				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2288				C<ConfigurationDirectoryMode>.
2289
2290				These options imply C<BindPaths> for the specified paths. When combined with
2291				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2292				are mounted from there into the unit\'s file system namespace.
2293
2294				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2295				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2296				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2297				respectively, which are host directories made inaccessible to
2298				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2299				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2300				perspective of the host and from inside the unit, the relevant directories hence always appear
2301				directly below C</var/cache>, C</var/log> and
2302				C</var/lib>.
2303
2304				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2305				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2306				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2307				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2308				configuration or lifetime guarantees, please consider using
2309				L<tmpfiles.d(5)>.
2310
2311				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2312				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2313				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2314				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2315				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2316				using the same first parameter, but a different second parameter.',
2317				'type' => 'leaf',
2318				'value_type' => 'uniline'
2319				},
2320				'RuntimeDirectoryMode',
2321				{
2322				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2323				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2324				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2325				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2326				discussion of the meaning of permission bits.',
2327				'type' => 'leaf',
2328				'value_type' => 'uniline'
2329				},
2330				'StateDirectoryMode',
2331				{
2332				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2333				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2334				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2335				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2336				discussion of the meaning of permission bits.',
2337				'type' => 'leaf',
2338				'value_type' => 'uniline'
2339				},
2340				'CacheDirectoryMode',
2341				{
2342				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2343				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2344				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2345				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2346				discussion of the meaning of permission bits.',
2347				'type' => 'leaf',
2348				'value_type' => 'uniline'
2349				},
2350				'LogsDirectoryMode',
2351				{
2352				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2353				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2354				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2355				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2356				discussion of the meaning of permission bits.',
2357				'type' => 'leaf',
2358				'value_type' => 'uniline'
2359				},
2360				'ConfigurationDirectoryMode',
2361				{
2362				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2363				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2364				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2365				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2366				discussion of the meaning of permission bits.',
2367				'type' => 'leaf',
2368				'value_type' => 'uniline'
2369				},
2370				'RuntimeDirectoryPreserve',
2371				{
2372				'choice' => [
2373				'no',
2374				'yes',
2375				'restart'
2376				],
2377				'description' => 'Takes a boolean argument or C<restart>. If set to C<no> (the
2378				default), the directories specified in C<RuntimeDirectory> are always removed when the service
2379				stops. If set to C<restart> the directories are preserved when the service is both automatically
2380				and manually restarted. Here, the automatic restart means the operation specified in
2381				C<Restart>, and manual restart means the one triggered by systemctl restart
2382				foo.service. If set to C<yes>, then the directories are not removed when the service is
2383				stopped. Note that since the runtime directory C</run/> is a mount point of
2384				C<tmpfs>, then for system services the directories specified in
2385				C<RuntimeDirectory> are removed when the system is rebooted.',
2386				'replace' => {
2387				'0' => 'no',
2388				'1' => 'yes',
2389				'false' => 'no',
2390				'true' => 'yes'
2391				},
2392				'type' => 'leaf',
2393				'value_type' => 'enum'
2394				},
2395				'TimeoutCleanSec',
2396				{
2397				'description' => "Configures a timeout on the clean-up operation requested through systemctl
2398				clean \x{2026}, see
2399				L<systemctl(1)> for
2400				details. Takes the usual time values and defaults to C<infinity>, i.e. by default
2401				no timeout is applied. If a timeout is configured the clean operation will be aborted forcibly when
2402				the timeout is reached, potentially leaving resources on disk.",
2403				'type' => 'leaf',
2404				'value_type' => 'uniline'
2405				},
2406				'ReadWritePaths',
2407				{
2408				'cargo' => {
2409				'type' => 'leaf',
2410				'value_type' => 'uniline'
2411				},
2412				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2413				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2414				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2415				paths contain symlinks, they are resolved relative to the root directory set with
2416				C<RootDirectory>/C<RootImage>.
2417
2418				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2419				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2420				are accessible for reading only, writing will be refused even if the usual file access controls would
2421				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2422				order to provide writable subdirectories within read-only directories. Use
2423				C<ReadWritePaths> in order to allow-list specific paths for write access if
2424				C<ProtectSystem=strict> is used.
2425
2426				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2427				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2428				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2429				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2430				see C<TemporaryFileSystem>.
2431
2432				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2433				file access controls would permit this. Nest C<ExecPaths> inside of
2434				C<NoExecPaths> in order to provide executable content within non-executable
2435				directories.
2436
2437				Non-directory paths may be specified as well. These options may be specified more than once,
2438				in which case all paths listed will have limited access from within the namespace. If the empty string is
2439				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2440
2441				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2442				C<InaccessiblePaths>, C<ExecPaths> and
2443				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2444				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2445				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2446				instead of relative to the root directory of the host (see above). When combining C<-> and
2447				C<+> on the same path make sure to specify C<-> first, and C<+>
2448				second.
2449
2450				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2451				host. This means that this setting may not be used for services which shall be able to install mount points in
2452				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>
2453				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2454				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2455				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2456				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2457				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2458				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2459				setting is not complete, and does not offer full protection.
2460
2461				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2462				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2463				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2464				C<SystemCallFilter=~@mount>.
2465
2466				Simple allow-list example using these directives:
2467
2468				[Service]
2469				ReadOnlyPaths=/
2470				ReadWritePaths=/var /run
2471				InaccessiblePaths=-/lost+found
2472				NoExecPaths=/
2473				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2474
2475				',
2476				'type' => 'list'
2477				},
2478				'ReadOnlyPaths',
2479				{
2480				'cargo' => {
2481				'type' => 'leaf',
2482				'value_type' => 'uniline'
2483				},
2484				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2485				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2486				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2487				paths contain symlinks, they are resolved relative to the root directory set with
2488				C<RootDirectory>/C<RootImage>.
2489
2490				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2491				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2492				are accessible for reading only, writing will be refused even if the usual file access controls would
2493				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2494				order to provide writable subdirectories within read-only directories. Use
2495				C<ReadWritePaths> in order to allow-list specific paths for write access if
2496				C<ProtectSystem=strict> is used.
2497
2498				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2499				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2500				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2501				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2502				see C<TemporaryFileSystem>.
2503
2504				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2505				file access controls would permit this. Nest C<ExecPaths> inside of
2506				C<NoExecPaths> in order to provide executable content within non-executable
2507				directories.
2508
2509				Non-directory paths may be specified as well. These options may be specified more than once,
2510				in which case all paths listed will have limited access from within the namespace. If the empty string is
2511				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2512
2513				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2514				C<InaccessiblePaths>, C<ExecPaths> and
2515				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2516				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2517				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2518				instead of relative to the root directory of the host (see above). When combining C<-> and
2519				C<+> on the same path make sure to specify C<-> first, and C<+>
2520				second.
2521
2522				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2523				host. This means that this setting may not be used for services which shall be able to install mount points in
2524				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>
2525				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2526				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2527				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2528				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2529				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2530				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2531				setting is not complete, and does not offer full protection.
2532
2533				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2534				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2535				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2536				C<SystemCallFilter=~@mount>.
2537
2538				Simple allow-list example using these directives:
2539
2540				[Service]
2541				ReadOnlyPaths=/
2542				ReadWritePaths=/var /run
2543				InaccessiblePaths=-/lost+found
2544				NoExecPaths=/
2545				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2546
2547				',
2548				'type' => 'list'
2549				},
2550				'InaccessiblePaths',
2551				{
2552				'cargo' => {
2553				'type' => 'leaf',
2554				'value_type' => 'uniline'
2555				},
2556				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2557				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2558				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2559				paths contain symlinks, they are resolved relative to the root directory set with
2560				C<RootDirectory>/C<RootImage>.
2561
2562				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2563				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2564				are accessible for reading only, writing will be refused even if the usual file access controls would
2565				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2566				order to provide writable subdirectories within read-only directories. Use
2567				C<ReadWritePaths> in order to allow-list specific paths for write access if
2568				C<ProtectSystem=strict> is used.
2569
2570				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2571				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2572				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2573				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2574				see C<TemporaryFileSystem>.
2575
2576				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2577				file access controls would permit this. Nest C<ExecPaths> inside of
2578				C<NoExecPaths> in order to provide executable content within non-executable
2579				directories.
2580
2581				Non-directory paths may be specified as well. These options may be specified more than once,
2582				in which case all paths listed will have limited access from within the namespace. If the empty string is
2583				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2584
2585				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2586				C<InaccessiblePaths>, C<ExecPaths> and
2587				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2588				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2589				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2590				instead of relative to the root directory of the host (see above). When combining C<-> and
2591				C<+> on the same path make sure to specify C<-> first, and C<+>
2592				second.
2593
2594				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2595				host. This means that this setting may not be used for services which shall be able to install mount points in
2596				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>
2597				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2598				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2599				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2600				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2601				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2602				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2603				setting is not complete, and does not offer full protection.
2604
2605				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2606				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2607				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2608				C<SystemCallFilter=~@mount>.
2609
2610				Simple allow-list example using these directives:
2611
2612				[Service]
2613				ReadOnlyPaths=/
2614				ReadWritePaths=/var /run
2615				InaccessiblePaths=-/lost+found
2616				NoExecPaths=/
2617				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2618
2619				',
2620				'type' => 'list'
2621				},
2622				'ExecPaths',
2623				{
2624				'cargo' => {
2625				'type' => 'leaf',
2626				'value_type' => 'uniline'
2627				},
2628				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2629				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2630				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2631				paths contain symlinks, they are resolved relative to the root directory set with
2632				C<RootDirectory>/C<RootImage>.
2633
2634				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2635				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2636				are accessible for reading only, writing will be refused even if the usual file access controls would
2637				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2638				order to provide writable subdirectories within read-only directories. Use
2639				C<ReadWritePaths> in order to allow-list specific paths for write access if
2640				C<ProtectSystem=strict> is used.
2641
2642				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2643				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2644				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2645				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2646				see C<TemporaryFileSystem>.
2647
2648				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2649				file access controls would permit this. Nest C<ExecPaths> inside of
2650				C<NoExecPaths> in order to provide executable content within non-executable
2651				directories.
2652
2653				Non-directory paths may be specified as well. These options may be specified more than once,
2654				in which case all paths listed will have limited access from within the namespace. If the empty string is
2655				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2656
2657				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2658				C<InaccessiblePaths>, C<ExecPaths> and
2659				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2660				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2661				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2662				instead of relative to the root directory of the host (see above). When combining C<-> and
2663				C<+> on the same path make sure to specify C<-> first, and C<+>
2664				second.
2665
2666				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2667				host. This means that this setting may not be used for services which shall be able to install mount points in
2668				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>
2669				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2670				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2671				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2672				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2673				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2674				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2675				setting is not complete, and does not offer full protection.
2676
2677				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2678				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2679				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2680				C<SystemCallFilter=~@mount>.
2681
2682				Simple allow-list example using these directives:
2683
2684				[Service]
2685				ReadOnlyPaths=/
2686				ReadWritePaths=/var /run
2687				InaccessiblePaths=-/lost+found
2688				NoExecPaths=/
2689				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2690
2691				',
2692				'type' => 'list'
2693				},
2694				'NoExecPaths',
2695				{
2696				'cargo' => {
2697				'type' => 'leaf',
2698				'value_type' => 'uniline'
2699				},
2700				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2701				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2702				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2703				paths contain symlinks, they are resolved relative to the root directory set with
2704				C<RootDirectory>/C<RootImage>.
2705
2706				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2707				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2708				are accessible for reading only, writing will be refused even if the usual file access controls would
2709				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2710				order to provide writable subdirectories within read-only directories. Use
2711				C<ReadWritePaths> in order to allow-list specific paths for write access if
2712				C<ProtectSystem=strict> is used.
2713
2714				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2715				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2716				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2717				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2718				see C<TemporaryFileSystem>.
2719
2720				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2721				file access controls would permit this. Nest C<ExecPaths> inside of
2722				C<NoExecPaths> in order to provide executable content within non-executable
2723				directories.
2724
2725				Non-directory paths may be specified as well. These options may be specified more than once,
2726				in which case all paths listed will have limited access from within the namespace. If the empty string is
2727				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2728
2729				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2730				C<InaccessiblePaths>, C<ExecPaths> and
2731				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2732				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2733				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2734				instead of relative to the root directory of the host (see above). When combining C<-> and
2735				C<+> on the same path make sure to specify C<-> first, and C<+>
2736				second.
2737
2738				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2739				host. This means that this setting may not be used for services which shall be able to install mount points in
2740				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>
2741				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2742				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2743				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2744				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2745				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2746				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2747				setting is not complete, and does not offer full protection.
2748
2749				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2750				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2751				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2752				C<SystemCallFilter=~@mount>.
2753
2754				Simple allow-list example using these directives:
2755
2756				[Service]
2757				ReadOnlyPaths=/
2758				ReadWritePaths=/var /run
2759				InaccessiblePaths=-/lost+found
2760				NoExecPaths=/
2761				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2762
2763				',
2764				'type' => 'list'
2765				},
2766				'TemporaryFileSystem',
2767				{
2768				'cargo' => {
2769				'type' => 'leaf',
2770				'value_type' => 'uniline'
2771				},
2772				'description' => 'Takes a space-separated list of mount points for temporary file systems (tmpfs). If set, a new file
2773				system namespace is set up for executed processes, and a temporary file system is mounted on each mount point.
2774				This option may be specified more than once, in which case temporary file systems are mounted on all listed mount
2775				points. If the empty string is assigned to this option, the list is reset, and all prior assignments have no effect.
2776				Each mount point may optionally be suffixed with a colon (C<:>) and mount options such as
2777				C<size=10%> or C<ro>. By default, each temporary file system is mounted
2778				with C<nodev,strictatime,mode=0755>. These can be disabled by explicitly specifying the corresponding
2779				mount options, e.g., C<dev> or C<nostrictatime>.
2780
2781				This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary
2782				files or directories can be still accessed by combining with C<BindPaths> or
2783				C<BindReadOnlyPaths>:
2784
2785				Example: if a unit has the following,
2786
2787				TemporaryFileSystem=/var:ro
2788				BindReadOnlyPaths=/var/lib/systemd
2789
2790				then the invoked processes by the unit cannot see any files or directories under C</var/> except for
2791				C</var/lib/systemd> or its contents.',
2792				'type' => 'list'
2793				},
2794				'PrivateTmp',
2795				{
2796				'description' => 'Takes a boolean argument. If true, sets up a new file system namespace for the
2797				executed processes and mounts private C</tmp/> and C</var/tmp/>
2798				directories inside it that are not shared by processes outside of the namespace. This is useful to
2799				secure access to temporary files of the process, but makes sharing between processes via
2800				C</tmp/> or C</var/tmp/> impossible. If true, all temporary files
2801				created by a service in these directories will be removed after the service is stopped. Defaults to
2802				false. It is possible to run two or more units within the same private C</tmp/> and
2803				C</var/tmp/> namespace by using the C<JoinsNamespaceOf> directive,
2804				see L<systemd.unit(5)>
2805				for details. This setting is implied if C<DynamicUser> is set. For this setting the
2806				same restrictions regarding mount propagation and privileges apply as for
2807				C<ReadOnlyPaths> and related calls, see above. Enabling this setting has the side
2808				effect of adding C<Requires> and C<After> dependencies on all mount
2809				units necessary to access C</tmp/> and C</var/tmp/>. Moreover an
2810				implicitly C<After> ordering on
2811				L<systemd-tmpfiles-setup.service(8)>
2812				is added.
2813
2814				Note that the implementation of this setting might be impossible (for example if mount namespaces are not
2815				available), and the unit should be written in a way that does not solely rely on this setting for
2816				security.',
2817				'type' => 'leaf',
2818				'value_type' => 'boolean',
2819				'write_as' => [
2820				'no',
2821				'yes'
2822				]
2823				},
2824				'PrivateDevices',
2825				{
2826				'description' => 'Takes a boolean argument. If true, sets up a new C</dev/> mount for
2827				the executed processes and only adds API pseudo devices such as C</dev/null>,
2828				C</dev/zero> or C</dev/random> (as well as the pseudo TTY
2829				subsystem) to it, but no physical devices such as C</dev/sda>, system memory
2830				C</dev/mem>, system ports C</dev/port> and others. This is useful
2831				to turn off physical device access by the executed process. Defaults to false.
2832
2833				Enabling this option will install a system call filter to block low-level I/O system calls that
2834				are grouped in the C<@raw-io> set, remove C<CAP_MKNOD> and
2835				C<CAP_SYS_RAWIO> from the capability bounding set for the unit, and set
2836				C<DevicePolicy=closed> (see
2837				L<systemd.resource-control(5)>
2838				for details). Note that using this setting will disconnect propagation of mounts from the service to
2839				the host (propagation in the opposite direction continues to work). This means that this setting may
2840				not be used for services which shall be able to install mount points in the main mount namespace. The
2841				new C</dev/> will be mounted read-only and \'noexec\'. The latter may break old
2842				programs which try to set up executable memory by using
2843				L<mmap(2)> of
2844				C</dev/zero> instead of using C<MAP_ANON>. For this setting the
2845				same restrictions regarding mount propagation and privileges apply as for
2846				C<ReadOnlyPaths> and related calls, see above. If turned on and if running in user
2847				mode, or in system mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
2848				C<User>), C<NoNewPrivileges=yes> is implied.
2849
2850				Note that the implementation of this setting might be impossible (for example if mount
2851				namespaces are not available), and the unit should be written in a way that does not solely rely on
2852				this setting for security.
2853
2854				When access to some but not all devices must be possible, the C<DeviceAllow>
2855				setting might be used instead. See
2856				L<systemd.resource-control(5)>.
2857				',
2858				'type' => 'leaf',
2859				'value_type' => 'boolean',
2860				'write_as' => [
2861				'no',
2862				'yes'
2863				]
2864				},
2865				'PrivateNetwork',
2866				{
2867				'description' => 'Takes a boolean argument. If true, sets up a new network namespace for the executed processes
2868				and configures only the loopback network device C<lo> inside it. No other network devices will
2869				be available to the executed process. This is useful to turn off network access by the executed process.
2870				Defaults to false. It is possible to run two or more units within the same private network namespace by using
2871				the C<JoinsNamespaceOf> directive, see
2872				L<systemd.unit(5)> for
2873				details. Note that this option will disconnect all socket families from the host, including
2874				C<AF_NETLINK> and C<AF_UNIX>. Effectively, for
2875				C<AF_NETLINK> this means that device configuration events received from
2876				L<systemd-udevd.service(8)> are
2877				not delivered to the unit\'s processes. And for C<AF_UNIX> this has the effect that
2878				C<AF_UNIX> sockets in the abstract socket namespace of the host will become unavailable to
2879				the unit\'s processes (however, those located in the file system will continue to be accessible).
2880
2881				Note that the implementation of this setting might be impossible (for example if network namespaces are
2882				not available), and the unit should be written in a way that does not solely rely on this setting for
2883				security.
2884
2885				When this option is used on a socket unit any sockets bound on behalf of this unit will be
2886				bound within a private network namespace. This may be combined with
2887				C<JoinsNamespaceOf> to listen on sockets inside of network namespaces of other
2888				services.',
2889				'type' => 'leaf',
2890				'value_type' => 'boolean',
2891				'write_as' => [
2892				'no',
2893				'yes'
2894				]
2895				},
2896				'NetworkNamespacePath',
2897				{
2898				'description' => 'Takes an absolute file system path refererring to a Linux network namespace
2899				pseudo-file (i.e. a file like C</proc/$PID/ns/net> or a bind mount or symlink to
2900				one). When set the invoked processes are added to the network namespace referenced by that path. The
2901				path has to point to a valid namespace file at the moment the processes are forked off. If this
2902				option is used C<PrivateNetwork> has no effect. If this option is used together with
2903				C<JoinsNamespaceOf> then it only has an effect if this unit is started before any of
2904				the listed units that have C<PrivateNetwork> or
2905				C<NetworkNamespacePath> configured, as otherwise the network namespace of those
2906				units is reused.
2907
2908				When this option is used on a socket unit any sockets bound on behalf of this unit will be
2909				bound within the specified network namespace.',
2910				'type' => 'leaf',
2911				'value_type' => 'uniline'
2912				},
2913				'PrivateIPC',
2914				{
2915				'description' => 'Takes a boolean argument. If true, sets up a new IPC namespace for the executed processes.
2916				Each IPC namespace has its own set of System V IPC identifiers and its own POSIX message queue file system.
2917				This is useful to avoid name clash of IPC identifiers. Defaults to false. It is possible to run two or
2918				more units within the same private IPC namespace by using the C<JoinsNamespaceOf> directive,
2919				see L<systemd.unit(5)> for
2920				details.
2921
2922				Note that IPC namespacing does not have an effect on
2923				C<AF_UNIX> sockets, which are the most common
2924				form of IPC used on Linux. Instead, C<AF_UNIX>
2925				sockets in the file system are subject to mount namespacing, and
2926				those in the abstract namespace are subject to network namespacing.
2927				IPC namespacing only has an effect on SysV IPC (which is mostly
2928				legacy) as well as POSIX message queues (for which
2929				C<AF_UNIX>/C<SOCK_SEQPACKET>
2930				sockets are typically a better replacement). IPC namespacing also
2931				has no effect on POSIX shared memory (which is subject to mount
2932				namespacing) either. See
2933				L<ipc_namespaces(7)> for
2934				the details.
2935
2936				Note that the implementation of this setting might be impossible (for example if IPC namespaces are
2937				not available), and the unit should be written in a way that does not solely rely on this setting for
2938				security.',
2939				'type' => 'leaf',
2940				'value_type' => 'boolean',
2941				'write_as' => [
2942				'no',
2943				'yes'
2944				]
2945				},
2946				'IPCNamespacePath',
2947				{
2948				'description' => 'Takes an absolute file system path refererring to a Linux IPC namespace
2949				pseudo-file (i.e. a file like C</proc/$PID/ns/ipc> or a bind mount or symlink to
2950				one). When set the invoked processes are added to the network namespace referenced by that path. The
2951				path has to point to a valid namespace file at the moment the processes are forked off. If this
2952				option is used C<PrivateIPC> has no effect. If this option is used together with
2953				C<JoinsNamespaceOf> then it only has an effect if this unit is started before any of
2954				the listed units that have C<PrivateIPC> or
2955				C<IPCNamespacePath> configured, as otherwise the network namespace of those
2956				units is reused.',
2957				'type' => 'leaf',
2958				'value_type' => 'uniline'
2959				},
2960				'PrivateUsers',
2961				{
2962				'description' => 'Takes a boolean argument. If true, sets up a new user namespace for the executed processes and
2963				configures a minimal user and group mapping, that maps the C<root> user and group as well as
2964				the unit\'s own user and group to themselves and everything else to the C<nobody> user and
2965				group. This is useful to securely detach the user and group databases used by the unit from the rest of the
2966				system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and
2967				other resources owned by users/groups not equaling C<root> or the unit\'s own will stay visible
2968				from within the unit but appear owned by the C<nobody> user and group. If this mode is enabled,
2969				all unit processes are run without privileges in the host user namespace (regardless if the unit\'s own
2970				user/group is C<root> or not). Specifically this means that the process will have zero process
2971				capabilities on the host\'s user namespace, but full capabilities within the service\'s user namespace. Settings
2972				such as C<CapabilityBoundingSet> will affect only the latter, and there\'s no way to acquire
2973				additional capabilities in the host\'s user namespace. Defaults to off.
2974
2975				When this setting is set up by a per-user instance of the service manager, the mapping of the
2976				C<root> user and group to itself is omitted (unless the user manager is root).
2977				Additionally, in the per-user instance manager case, the
2978				user namespace will be set up before most other namespaces. This means that combining
2979				C<PrivateUsers>C<true> with other namespaces will enable use of features not
2980				normally supported by the per-user instances of the service manager.
2981
2982				This setting is particularly useful in conjunction with
2983				C<RootDirectory>/C<RootImage>, as the need to synchronize the user and group
2984				databases in the root directory and on the host is reduced, as the only users and groups who need to be matched
2985				are C<root>, C<nobody> and the unit\'s own user and group.
2986
2987				Note that the implementation of this setting might be impossible (for example if user namespaces are not
2988				available), and the unit should be written in a way that does not solely rely on this setting for
2989				security.',
2990				'type' => 'leaf',
2991				'value_type' => 'boolean',
2992				'write_as' => [
2993				'no',
2994				'yes'
2995				]
2996				},
2997				'ProtectHostname',
2998				{
2999				'description' => 'Takes a boolean argument. When set, sets up a new UTS namespace for the executed
3000				processes. In addition, changing hostname or domainname is prevented. Defaults to off.
3001
3002				Note that the implementation of this setting might be impossible (for example if UTS namespaces
3003				are not available), and the unit should be written in a way that does not solely rely on this setting
3004				for security.
3005
3006				Note that when this option is enabled for a service hostname changes no longer propagate from
3007				the system into the service, it is hence not suitable for services that need to take notice of system
3008				hostname changes dynamically.
3009
3010				If this setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN>
3011				capability (e.g. services for which C<User> is set),
3012				C<NoNewPrivileges=yes> is implied.',
3013				'type' => 'leaf',
3014				'value_type' => 'boolean',
3015				'write_as' => [
3016				'no',
3017				'yes'
3018				]
3019				},
3020				'ProtectClock',
3021				{
3022				'description' => 'Takes a boolean argument. If set, writes to the hardware clock or system clock will be denied.
3023				It is recommended to turn this on for most services that do not need modify the clock. Defaults to off. Enabling
3024				this option removes C<CAP_SYS_TIME> and C<CAP_WAKE_ALARM> from the
3025				capability bounding set for this unit, installs a system call filter to block calls that can set the
3026				clock, and C<DeviceAllow=char-rtc r> is implied. This ensures C</dev/rtc0>,
3027				C</dev/rtc1>, etc. are made read-only to the service. See
3028				L<systemd.resource-control(5)>
3029				for the details about C<DeviceAllow>. If this setting is on, but the unit
3030				doesn\'t have the C<CAP_SYS_ADMIN> capability (e.g. services for which
3031				C<User> is set), C<NoNewPrivileges=yes> is implied.',
3032				'type' => 'leaf',
3033				'value_type' => 'boolean',
3034				'write_as' => [
3035				'no',
3036				'yes'
3037				]
3038				},
3039				'ProtectKernelTunables',
3040				{
3041				'description' => 'Takes a boolean argument. If true, kernel variables accessible through
3042				C</proc/sys/>, C</sys/>, C</proc/sysrq-trigger>,
3043				C</proc/latency_stats>, C</proc/acpi>,
3044				C</proc/timer_stats>, C</proc/fs> and C</proc/irq> will
3045				be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at
3046				boot-time, for example with the
3047				L<sysctl.d(5)> mechanism. Few
3048				services need to write to these at runtime; it is hence recommended to turn this on for most services. For this
3049				setting the same restrictions regarding mount propagation and privileges apply as for
3050				C<ReadOnlyPaths> and related calls, see above. Defaults to off. If this
3051				setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN> capability
3052				(e.g. services for which C<User> is set),
3053				C<NoNewPrivileges=yes> is implied. Note that this option does not prevent
3054				indirect changes to kernel tunables effected by IPC calls to other processes. However,
3055				C<InaccessiblePaths> may be used to make relevant IPC file system objects
3056				inaccessible. If C<ProtectKernelTunables> is set,
3057				C<MountAPIVFS=yes> is implied.',
3058				'type' => 'leaf',
3059				'value_type' => 'boolean',
3060				'write_as' => [
3061				'no',
3062				'yes'
3063				]
3064				},
3065				'ProtectKernelModules',
3066				{
3067				'description' => 'Takes a boolean argument. If true, explicit module loading will be denied. This allows
3068				module load and unload operations to be turned off on modular kernels. It is recommended to turn this on for most services
3069				that do not need special file systems or extra kernel modules to work. Defaults to off. Enabling this option
3070				removes C<CAP_SYS_MODULE> from the capability bounding set for the unit, and installs a
3071				system call filter to block module system calls, also C</usr/lib/modules> is made
3072				inaccessible. For this setting the same restrictions regarding mount propagation and privileges apply as for
3073				C<ReadOnlyPaths> and related calls, see above. Note that limited automatic module loading due
3074				to user configuration or kernel mapping tables might still happen as side effect of requested user operations,
3075				both privileged and unprivileged. To disable module auto-load feature please see
3076				L<sysctl.d(5)>C<kernel.modules_disabled> mechanism and
3077				C</proc/sys/kernel/modules_disabled> documentation. If this setting is on,
3078				but the unit doesn\'t have the C<CAP_SYS_ADMIN> capability (e.g. services for
3079				which C<User> is set), C<NoNewPrivileges=yes> is implied.',
3080				'type' => 'leaf',
3081				'value_type' => 'boolean',
3082				'write_as' => [
3083				'no',
3084				'yes'
3085				]
3086				},
3087				'ProtectKernelLogs',
3088				{
3089				'description' => 'Takes a boolean argument. If true, access to the kernel log ring buffer will be denied. It is
3090				recommended to turn this on for most services that do not need to read from or write to the kernel log ring
3091				buffer. Enabling this option removes C<CAP_SYSLOG> from the capability bounding set for this
3092				unit, and installs a system call filter to block the
3093				L<syslog(2)>
3094				system call (not to be confused with the libc API
3095				L<syslog(3)>
3096				for userspace logging). The kernel exposes its log buffer to userspace via C</dev/kmsg> and
3097				C</proc/kmsg>. If enabled, these are made inaccessible to all the processes in the unit.
3098				If this setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN>
3099				capability (e.g. services for which C<User> is set),
3100				C<NoNewPrivileges=yes> is implied.',
3101				'type' => 'leaf',
3102				'value_type' => 'boolean',
3103				'write_as' => [
3104				'no',
3105				'yes'
3106				]
3107				},
3108				'ProtectControlGroups',
3109				{
3110				'description' => 'Takes a boolean argument. If true, the Linux Control Groups (L<cgroups(7)>) hierarchies
3111				accessible through C</sys/fs/cgroup/> will be made read-only to all processes of the
3112				unit. Except for container managers no services should require write access to the control groups hierarchies;
3113				it is hence recommended to turn this on for most services. For this setting the same restrictions regarding
3114				mount propagation and privileges apply as for C<ReadOnlyPaths> and related calls, see
3115				above. Defaults to off. If C<ProtectControlGroups> is set, C<MountAPIVFS=yes>
3116				is implied.',
3117				'type' => 'leaf',
3118				'value_type' => 'boolean',
3119				'write_as' => [
3120				'no',
3121				'yes'
3122				]
3123				},
3124				'RestrictAddressFamilies',
3125				{
3126				'description' => 'Restricts the set of socket address families accessible to the processes of this
3127				unit. Takes C<none>, or a space-separated list of address family names to
3128				allow-list, such as C<AF_UNIX>, C<AF_INET> or
3129				C<AF_INET6>. When C<none> is specified, then all address
3130				families will be denied. When prefixed with C<~> the listed address
3131				families will be applied as deny list, otherwise as allow list. Note that this restricts access
3132				to the
3133				L<socket(2)>
3134				system call only. Sockets passed into the process by other means (for example, by using socket
3135				activation with socket units, see
3136				L<systemd.socket(5)>)
3137				are unaffected. Also, sockets created with socketpair() (which creates connected
3138				AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x,
3139				mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on other ABIs,
3140				including x86-64). Note that on systems supporting multiple ABIs (such as x86/x86-64) it is
3141				recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the
3142				restrictions of this option. Specifically, it is recommended to combine this option with
3143				C<SystemCallArchitectures=native> or similar. If running in user mode, or in system
3144				mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3145				C<User>), C<NoNewPrivileges=yes> is implied. By default, no
3146				restrictions apply, all address families are accessible to processes. If assigned the empty string,
3147				any previous address family restriction changes are undone. This setting does not affect commands
3148				prefixed with C<+>.
3149
3150				Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
3151				network protocols, such as C<AF_PACKET>. Note that in most cases, the local
3152				C<AF_UNIX> address family should be included in the configured allow list as it is frequently
3153				used for local communication, including for
3154				L<syslog(2)>
3155				logging.',
3156				'type' => 'leaf',
3157				'value_type' => 'uniline'
3158				},
3159				'RestrictFileSystems',
3160				{
3161				'description' => 'Restricts the set of filesystems processes of this unit can open files on. Takes a space-separated
3162				list of filesystem names. Any filesystem listed is made accessible to the unit\'s processes, access to filesystem
3163				types not listed is prohibited (allow-listing). If the first character of the list is C<~>, the
3164				effect is inverted: access to the filesystems listed is prohibited (deny-listing). If the empty string is assigned,
3165				access to filesystems is not restricted.
3166
3167				If you specify both types of this option (i.e. allow-listing and deny-listing), the first encountered will take
3168				precedence and will dictate the default action (allow access to the filesystem or deny it). Then the next occurrences
3169				of this option will add or delete the listed filesystems from the set of the restricted filesystems, depending on its
3170				type and the default action.
3171
3172				Example: if a unit has the following,
3173
3174				RestrictFileSystems=ext4 tmpfs
3175				RestrictFileSystems=ext2 ext4
3176
3177				then access to C<ext4>, C<tmpfs>, and C<ext2> is allowed
3178				and access to other filesystems is denied.
3179
3180				Example: if a unit has the following,
3181
3182				RestrictFileSystems=ext4 tmpfs
3183				RestrictFileSystems=~ext4
3184
3185				then only access C<tmpfs> is allowed.
3186
3187				Example: if a unit has the following,
3188
3189				RestrictFileSystems=~ext4 tmpfs
3190				RestrictFileSystems=ext4
3191
3192				then only access to C<tmpfs> is denied.
3193
3194				As the number of possible filesystems is large, predefined sets of filesystems are provided. A set
3195				starts with C<@> character, followed by name of the set.
3196
3197				Use
3198				L<systemd-analyze(1)>\'s
3199				filesystems command to retrieve a list of filesystems defined on the local
3200				system.
3201
3202				Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is
3203				not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting
3204				has no effect.',
3205				'type' => 'leaf',
3206				'value_type' => 'uniline'
3207				},
3208				'RestrictNamespaces',
3209				{
3210				'description' => "Restricts access to Linux namespace functionality for the processes of this unit. For details
3211				about Linux namespaces, see L<namespaces(7)>. Either
3212				takes a boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no
3213				restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
3214				prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
3215				any combination of: C<cgroup>, C<ipc>, C<net>,
3216				C<mnt>, C<pid>, C<user> and C<uts>. Any
3217				namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
3218				prohibited (allow-listing). By prepending the list with a single tilde character (C<~>) the
3219				effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
3220				permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied,
3221				which is equivalent to false. This option may appear more than once, in which case the namespace types are
3222				merged by C<OR>, or by C<AND> if the lines are prefixed with
3223				C<~> (see examples below). Internally, this setting limits access to the
3224				L<unshare(2)>,
3225				L<clone(2)> and
3226				L<setns(2)> system calls, taking
3227				the specified flags parameters into account. Note that \x{2014} if this option is used \x{2014} in addition to restricting
3228				creation and switching of the specified types of namespaces (or all of them, if true) access to the
3229				setns() system call with a zero flags parameter is prohibited. This setting is only
3230				supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390
3231				and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but
3232				without the C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3233				C<NoNewPrivileges=yes> is implied.
3234
3235				Example: if a unit has the following,
3236
3237				RestrictNamespaces=cgroup ipc
3238				RestrictNamespaces=cgroup net
3239
3240				then C<cgroup>, C<ipc>, and C<net> are set.
3241				If the second line is prefixed with C<~>, e.g.,
3242
3243				RestrictNamespaces=cgroup ipc
3244				RestrictNamespaces=~cgroup net
3245
3246				then, only C<ipc> is set.",
3247				'type' => 'leaf',
3248				'value_type' => 'uniline'
3249				},
3250				'LockPersonality',
3251				{
3252				'description' => 'Takes a boolean argument. If set, locks down the L<personality(2)> system
3253				call so that the kernel execution domain may not be changed from the default or the personality selected with
3254				C<Personality> directive. This may be useful to improve security, because odd personality
3255				emulations may be poorly tested and source of vulnerabilities. If running in user mode, or in system mode, but
3256				without the C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3257				C<NoNewPrivileges=yes> is implied.',
3258				'type' => 'leaf',
3259				'value_type' => 'boolean',
3260				'write_as' => [
3261				'no',
3262				'yes'
3263				]
3264				},
3265				'MemoryDenyWriteExecute',
3266				{
3267				'description' => 'Takes a boolean argument. If set, attempts to create memory mappings that are writable and
3268				executable at the same time, or to change existing memory mappings to become executable, or mapping shared
3269				memory segments as executable are prohibited. Specifically, a system call filter is added that rejects
3270				L<mmap(2)> system calls with both
3271				C<PROT_EXEC> and C<PROT_WRITE> set,
3272				L<mprotect(2)> or
3273				L<pkey_mprotect(2)> system calls
3274				with C<PROT_EXEC> set and
3275				L<shmat(2)> system calls with
3276				C<SHM_EXEC> set. Note that this option is incompatible with programs and libraries that
3277				generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
3278				"trampoline" feature of various C compilers. This option improves service security, as it makes harder for
3279				software exploits to change running code dynamically. However, the protection can be circumvented, if
3280				the service can write to a filesystem, which is not mounted with C<noexec> (such as
3281				C</dev/shm>), or it can use memfd_create(). This can be
3282				prevented by making such file systems inaccessible to the service
3283				(e.g. C<InaccessiblePaths=/dev/shm>) and installing further system call filters
3284				(C<SystemCallFilter=~memfd_create>). Note that this feature is fully available on
3285				x86-64, and partially on x86. Specifically, the shmat() protection is not
3286				available on x86. Note that on systems supporting multiple ABIs (such as x86/x86-64) it is
3287				recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the
3288				restrictions of this option. Specifically, it is recommended to combine this option with
3289				C<SystemCallArchitectures=native> or similar. If running in user mode, or in system
3290				mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3291				C<User>), C<NoNewPrivileges=yes> is implied.',
3292				'type' => 'leaf',
3293				'value_type' => 'boolean',
3294				'write_as' => [
3295				'no',
3296				'yes'
3297				]
3298				},
3299				'RestrictRealtime',
3300				{
3301				'description' => 'Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
3302				the unit are refused. This restricts access to realtime task scheduling policies such as
3303				C<SCHED_FIFO>, C<SCHED_RR> or C<SCHED_DEADLINE>. See
3304				L<sched(7)>
3305				for details about these scheduling policies. If running in user mode, or in system mode, but without the
3306				C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3307				C<NoNewPrivileges=yes> is implied. Realtime scheduling policies may be used to monopolize CPU
3308				time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial-of-Service
3309				situations on the system. It is hence recommended to restrict access to realtime scheduling to the few programs
3310				that actually require them. Defaults to off.',
3311				'type' => 'leaf',
3312				'value_type' => 'boolean',
3313				'write_as' => [
3314				'no',
3315				'yes'
3316				]
3317				},
3318				'RestrictSUIDSGID',
3319				{
3320				'description' => 'Takes a boolean argument. If set, any attempts to set the set-user-ID (SUID) or
3321				set-group-ID (SGID) bits on files or directories will be denied (for details on these bits see
3322				L<inode(7)>). If
3323				running in user mode, or in system mode, but without the C<CAP_SYS_ADMIN>
3324				capability (e.g. setting C<User>), C<NoNewPrivileges=yes> is
3325				implied. As the SUID/SGID bits are mechanisms to elevate privileges, and allows users to acquire the
3326				identity of other users, it is recommended to restrict creation of SUID/SGID files to the few
3327				programs that actually require them. Note that this restricts marking of any type of file system
3328				object with these bits, including both regular files and directories (where the SGID is a different
3329				meaning than for files, see documentation). This option is implied if C<DynamicUser>
3330				is enabled. Defaults to off.',
3331				'type' => 'leaf',
3332				'value_type' => 'boolean',
3333				'write_as' => [
3334				'no',
3335				'yes'
3336				]
3337				},
3338				'RemoveIPC',
3339				{
3340				'description' => 'Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and
3341				group the processes of this unit are run as are removed when the unit is stopped. This setting only has an
3342				effect if at least one of C<User>, C<Group> and
3343				C<DynamicUser> are used. It has no effect on IPC objects owned by the root user. Specifically,
3344				this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If
3345				multiple units use the same user or group the IPC objects are removed when the last of these units is
3346				stopped. This setting is implied if C<DynamicUser> is set.',
3347				'type' => 'leaf',
3348				'value_type' => 'boolean',
3349				'write_as' => [
3350				'no',
3351				'yes'
3352				]
3353				},
3354				'PrivateMounts',
3355				{
3356				'description' => "Takes a boolean parameter. If set, the processes of this unit will be run in their own private
3357				file system (mount) namespace with all mount propagation from the processes towards the host's main file system
3358				namespace turned off. This means any file system mount points established or removed by the unit's processes
3359				will be private to them and not be visible to the host. However, file system mount points established or
3360				removed on the host will be propagated to the unit's processes. See L<mount_namespaces(7)> for
3361				details on file system namespaces. Defaults to off.
3362
3363				When turned on, this executes three operations for each invoked process: a new
3364				C<CLONE_NEWNS> namespace is created, after which all existing mounts are remounted to
3365				C<MS_SLAVE> to disable propagation from the unit's processes to the host (but leaving
3366				propagation in the opposite direction in effect). Finally, the mounts are remounted again to the propagation
3367				mode configured with C<MountFlags>, see below.
3368
3369				File system namespaces are set up individually for each process forked off by the service manager. Mounts
3370				established in the namespace of the process created by C<ExecStartPre> will hence be cleaned
3371				up automatically as soon as that process exits and will not be available to subsequent processes forked off for
3372				C<ExecStart> (and similar applies to the various other commands configured for
3373				units). Similarly, C<JoinsNamespaceOf> does not permit sharing kernel mount namespaces between
3374				units, it only enables sharing of the C</tmp/> and C</var/tmp/>
3375				directories.
3376
3377				Other file system namespace unit settings \x{2014} C<PrivateMounts>,
3378				C<PrivateTmp>, C<PrivateDevices>, C<ProtectSystem>,
3379				C<ProtectHome>, C<ReadOnlyPaths>, C<InaccessiblePaths>,
3380				C<ReadWritePaths>, \x{2026} \x{2014} also enable file system namespacing in a fashion equivalent to this
3381				option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are
3382				used.",
3383				'type' => 'leaf',
3384				'value_type' => 'boolean',
3385				'write_as' => [
3386				'no',
3387				'yes'
3388				]
3389				},
3390				'MountFlags',
3391				{
3392				'description' => "Takes a mount propagation setting: C<shared>, C<slave> or
3393				C<private>, which controls whether file system mount points in the file system namespaces set up
3394				for this unit's processes will receive or propagate mounts and unmounts from other file system namespaces. See
3395				L<mount(2)>
3396				for details on mount propagation, and the three propagation flags in particular.
3397
3398				This setting only controls the final propagation setting in effect on all mount
3399				points of the file system namespace created for each process of this unit. Other file system namespacing unit
3400				settings (see the discussion in C<PrivateMounts> above) will implicitly disable mount and
3401				unmount propagation from the unit's processes towards the host by changing the propagation setting of all mount
3402				points in the unit's file system namespace to C<slave> first. Setting this option to
3403				C<shared> does not reestablish propagation in that case.
3404
3405				If not set \x{2013} but file system namespaces are enabled through another file system namespace unit setting \x{2013}
3406				C<shared> mount propagation is used, but \x{2014} as mentioned \x{2014} as C<slave> is applied
3407				first, propagation from the unit's processes to the host is still turned off.
3408
3409				It is not recommended to use C<private> mount propagation for units, as this means
3410				temporary mounts (such as removable media) of the host will stay mounted and thus indefinitely busy in forked
3411				off processes, as unmount propagation events won't be received by the file system namespace of the unit.
3412
3413				Usually, it is best to leave this setting unmodified, and use higher level file system namespacing
3414				options instead, in particular C<PrivateMounts>, see above.",
3415				'type' => 'leaf',
3416				'value_type' => 'uniline'
3417				},
3418				'SystemCallFilter',
3419				{
3420				'cargo' => {
3421				'type' => 'leaf',
3422				'value_type' => 'uniline'
3423				},
3424				'description' => "Takes a space-separated list of system call names. If this setting is used, all
3425				system calls executed by the unit processes except for the listed ones will result in immediate
3426				process termination with the C<SIGSYS> signal (allow-listing). (See
3427				C<SystemCallErrorNumber> below for changing the default action). If the first
3428				character of the list is C<~>, the effect is inverted: only the listed system calls
3429				will result in immediate process termination (deny-listing). Deny-listed system calls and system call
3430				groups may optionally be suffixed with a colon (C<:>) and C<errno>
3431				error number (between 0 and 4095) or errno name such as C<EPERM>,
3432				C<EACCES> or C<EUCLEAN> (see L<errno(3)> for a
3433				full list). This value will be returned when a deny-listed system call is triggered, instead of
3434				terminating the processes immediately. Special setting C<kill> can be used to
3435				explicitly specify killing. This value takes precedence over the one given in
3436				C<SystemCallErrorNumber>, see below. If running in user mode, or in system mode,
3437				but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3438				C<User>), C<NoNewPrivileges=yes> is implied. This feature
3439				makes use of the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering') and is useful
3440				for enforcing a minimal sandboxing environment. Note that the execve(),
3441				exit(), exit_group(), getrlimit(),
3442				rt_sigreturn(), sigreturn() system calls and the system calls
3443				for querying time and sleeping are implicitly allow-listed and do not need to be listed
3444				explicitly. This option may be specified more than once, in which case the filter masks are
3445				merged. If the empty string is assigned, the filter is reset, all prior assignments will have no
3446				effect. This does not affect commands prefixed with C<+>.
3447
3448				Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off
3449				alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this
3450				option. Specifically, it is recommended to combine this option with
3451				C<SystemCallArchitectures=native> or similar.
3452
3453				Note that strict system call filters may impact execution and error handling code paths of the service
3454				invocation. Specifically, access to the execve() system call is required for the execution
3455				of the service binary \x{2014} if it is blocked service invocation will necessarily fail. Also, if execution of the
3456				service binary fails for some reason (for example: missing service executable), the error handling logic might
3457				require access to an additional set of system calls in order to process and log this failure correctly. It
3458				might be necessary to temporarily disable system call filters in order to simplify debugging of such
3459				failures.
3460
3461				If you specify both types of this option (i.e. allow-listing and deny-listing), the first
3462				encountered will take precedence and will dictate the default action (termination or approval of a
3463				system call). Then the next occurrences of this option will add or delete the listed system calls
3464				from the set of the filtered system calls, depending of its type and the default action. (For
3465				example, if you have started with an allow list rule for read() and
3466				write(), and right after it add a deny list rule for write(),
3467				then write() will be removed from the set.)
3468
3469				As the number of possible system calls is large, predefined sets of system calls are provided. A set
3470				starts with C<\@> character, followed by name of the set.
3471				Currently predefined system call setsSetDescription\@aioAsynchronous I/O (L<io_setup(2)>, L<io_submit(2)>, and related calls)\@basic-ioSystem calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (L<read(2)>, L<write(2)>, and related calls)\@chownChanging file ownership (L<chown(2)>, L<fchownat(2)>, and related calls)\@clockSystem calls for changing the system clock (L<adjtimex(2)>, L<settimeofday(2)>, and related calls)\@cpu-emulationSystem calls for CPU emulation functionality (L<vm86(2)> and related calls)\@debugDebugging, performance monitoring and tracing functionality (L<ptrace(2)>, L<perf_event_open(2)> and related calls)\@file-systemFile system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links\@io-eventEvent loop system calls (L<poll(2)>, L<select(2)>, L<epoll(7)>, L<eventfd(2)> and related calls)\@ipcPipes, SysV IPC, POSIX Message Queues and other IPC (L<mq_overview(7)>, L<svipc(7)>)\@keyringKernel keyring access (L<keyctl(2)> and related calls)\@memlockLocking of memory in RAM (L<mlock(2)>, L<mlockall(2)> and related calls)\@moduleLoading and unloading of kernel modules (L<init_module(2)>, L<delete_module(2)> and related calls)\@mountMounting and unmounting of file systems (L<mount(2)>, L<chroot(2)>, and related calls)\@network-ioSocket I/O (including local AF_UNIX): L<socket(7)>, L<unix(7)>\@obsoleteUnusual, obsolete or unimplemented (L<create_module(2)>, L<gtty(2)>, \x{2026})\@privilegedAll system calls which need super-user capabilities (L<capabilities(7)>)\@processProcess control, execution, namespacing operations (L<clone(2)>, L<kill(2)>, L<namespaces(7)>, \x{2026})\@raw-ioRaw I/O port access (L<ioperm(2)>, L<iopl(2)>, pciconfig_read(), \x{2026})\@rebootSystem calls for rebooting and reboot preparation (L<reboot(2)>, kexec(), \x{2026})\@resourcesSystem calls for changing resource limits, memory and scheduling parameters (L<setrlimit(2)>, L<setpriority(2)>, \x{2026})\@setuidSystem calls for changing user ID and group ID credentials, (L<setuid(2)>, L<setgid(2)>, L<setresuid(2)>, \x{2026})\@signalSystem calls for manipulating and handling process signals (L<signal(2)>, L<sigprocmask(2)>, \x{2026})\@swapSystem calls for enabling/disabling swap devices (L<swapon(2)>, L<swapoff(2)>)\@syncSynchronizing files and memory to disk (L<fsync(2)>, L<msync(2)>, and related calls)\@system-serviceA reasonable set of system calls used by common system services, excluding any special purpose calls. This is the recommended starting point for allow-listing system calls for system services, as it contains what is typically needed by system services, but excludes overly specific interfaces. For example, the following APIs are excluded: C<\@clock>, C<\@mount>, C<\@swap>, C<\@reboot>.\@timerSystem calls for scheduling operations by time (L<alarm(2)>, L<timer_create(2)>, \x{2026})\@knownAll system calls defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systemd version was released. It will become progressively more out-of-date as the kernel is updated.
3472				Note, that as new system calls are added to the kernel, additional system calls might be added to the groups
3473				above. Contents of the sets may also change between systemd versions. In addition, the list of system calls
3474				depends on the kernel version and architecture for which systemd was compiled. Use
3475				systemd-analyze\x{a0}syscall-filter to list the actual list of system calls in each
3476				filter.
3477
3478				Generally, allow-listing system calls (rather than deny-listing) is the safer mode of
3479				operation. It is recommended to enforce system call allow lists for all long-running system
3480				services. Specifically, the following lines are a relatively safe basic choice for the majority of
3481				system services:
3482
3483				Note that various kernel system calls are defined redundantly: there are multiple system calls
3484				for executing the same operation. For example, the pidfd_send_signal() system
3485				call may be used to execute operations similar to what can be done with the older
3486				kill() system call, hence blocking the latter without the former only provides
3487				weak protection. Since new system calls are added regularly to the kernel as development progresses,
3488				keeping system call deny lists comprehensive requires constant work. It is thus recommended to use
3489				allow-listing instead, which offers the benefit that new system calls are by default implicitly
3490				blocked until the allow list is updated.
3491
3492				Also note that a number of system calls are required to be accessible for the dynamic linker to
3493				work. The dynamic linker is required for running most regular programs (specifically: all dynamic ELF
3494				binaries, which is how most distributions build packaged programs). This means that blocking these
3495				system calls (which include open(), openat() or
3496				mmap()) will make most programs typically shipped with generic distributions
3497				unusable.
3498
3499				It is recommended to combine the file system namespacing related options with
3500				C<SystemCallFilter=~\@mount>, in order to prohibit the unit's processes to undo the
3501				mappings. Specifically these are the options C<PrivateTmp>,
3502				C<PrivateDevices>, C<ProtectSystem>, C<ProtectHome>,
3503				C<ProtectKernelTunables>, C<ProtectControlGroups>,
3504				C<ProtectKernelLogs>, C<ProtectClock>, C<ReadOnlyPaths>,
3505				C<InaccessiblePaths> and C<ReadWritePaths>.",
3506				'type' => 'list'
3507				},
3508				'SystemCallErrorNumber',
3509				{
3510				'description' => 'Takes an C<errno> error number (between 1 and 4095) or errno name
3511				such as C<EPERM>, C<EACCES> or C<EUCLEAN>, to
3512				return when the system call filter configured with C<SystemCallFilter> is triggered,
3513				instead of terminating the process immediately. See L<errno(3)> for a
3514				full list of error codes. When this setting is not used, or when the empty string or the special
3515				setting C<kill> is assigned, the process will be terminated immediately when the
3516				filter is triggered.',
3517				'type' => 'leaf',
3518				'value_type' => 'uniline'
3519				},
3520				'SystemCallArchitectures',
3521				{
3522				'description' => "Takes a space-separated list of architecture identifiers to include in the system call
3523				filter. The known architecture identifiers are the same as for C<ConditionArchitecture>
3524				described in L<systemd.unit(5)>,
3525				as well as C<x32>, C<mips64-n32>, C<mips64-le-n32>, and
3526				the special identifier C<native>. The special identifier C<native>
3527				implicitly maps to the native architecture of the system (or more precisely: to the architecture the system
3528				manager is compiled for). If running in user mode, or in system mode, but without the
3529				C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3530				C<NoNewPrivileges=yes> is implied. By default, this option is set to the empty list, i.e. no
3531				filtering is applied.
3532
3533				If this setting is used, processes of this unit will only be permitted to call native system calls, and
3534				system calls of the specified architectures. For the purposes of this option, the x32 architecture is treated
3535				as including x86-64 system calls. However, this setting still fulfills its purpose, as explained below, on
3536				x32.
3537
3538				System call filtering is not equally effective on all architectures. For example, on x86
3539				filtering of network socket-related calls is not possible, due to ABI limitations \x{2014} a limitation that x86-64
3540				does not have, however. On systems supporting multiple ABIs at the same time \x{2014} such as x86/x86-64 \x{2014} it is hence
3541				recommended to limit the set of permitted system call architectures so that secondary ABIs may not be used to
3542				circumvent the restrictions applied to the native ABI of the system. In particular, setting
3543				C<SystemCallArchitectures=native> is a good choice for disabling non-native ABIs.
3544
3545				System call architectures may also be restricted system-wide via the
3546				C<SystemCallArchitectures> option in the global configuration. See
3547				L<systemd-system.conf(5)> for
3548				details.",
3549				'type' => 'leaf',
3550				'value_type' => 'uniline'
3551				},
3552				'SystemCallLog',
3553				{
3554				'cargo' => {
3555				'type' => 'leaf',
3556				'value_type' => 'uniline'
3557				},
3558				'description' => 'Takes a space-separated list of system call names. If this setting is used, all
3559				system calls executed by the unit processes for the listed ones will be logged. If the first
3560				character of the list is C<~>, the effect is inverted: all system calls except the
3561				listed system calls will be logged. If running in user mode, or in system mode, but without the
3562				C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3563				C<NoNewPrivileges=yes> is implied. This feature makes use of the Secure Computing
3564				Mode 2 interfaces of the kernel (\'seccomp filtering\') and is useful for auditing or setting up a
3565				minimal sandboxing environment. This option may be specified more than once, in which case the filter
3566				masks are merged. If the empty string is assigned, the filter is reset, all prior assignments will
3567				have no effect. This does not affect commands prefixed with C<+>.',
3568				'type' => 'list'
3569				},
3570				'Environment',
3571				{
3572				'cargo' => {
3573				'type' => 'leaf',
3574				'value_type' => 'uniline'
3575				},
3576				'description' => "Sets environment variables for executed processes. Each line is unquoted using the
3577				rules described in \"Quoting\" section in
3578				L<systemd.syntax(7)>
3579				and becomes a list of variable assignments. If you need to assign a value containing spaces or the
3580				equals sign to a variable, put quotes around the whole assignment. Variable expansion is not
3581				performed inside the strings and the C<\$> character has no special meaning. Specifier
3582				expansion is performed, see the \"Specifiers\" section in
3583				L<systemd.unit(5)>.
3584
3585				This option may be specified more than once, in which case all listed variables will be set. If
3586				the same variable is listed twice, the later setting will override the earlier setting. If the empty
3587				string is assigned to this option, the list of environment variables is reset, all prior assignments
3588				have no effect.
3589
3590				The names of the variables can contain ASCII letters, digits, and the underscore character.
3591				Variable names cannot be empty or start with a digit. In variable values, most characters are
3592				allowed, but non-printable characters are currently rejected.
3593
3594				Example:
3595
3596				Environment=\"VAR1=word1 word2\" VAR2=word3 \"VAR3=\$word 5 6\"
3597
3598				gives three variables C<VAR1>,
3599				C<VAR2>, C<VAR3>
3600				with the values C<word1 word2>,
3601				C<word3>, C<\$word 5 6>.
3602
3603				See L<environ(7)> for
3604				details about environment variables.
3605
3606				Note that environment variables are not suitable for passing secrets (such as passwords, key
3607				material, \x{2026}) to service processes. Environment variables set for a unit are exposed to unprivileged
3608				clients via D-Bus IPC, and generally not understood as being data that requires protection. Moreover,
3609				environment variables are propagated down the process tree, including across security boundaries
3610				(such as setuid/setgid executables), and hence might leak to processes that should not have access to
3611				the secret data. Use C<LoadCredential>, C<LoadCredentialEncrypted>
3612				or C<SetCredentialEncrypted> (see below) to pass data to unit processes
3613				securely.",
3614				'type' => 'list'
3615				},
3616				'EnvironmentFile',
3617				{
3618				'cargo' => {
3619				'type' => 'leaf',
3620				'value_type' => 'uniline'
3621				},
3622				'description' => 'Similar to C<Environment> but reads the environment variables from a text file.
3623				The text file should contain newline-separated variable assignments. Empty lines, lines without an
3624				C<=> separator, or lines starting with C<;> or C<#> will be
3625				ignored, which may be used for commenting. The file must be UTF-8 encoded. Valid characters are L<unicode scalar values\|https://www.unicode.org/glossary/#unicode_scalar_value> other than L<noncharacters\|https://www.unicode.org/glossary/#noncharacter>, U+0000 NUL, and U+FEFF L<byte order mark\|https://www.unicode.org/glossary/#byte_order_mark>. Control codes other than NUL
3626				are allowed.
3627
3628				In the file, an unquoted value after the C<=> is parsed with the same backslash-escape
3629				rules as L<unquoted
3630				text\|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_01> in a POSIX shell, but unlike in a shell, interior whitespace is preserved and quotes after the
3631				first non-whitespace character are preserved. Leading and trailing whitespace (space, tab, carriage return) is
3632				discarded, but interior whitespace within the line is preserved verbatim. A line ending with a backslash will be
3633				continued to the following one, with the newline itself discarded. A backslash
3634				C<\\> followed by any character other than newline will preserve the following character, so that
3635				C<\\\\> will become the value C<\\>.
3636
3637				In the file, a C<\'>-quoted value after the C<=> can span multiple lines
3638				and contain any character verbatim other than single quote, like L<single-quoted
3639				text\|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_02> in a POSIX shell. No backslash-escape sequences are recognized. Leading and trailing whitespace
3640				outside of the single quotes is discarded.
3641
3642				In the file, a C<">-quoted value after the C<=> can span multiple lines,
3643				and the same escape sequences are recognized as in L<double-quoted
3644				text\|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_03> of a POSIX shell. Backslash (C<\\>) followed by any of C<"\\`$> will
3645				preserve that character. A backslash followed by newline is a line continuation, and the newline itself is
3646				discarded. A backslash followed by any other character is ignored; both the backslash and the following
3647				character are preserved verbatim. Leading and trailing whitespace outside of the double quotes is
3648				discarded.
3649
3650				The argument passed should be an absolute filename or wildcard expression, optionally prefixed with
3651				C<->, which indicates that if the file does not exist, it will not be read and no error or
3652				warning message is logged. This option may be specified more than once in which case all specified files are
3653				read. If the empty string is assigned to this option, the list of file to read is reset, all prior assignments
3654				have no effect.
3655
3656				The files listed with this directive will be read shortly before the process is executed (more
3657				specifically, after all processes from a previous unit state terminated. This means you can generate these
3658				files in one unit state, and read it with this option in the next. The files are read from the file
3659				system of the service manager, before any file system changes like bind mounts take place).
3660
3661				Settings from these files override settings made with C<Environment>. If the same
3662				variable is set twice from these files, the files will be read in the order they are specified and the later
3663				setting will override the earlier setting.',
3664				'type' => 'list'
3665				},
3666				'PassEnvironment',
3667				{
3668				'cargo' => {
3669				'type' => 'leaf',
3670				'value_type' => 'uniline'
3671				},
3672				'description' => 'Pass environment variables set for the system service manager to executed processes. Takes a
3673				space-separated list of variable names. This option may be specified more than once, in which case all listed
3674				variables will be passed. If the empty string is assigned to this option, the list of environment variables to
3675				pass is reset, all prior assignments have no effect. Variables specified that are not set for the system
3676				manager will not be passed and will be silently ignored. Note that this option is only relevant for the system
3677				service manager, as system services by default do not automatically inherit any environment variables set for
3678				the service manager itself. However, in case of the user service manager all environment variables are passed
3679				to the executed processes anyway, hence this option is without effect for the user service manager.
3680
3681				Variables set for invoked processes due to this setting are subject to being overridden by those
3682				configured with C<Environment> or C<EnvironmentFile>.
3683
3684				Example:
3685
3686				PassEnvironment=VAR1 VAR2 VAR3
3687
3688				passes three variables C<VAR1>,
3689				C<VAR2>, C<VAR3>
3690				with the values set for those variables in PID1.
3691
3692				See L<environ(7)> for details
3693				about environment variables.',
3694				'type' => 'list'
3695				},
3696				'UnsetEnvironment',
3697				{
3698				'cargo' => {
3699				'type' => 'leaf',
3700				'value_type' => 'uniline'
3701				},
3702				'description' => 'Explicitly unset environment variable assignments that would normally be passed from the
3703				service manager to invoked processes of this unit. Takes a space-separated list of variable names or variable
3704				assignments. This option may be specified more than once, in which case all listed variables/assignments will
3705				be unset. If the empty string is assigned to this option, the list of environment variables/assignments to
3706				unset is reset. If a variable assignment is specified (that is: a variable name, followed by
3707				C<=>, followed by its value), then any environment variable matching this precise assignment is
3708				removed. If a variable name is specified (that is a variable name without any following C<=> or
3709				value), then any assignment matching the variable name, regardless of its value is removed. Note that the
3710				effect of C<UnsetEnvironment> is applied as final step when the environment list passed to
3711				executed processes is compiled. That means it may undo assignments from any configuration source, including
3712				assignments made through C<Environment> or C<EnvironmentFile>, inherited from
3713				the system manager\'s global set of environment variables, inherited via C<PassEnvironment>,
3714				set by the service manager itself (such as C<$NOTIFY_SOCKET> and such), or set by a PAM module
3715				(in case C<PAMName> is used).
3716
3717				See "Environment Variables in Spawned Processes" below for a description of how those
3718				settings combine to form the inherited environment. See L<environ(7)> for general
3719				information about environment variables.',
3720				'type' => 'list'
3721				},
3722				'StandardInput',
3723				{
3724				'choice' => [
3725				'null',
3726				'tty',
3727				'tty-force',
3728				'tty-fail',
3729				'data',
3730				'socket'
3731				],
3732				'description' => "Controls where file descriptor 0 (STDIN) of the executed processes is connected to. Takes one
3733				of C<null>, C<tty>, C<tty-force>, C<tty-fail>,
3734				C<data>, C<file:path>, C<socket> or
3735				C<fd:name>.
3736
3737				If C<null> is selected, standard input will be connected to C</dev/null>,
3738				i.e. all read attempts by the process will result in immediate EOF.
3739
3740				If C<tty> is selected, standard input is connected to a TTY (as configured by
3741				C<TTYPath>, see below) and the executed process becomes the controlling process of the
3742				terminal. If the terminal is already being controlled by another process, the executed process waits until the
3743				current controlling process releases the terminal.
3744
3745				C<tty-force> is similar to C<tty>, but the executed process is forcefully and
3746				immediately made the controlling process of the terminal, potentially removing previous controlling processes
3747				from the terminal.
3748
3749				C<tty-fail> is similar to C<tty>, but if the terminal already has a
3750				controlling process start-up of the executed process fails.
3751
3752				The C<data> option may be used to configure arbitrary textual or binary data to pass via
3753				standard input to the executed process. The data to pass is configured via
3754				C<StandardInputText>/C<StandardInputData> (see below). Note that the actual
3755				file descriptor type passed (memory file, regular file, UNIX pipe, \x{2026}) might depend on the kernel and available
3756				privileges. In any case, the file descriptor is read-only, and when read returns the specified data followed by
3757				EOF.
3758
3759				The C<file:path> option may be used to connect a specific file
3760				system object to standard input. An absolute path following the C<:> character is expected,
3761				which may refer to a regular file, a FIFO or special file. If an C<AF_UNIX> socket in the
3762				file system is specified, a stream socket is connected to it. The latter is useful for connecting standard
3763				input of processes to arbitrary system services.
3764
3765				The C<socket> option is valid in socket-activated services only, and requires the relevant
3766				socket unit file (see
3767				L<systemd.socket(5)> for details)
3768				to have C<Accept=yes> set, or to specify a single socket only. If this option is set, standard
3769				input will be connected to the socket the service was activated from, which is primarily useful for
3770				compatibility with daemons designed for use with the traditional L<inetd(8)> socket activation
3771				daemon.
3772
3773				The C<fd:name> option connects standard input to a specific,
3774				named file descriptor provided by a socket unit. The name may be specified as part of this option, following a
3775				C<:> character (e.g. C<fd:foobar>). If no name is specified, the name
3776				C<stdin> is implied (i.e. C<fd> is equivalent to C<fd:stdin>).
3777				At least one socket unit defining the specified name must be provided via the C<Sockets>
3778				option, and the file descriptor name may differ from the name of its containing socket unit. If multiple
3779				matches are found, the first one will be used. See C<FileDescriptorName> in
3780				L<systemd.socket(5)> for more
3781				details about named file descriptors and their ordering.
3782
3783				This setting defaults to C<null>, unless
3784				C<StandardInputText>/C<StandardInputData> are set, in which case it
3785				defaults to C<data>.",
3786				'type' => 'leaf',
3787				'value_type' => 'enum'
3788				},
3789				'StandardOutput',
3790				{
3791				'choice' => [
3792				'inherit',
3793				'null',
3794				'tty',
3795				'journal',
3796				'kmsg',
3797				'journal+console',
3798				'kmsg+console',
3799				'socket'
3800				],
3801				'description' => "Controls where file descriptor 1 (stdout) of the executed processes is connected
3802				to. Takes one of C<inherit>, C<null>, C<tty>,
3803				C<journal>, C<kmsg>, C<journal+console>,
3804				C<kmsg+console>, C<file:path>,
3805				C<append:path>, C<truncate:path>,
3806				C<socket> or C<fd:name>.
3807
3808				C<inherit> duplicates the file descriptor of standard input for standard output.
3809
3810				C<null> connects standard output to C</dev/null>, i.e. everything written
3811				to it will be lost.
3812
3813				C<tty> connects standard output to a tty (as configured via C<TTYPath>,
3814				see below). If the TTY is used for output only, the executed process will not become the controlling process of
3815				the terminal, and will not fail or wait for other processes to release the terminal.
3816
3817				C<journal> connects standard output with the journal, which is accessible via
3818				L<journalctl(1)>. Note
3819				that everything that is written to kmsg (see below) is implicitly stored in the journal as well, the
3820				specific option listed below is hence a superset of this one. (Also note that any external,
3821				additional syslog daemons receive their log data from the journal, too, hence this is the option to
3822				use when logging shall be processed with such a daemon.)
3823
3824				C<kmsg> connects standard output with the kernel log buffer which is accessible via
3825				L<dmesg(1)>,
3826				in addition to the journal. The journal daemon might be configured to send all logs to kmsg anyway, in which
3827				case this option is no different from C<journal>.
3828
3829				C<journal+console> and C<kmsg+console> work in a similar way as the
3830				two options above but copy the output to the system console as well.
3831
3832				The C<file:path> option may be used to connect a specific file
3833				system object to standard output. The semantics are similar to the same option of
3834				C<StandardInput>, see above. If path refers to a regular file
3835				on the filesystem, it is opened (created if it doesn't exist yet) for writing at the beginning of the file,
3836				but without truncating it.
3837				If standard input and output are directed to the same file path, it is opened only once \x{2014} for reading as well
3838				as writing \x{2014} and duplicated. This is particularly useful when the specified path refers to an
3839				C<AF_UNIX> socket in the file system, as in that case only a
3840				single stream connection is created for both input and output.
3841
3842				C<append:path> is similar to
3843				C<file:path> above, but it opens the file in append mode.
3844
3845				C<truncate:path> is similar to
3846				C<file:path> above, but it truncates the file when opening
3847				it. For units with multiple command lines, e.g. C<Type=oneshot> services with
3848				multiple C<ExecStart>, or services with C<ExecCondition>,
3849				C<ExecStartPre> or C<ExecStartPost>, the output file is reopened
3850				and therefore re-truncated for each command line. If the output file is truncated while another
3851				process still has the file open, e.g. by an C<ExecReload> running concurrently with
3852				an C<ExecStart>, and the other process continues writing to the file without
3853				adjusting its offset, then the space between the file pointers of the two processes may be filled
3854				with C<NUL> bytes, producing a sparse file. Thus,
3855				C<truncate:path> is typically only useful for units where
3856				only one process runs at a time, such as services with a single C<ExecStart> and no
3857				C<ExecStartPost>, C<ExecReload>, C<ExecStop> or
3858				similar.
3859
3860				C<socket> connects standard output to a socket acquired via socket activation. The
3861				semantics are similar to the same option of C<StandardInput>, see above.
3862
3863				The C<fd:name> option connects standard output to a
3864				specific, named file descriptor provided by a socket unit. A name may be specified as part of this
3865				option, following a C<:> character
3866				(e.g. C<fd:foobar>). If no name is specified, the name
3867				C<stdout> is implied (i.e. C<fd> is equivalent to
3868				C<fd:stdout>). At least one socket unit defining the specified name must be provided
3869				via the C<Sockets> option, and the file descriptor name may differ from the name of
3870				its containing socket unit. If multiple matches are found, the first one will be used. See
3871				C<FileDescriptorName> in
3872				L<systemd.socket(5)>
3873				for more details about named descriptors and their ordering.
3874
3875				If the standard output (or error output, see below) of a unit is connected to the journal or
3876				the kernel log buffer, the unit will implicitly gain a dependency of type C<After>
3877				on C<systemd-journald.socket> (also see the \"Implicit Dependencies\" section
3878				above). Also note that in this case stdout (or stderr, see below) will be an
3879				C<AF_UNIX> stream socket, and not a pipe or FIFO that can be re-opened. This means
3880				when executing shell scripts the construct echo \"hello\" > /dev/stderr for
3881				writing text to stderr will not work. To mitigate this use the construct echo \"hello\"
3882				>&2 instead, which is mostly equivalent and avoids this pitfall.
3883
3884				This setting defaults to the value set with C<DefaultStandardOutput> in
3885				L<systemd-system.conf(5)>, which
3886				defaults to C<journal>. Note that setting this parameter might result in additional dependencies
3887				to be added to the unit (see above).",
3888				'type' => 'leaf',
3889				'value_type' => 'enum'
3890				},
3891				'StandardError',
3892				{
3893				'description' => 'Controls where file descriptor 2 (stderr) of the executed processes is connected to. The
3894				available options are identical to those of C<StandardOutput>, with some exceptions: if set to
3895				C<inherit> the file descriptor used for standard output is duplicated for standard error, while
3896				C<fd:name> will use a default file descriptor name of
3897				C<stderr>.
3898
3899				This setting defaults to the value set with C<DefaultStandardError> in
3900				L<systemd-system.conf(5)>, which
3901				defaults to C<inherit>. Note that setting this parameter might result in additional dependencies
3902				to be added to the unit (see above).',
3903				'type' => 'leaf',
3904				'value_type' => 'uniline'
3905				},
3906				'StandardInputText',
3907				{
3908				'description' => 'Configures arbitrary textual or binary data to pass via file descriptor 0 (STDIN) to
3909				the executed processes. These settings have no effect unless C<StandardInput> is set
3910				to C<data> (which is the default if C<StandardInput> is not set
3911				otherwise, but C<StandardInputText>/C<StandardInputData> is). Use
3912				this option to embed process input data directly in the unit file.
3913
3914				C<StandardInputText> accepts arbitrary textual data. C-style escapes for special
3915				characters as well as the usual C<%>-specifiers are resolved. Each time this setting is used
3916				the specified text is appended to the per-unit data buffer, followed by a newline character (thus every use
3917				appends a new line to the end of the buffer). Note that leading and trailing whitespace of lines configured
3918				with this option is removed. If an empty line is specified the buffer is cleared (hence, in order to insert an
3919				empty line, add an additional C<\\n> to the end or beginning of a line).
3920
3921				C<StandardInputData> accepts arbitrary binary data, encoded in L<Base64\|https://tools.ietf.org/html/rfc2045#section-6.8>. No escape sequences or specifiers are
3922				resolved. Any whitespace in the encoded version is ignored during decoding.
3923
3924				Note that C<StandardInputText> and C<StandardInputData> operate on the
3925				same data buffer, and may be mixed in order to configure both binary and textual data for the same input
3926				stream. The textual or binary data is joined strictly in the order the settings appear in the unit
3927				file. Assigning an empty string to either will reset the data buffer.
3928
3929				Please keep in mind that in order to maintain readability long unit file settings may be split into
3930				multiple lines, by suffixing each line (except for the last) with a C<\\> character (see
3931				L<systemd.unit(5)> for
3932				details). This is particularly useful for large data configured with these two options. Example:',
3933				'type' => 'leaf',
3934				'value_type' => 'uniline'
3935				},
3936				'StandardInputData',
3937				{
3938				'description' => 'Configures arbitrary textual or binary data to pass via file descriptor 0 (STDIN) to
3939				the executed processes. These settings have no effect unless C<StandardInput> is set
3940				to C<data> (which is the default if C<StandardInput> is not set
3941				otherwise, but C<StandardInputText>/C<StandardInputData> is). Use
3942				this option to embed process input data directly in the unit file.
3943
3944				C<StandardInputText> accepts arbitrary textual data. C-style escapes for special
3945				characters as well as the usual C<%>-specifiers are resolved. Each time this setting is used
3946				the specified text is appended to the per-unit data buffer, followed by a newline character (thus every use
3947				appends a new line to the end of the buffer). Note that leading and trailing whitespace of lines configured
3948				with this option is removed. If an empty line is specified the buffer is cleared (hence, in order to insert an
3949				empty line, add an additional C<\\n> to the end or beginning of a line).
3950
3951				C<StandardInputData> accepts arbitrary binary data, encoded in L<Base64\|https://tools.ietf.org/html/rfc2045#section-6.8>. No escape sequences or specifiers are
3952				resolved. Any whitespace in the encoded version is ignored during decoding.
3953
3954				Note that C<StandardInputText> and C<StandardInputData> operate on the
3955				same data buffer, and may be mixed in order to configure both binary and textual data for the same input
3956				stream. The textual or binary data is joined strictly in the order the settings appear in the unit
3957				file. Assigning an empty string to either will reset the data buffer.
3958
3959				Please keep in mind that in order to maintain readability long unit file settings may be split into
3960				multiple lines, by suffixing each line (except for the last) with a C<\\> character (see
3961				L<systemd.unit(5)> for
3962				details). This is particularly useful for large data configured with these two options. Example:',
3963				'type' => 'leaf',
3964				'value_type' => 'uniline'
3965				},
3966				'LogLevelMax',
3967				{
3968				'description' => 'Configures filtering by log level of log messages generated by this unit. Takes a
3969				syslog log level, one of C<emerg> (lowest log level, only highest priority
3970				messages), C<alert>, C<crit>, C<err>, C<warning>,
3971				C<notice>, C<info>, C<debug> (highest log level, also lowest priority
3972				messages). See L<syslog(3)> for
3973				details. By default no filtering is applied (i.e. the default maximum log level is C<debug>). Use
3974				this option to configure the logging system to drop log messages of a specific service above the specified
3975				level. For example, set C<LogLevelMax>C<info> in order to turn off debug logging
3976				of a particularly chatty unit. Note that the configured level is applied to any log messages written by any
3977				of the processes belonging to this unit, as well as any log messages written by the system manager process
3978				(PID 1) in reference to this unit, sent via any supported logging protocol. The filtering is applied
3979				early in the logging pipeline, before any kind of further processing is done. Moreover, messages which pass
3980				through this filter successfully might still be dropped by filters applied at a later stage in the logging
3981				subsystem. For example, C<MaxLevelStore> configured in
3982				L<journald.conf(5)> might
3983				prohibit messages of higher log levels to be stored on disk, even though the per-unit
3984				C<LogLevelMax> permitted it to be processed.',
3985				'type' => 'leaf',
3986				'value_type' => 'uniline'
3987				},
3988				'LogExtraFields',
3989				{
3990				'description' => 'Configures additional log metadata fields to include in all log records generated by
3991				processes associated with this unit. This setting takes one or more journal field assignments in the
3992				format C<FIELD=VALUE> separated by whitespace. See
3993				L<systemd.journal-fields(7)>
3994				for details on the journal field concept. Even though the underlying journal implementation permits
3995				binary field values, this setting accepts only valid UTF-8 values. To include space characters in a
3996				journal field value, enclose the assignment in double quotes (").
3997				The usual specifiers are expanded in all assignments (see below). Note that this setting is not only
3998				useful for attaching additional metadata to log records of a unit, but given that all fields and
3999				values are indexed may also be used to implement cross-unit log record matching. Assign an empty
4000				string to reset the list.',
4001				'type' => 'leaf',
4002				'value_type' => 'uniline'
4003				},
4004				'LogRateLimitIntervalSec',
4005				{
4006				'description' => 'Configures the rate limiting that is applied to messages generated by this unit. If, in the
4007				time interval defined by C<LogRateLimitIntervalSec>, more messages than specified in
4008				C<LogRateLimitBurst> are logged by a service, all further messages within the interval are
4009				dropped until the interval is over. A message about the number of dropped messages is generated. The time
4010				specification for C<LogRateLimitIntervalSec> may be specified in the following units: "s",
4011				"min", "h", "ms", "us" (see
4012				L<systemd.time(7)> for details).
4013				The default settings are set by C<RateLimitIntervalSec> and C<RateLimitBurst>
4014				configured in L<journald.conf(5)>.
4015				',
4016				'type' => 'leaf',
4017				'value_type' => 'uniline'
4018				},
4019				'LogRateLimitBurst',
4020				{
4021				'description' => 'Configures the rate limiting that is applied to messages generated by this unit. If, in the
4022				time interval defined by C<LogRateLimitIntervalSec>, more messages than specified in
4023				C<LogRateLimitBurst> are logged by a service, all further messages within the interval are
4024				dropped until the interval is over. A message about the number of dropped messages is generated. The time
4025				specification for C<LogRateLimitIntervalSec> may be specified in the following units: "s",
4026				"min", "h", "ms", "us" (see
4027				L<systemd.time(7)> for details).
4028				The default settings are set by C<RateLimitIntervalSec> and C<RateLimitBurst>
4029				configured in L<journald.conf(5)>.
4030				',
4031				'type' => 'leaf',
4032				'value_type' => 'uniline'
4033				},
4034				'LogNamespace',
4035				{
4036				'description' => 'Run the unit\'s processes in the specified journal namespace. Expects a short
4037				user-defined string identifying the namespace. If not used the processes of the service are run in
4038				the default journal namespace, i.e. their log stream is collected and processed by
4039				C<systemd-journald.service>. If this option is used any log data generated by
4040				processes of this unit (regardless if via the syslog(), journal native logging
4041				or stdout/stderr logging) is collected and processed by an instance of the
4042				C<systemd-journald@.service> template unit, which manages the specified
4043				namespace. The log data is stored in a data store independent from the default log namespace\'s data
4044				store. See
4045				L<systemd-journald.service(8)>
4046				for details about journal namespaces.
4047
4048				Internally, journal namespaces are implemented through Linux mount namespacing and
4049				over-mounting the directory that contains the relevant C<AF_UNIX> sockets used for
4050				logging in the unit\'s mount namespace. Since mount namespaces are used this setting disconnects
4051				propagation of mounts from the unit\'s processes to the host, similar to how
4052				C<ReadOnlyPaths> and similar settings (see above) work. Journal namespaces may hence
4053				not be used for services that need to establish mount points on the host.
4054
4055				When this option is used the unit will automatically gain ordering and requirement dependencies
4056				on the two socket units associated with the C<systemd-journald@.service> instance
4057				so that they are automatically established prior to the unit starting up. Note that when this option
4058				is used log output of this service does not appear in the regular
4059				L<journalctl(1)>
4060				output, unless the C<--namespace=> option is used.',
4061				'type' => 'leaf',
4062				'value_type' => 'uniline'
4063				},
4064				'SyslogIdentifier',
4065				{
4066				'description' => 'Sets the process name ("syslog tag") to prefix log lines sent to
4067				the logging system or the kernel log buffer with. If not set, defaults to the process name of the
4068				executed process. This option is only useful when C<StandardOutput> or
4069				C<StandardError> are set to C<journal> or C<kmsg> (or to
4070				the same settings in combination with C<+console>) and only applies to log messages
4071				written to stdout or stderr.',
4072				'type' => 'leaf',
4073				'value_type' => 'uniline'
4074				},
4075				'SyslogFacility',
4076				{
4077				'description' => 'Sets the syslog facility identifier to use when logging. One of
4078				C<kern>, C<user>, C<mail>, C<daemon>,
4079				C<auth>, C<syslog>, C<lpr>, C<news>,
4080				C<uucp>, C<cron>, C<authpriv>, C<ftp>,
4081				C<local0>, C<local1>, C<local2>, C<local3>,
4082				C<local4>, C<local5>, C<local6> or
4083				C<local7>. See L<syslog(3)> for
4084				details. This option is only useful when C<StandardOutput> or
4085				C<StandardError> are set to C<journal> or C<kmsg> (or to
4086				the same settings in combination with C<+console>), and only applies to log messages
4087				written to stdout or stderr. Defaults to C<daemon>.',
4088				'type' => 'leaf',
4089				'value_type' => 'uniline'
4090				},
4091				'SyslogLevel',
4092				{
4093				'description' => 'The default syslog log level to use when logging to the logging system or
4094				the kernel log buffer. One of C<emerg>, C<alert>, C<crit>,
4095				C<err>, C<warning>, C<notice>, C<info>,
4096				C<debug>. See L<syslog(3)> for
4097				details. This option is only useful when C<StandardOutput> or
4098				C<StandardError> are set to C<journal> or
4099				C<kmsg> (or to the same settings in combination with C<+console>), and only applies
4100				to log messages written to stdout or stderr. Note that individual lines output by executed processes may be
4101				prefixed with a different log level which can be used to override the default log level specified here. The
4102				interpretation of these prefixes may be disabled with C<SyslogLevelPrefix>, see below. For
4103				details, see L<sd-daemon(3)>.
4104				Defaults to C<info>.',
4105				'type' => 'leaf',
4106				'value_type' => 'uniline'
4107				},
4108				'SyslogLevelPrefix',
4109				{
4110				'description' => 'Takes a boolean argument. If true and C<StandardOutput> or
4111				C<StandardError> are set to C<journal> or C<kmsg> (or to
4112				the same settings in combination with C<+console>), log lines written by the executed
4113				process that are prefixed with a log level will be processed with this log level set but the prefix
4114				removed. If set to false, the interpretation of these prefixes is disabled and the logged lines are
4115				passed on as-is. This only applies to log messages written to stdout or stderr. For details about
4116				this prefixing see
4117				L<sd-daemon(3)>.
4118				Defaults to true.',
4119				'type' => 'leaf',
4120				'value_type' => 'boolean',
4121				'write_as' => [
4122				'no',
4123				'yes'
4124				]
4125				},
4126				'TTYPath',
4127				{
4128				'description' => 'Sets the terminal device node to use if standard input, output, or error are connected to a TTY
4129				(see above). Defaults to C</dev/console>.',
4130				'type' => 'leaf',
4131				'value_type' => 'uniline'
4132				},
4133				'TTYReset',
4134				{
4135				'description' => 'Reset the terminal device specified with C<TTYPath> before and after
4136				execution. Defaults to C<no>.',
4137				'type' => 'leaf',
4138				'value_type' => 'uniline'
4139				},
4140				'TTYVHangup',
4141				{
4142				'description' => 'Disconnect all clients which have opened the terminal device specified with
4143				C<TTYPath> before and after execution. Defaults to C<no>.',
4144				'type' => 'leaf',
4145				'value_type' => 'uniline'
4146				},
4147				'TTYRows',
4148				{
4149				'description' => 'Configure the size of the TTY specified with C<TTYPath>. If unset or
4150				set to the empty string, the kernel default is used.',
4151				'type' => 'leaf',
4152				'value_type' => 'uniline'
4153				},
4154				'TTYColumns',
4155				{
4156				'description' => 'Configure the size of the TTY specified with C<TTYPath>. If unset or
4157				set to the empty string, the kernel default is used.',
4158				'type' => 'leaf',
4159				'value_type' => 'uniline'
4160				},
4161				'TTYVTDisallocate',
4162				{
4163				'description' => 'If the terminal device specified with C<TTYPath> is a virtual console
4164				terminal, try to deallocate the TTY before and after execution. This ensures that the screen and scrollback
4165				buffer is cleared. Defaults to C<no>.',
4166				'type' => 'leaf',
4167				'value_type' => 'uniline'
4168				},
4169				'LoadCredential',
4170				{
4171				'description' => "Pass a credential to the unit. Credentials are limited-size binary or textual objects
4172				that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
4173				public and private) or certificates, user account information or identity information from host to
4174				services. The data is accessible from the unit's processes via the file system, at a read-only
4175				location that (if possible and permitted) is backed by non-swappable memory. The data is only
4176				accessible to the user associated with the unit, via the
4177				C<User>/C<DynamicUser> settings (as well as the superuser). When
4178				available, the location of credentials is exported as the C<\$CREDENTIALS_DIRECTORY>
4179				environment variable to the unit's processes.
4180
4181				The C<LoadCredential> setting takes a textual ID to use as name for a
4182				credential plus a file system path, separated by a colon. The ID must be a short ASCII string
4183				suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
4184				is absolute it is opened as regular file and the credential data is read from it. If the absolute
4185				path refers to an C<AF_UNIX> stream socket in the file system a connection is made
4186				to it (only once at unit start-up) and the credential data read from the connection, providing an
4187				easy IPC integration point for dynamically transferring credentials from other services.
4188
4189				If the specified path is not absolute and itself qualifies as valid credential identifier it is
4190				attempted to find a credential that the service manager itself received under the specified name \x{2014}
4191				which may be used to propagate credentials from an invoking environment (e.g. a container manager
4192				that invoked the service manager) into a service. If no matching system credential is found, the
4193				directories C</etc/credstore/>, C</run/credstore/> and
4194				C</usr/lib/credstore/> are searched for files under the credential's name \x{2014} which
4195				hence are recommended locations for credential data on disk. If
4196				C<LoadCredentialEncrypted> is used C</run/credstore.encrypted/>,
4197				C</etc/credstore.encrypted/>, and
4198				C</usr/lib/credstore.encrypted/> are searched as well.
4199
4200				If the file system path is omitted it is chosen identical to the credential name, i.e. this is
4201				a terse way to declare credentials to inherit from the service manager into a service. This option
4202				may be used multiple times, each time defining an additional credential to pass to the unit.
4203
4204				If an absolute path referring to a directory is specified, every file in that directory
4205				(recursively) will be loaded as a separate credential. The ID for each credential will be the
4206				provided ID suffixed with C<_\$FILENAME> (e.g., C<Key_file1>). When
4207				loading from a directory, symlinks will be ignored.
4208
4209				The contents of the file/socket may be arbitrary binary or textual data, including newline
4210				characters and C<NUL> bytes.
4211
4212				The C<LoadCredentialEncrypted> setting is identical to
4213				C<LoadCredential>, except that the credential data is decrypted and authenticated
4214				before being passed on to the executed processes. Specifically, the referenced path should refer to a
4215				file or socket with an encrypted credential, as implemented by
4216				L<systemd-creds(1)>. This
4217				credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
4218				in the same way a regular credential specified via C<LoadCredential> would be. A
4219				credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
4220				from the system's TPM2 security chip, or with a secret key stored in
4221				C</var/lib/systemd/credentials.secret>, or with both. Using encrypted and
4222				authenticated credentials improves security as credentials are not stored in plaintext and only
4223				authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
4224				credentials may be bound to the local hardware and installations, so that they cannot easily be
4225				analyzed offline, or be generated externally.
4226
4227				The credential files/IPC sockets must be accessible to the service manager, but don't have to
4228				be directly accessible to the unit's processes: the credential data is read and copied into separate,
4229				read-only copies for the unit that are accessible to appropriately privileged processes. This is
4230				particularly useful in combination with C<DynamicUser> as this way privileged data
4231				can be made available to processes running under a dynamic UID (i.e. not a previously known one)
4232				without having to open up access to all users.
4233
4234				In order to reference the path a credential may be read from within a
4235				C<ExecStart> command line use C<\${CREDENTIALS_DIRECTORY}/mycred>,
4236				e.g. C<ExecStart=cat \${CREDENTIALS_DIRECTORY}/mycred>. In order to reference the path
4237				a credential may be read from within a C<Environment> line use
4238				C<%d/mycred>, e.g. C<Environment=MYCREDPATH=%d/mycred>.
4239
4240				Currently, an accumulated credential size limit of 1 MB per unit is enforced.
4241
4242				The service manager itself may receive system credentials that can be propagated to services
4243				from a hosting container manager or VM hypervisor. See the L<Container Interface\|https://systemd.io/CONTAINER_INTERFACE> documentation for details
4244				about the former. For the latter, use the qemu C<fw_cfg> node
4245				C<opt/io.systemd.credentials/>. Example qemu switch: C<-fw_cfg
4246				name=opt/io.systemd.credentials/mycred,string=supersecret>. They may also be specified on
4247				the kernel command line using the C<systemd.set_credential=> switch (see
4248				L<systemd(1)>)
4249				and from the UEFI firmware environment via
4250				L<systemd-stub(7)>.
4251
4252				If referencing an C<AF_UNIX> stream socket to connect to, the connection will
4253				originate from an abstract namespace socket, that includes information about the unit and the
4254				credential ID in its socket name. Use L<getpeername(2)>
4255				to query this information. The returned socket name is formatted as C<NUL>RANDOM C</unit/> UNITC</> ID, i.e. a C<NUL> byte (as required
4256				for abstract namespace socket names), followed by a random string (consisting of alphadecimal
4257				characters), followed by the literal string C</unit/>, followed by the requesting
4258				unit name, followed by the literal character C</>, followed by the textual credential
4259				ID requested. Example: C<\\0adf9d86b6eda275e/unit/foobar.service/credx> in case the
4260				credential C<credx> is requested for a unit C<foobar.service>. This
4261				functionality is useful for using a single listening socket to serve credentials to multiple
4262				consumers.
4263
4264				For further information see L<System and Service
4265				Credentials\|https://systemd.io/CREDENTIALS> documentation.",
4266				'type' => 'leaf',
4267				'value_type' => 'uniline'
4268				},
4269				'LoadCredentialEncrypted',
4270				{
4271				'description' => "Pass a credential to the unit. Credentials are limited-size binary or textual objects
4272				that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
4273				public and private) or certificates, user account information or identity information from host to
4274				services. The data is accessible from the unit's processes via the file system, at a read-only
4275				location that (if possible and permitted) is backed by non-swappable memory. The data is only
4276				accessible to the user associated with the unit, via the
4277				C<User>/C<DynamicUser> settings (as well as the superuser). When
4278				available, the location of credentials is exported as the C<\$CREDENTIALS_DIRECTORY>
4279				environment variable to the unit's processes.
4280
4281				The C<LoadCredential> setting takes a textual ID to use as name for a
4282				credential plus a file system path, separated by a colon. The ID must be a short ASCII string
4283				suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
4284				is absolute it is opened as regular file and the credential data is read from it. If the absolute
4285				path refers to an C<AF_UNIX> stream socket in the file system a connection is made
4286				to it (only once at unit start-up) and the credential data read from the connection, providing an
4287				easy IPC integration point for dynamically transferring credentials from other services.
4288
4289				If the specified path is not absolute and itself qualifies as valid credential identifier it is
4290				attempted to find a credential that the service manager itself received under the specified name \x{2014}
4291				which may be used to propagate credentials from an invoking environment (e.g. a container manager
4292				that invoked the service manager) into a service. If no matching system credential is found, the
4293				directories C</etc/credstore/>, C</run/credstore/> and
4294				C</usr/lib/credstore/> are searched for files under the credential's name \x{2014} which
4295				hence are recommended locations for credential data on disk. If
4296				C<LoadCredentialEncrypted> is used C</run/credstore.encrypted/>,
4297				C</etc/credstore.encrypted/>, and
4298				C</usr/lib/credstore.encrypted/> are searched as well.
4299
4300				If the file system path is omitted it is chosen identical to the credential name, i.e. this is
4301				a terse way to declare credentials to inherit from the service manager into a service. This option
4302				may be used multiple times, each time defining an additional credential to pass to the unit.
4303
4304				If an absolute path referring to a directory is specified, every file in that directory
4305				(recursively) will be loaded as a separate credential. The ID for each credential will be the
4306				provided ID suffixed with C<_\$FILENAME> (e.g., C<Key_file1>). When
4307				loading from a directory, symlinks will be ignored.
4308
4309				The contents of the file/socket may be arbitrary binary or textual data, including newline
4310				characters and C<NUL> bytes.
4311
4312				The C<LoadCredentialEncrypted> setting is identical to
4313				C<LoadCredential>, except that the credential data is decrypted and authenticated
4314				before being passed on to the executed processes. Specifically, the referenced path should refer to a
4315				file or socket with an encrypted credential, as implemented by
4316				L<systemd-creds(1)>. This
4317				credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
4318				in the same way a regular credential specified via C<LoadCredential> would be. A
4319				credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
4320				from the system's TPM2 security chip, or with a secret key stored in
4321				C</var/lib/systemd/credentials.secret>, or with both. Using encrypted and
4322				authenticated credentials improves security as credentials are not stored in plaintext and only
4323				authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
4324				credentials may be bound to the local hardware and installations, so that they cannot easily be
4325				analyzed offline, or be generated externally.
4326
4327				The credential files/IPC sockets must be accessible to the service manager, but don't have to
4328				be directly accessible to the unit's processes: the credential data is read and copied into separate,
4329				read-only copies for the unit that are accessible to appropriately privileged processes. This is
4330				particularly useful in combination with C<DynamicUser> as this way privileged data
4331				can be made available to processes running under a dynamic UID (i.e. not a previously known one)
4332				without having to open up access to all users.
4333
4334				In order to reference the path a credential may be read from within a
4335				C<ExecStart> command line use C<\${CREDENTIALS_DIRECTORY}/mycred>,
4336				e.g. C<ExecStart=cat \${CREDENTIALS_DIRECTORY}/mycred>. In order to reference the path
4337				a credential may be read from within a C<Environment> line use
4338				C<%d/mycred>, e.g. C<Environment=MYCREDPATH=%d/mycred>.
4339
4340				Currently, an accumulated credential size limit of 1 MB per unit is enforced.
4341
4342				The service manager itself may receive system credentials that can be propagated to services
4343				from a hosting container manager or VM hypervisor. See the L<Container Interface\|https://systemd.io/CONTAINER_INTERFACE> documentation for details
4344				about the former. For the latter, use the qemu C<fw_cfg> node
4345				C<opt/io.systemd.credentials/>. Example qemu switch: C<-fw_cfg
4346				name=opt/io.systemd.credentials/mycred,string=supersecret>. They may also be specified on
4347				the kernel command line using the C<systemd.set_credential=> switch (see
4348				L<systemd(1)>)
4349				and from the UEFI firmware environment via
4350				L<systemd-stub(7)>.
4351
4352				If referencing an C<AF_UNIX> stream socket to connect to, the connection will
4353				originate from an abstract namespace socket, that includes information about the unit and the
4354				credential ID in its socket name. Use L<getpeername(2)>
4355				to query this information. The returned socket name is formatted as C<NUL>RANDOM C</unit/> UNITC</> ID, i.e. a C<NUL> byte (as required
4356				for abstract namespace socket names), followed by a random string (consisting of alphadecimal
4357				characters), followed by the literal string C</unit/>, followed by the requesting
4358				unit name, followed by the literal character C</>, followed by the textual credential
4359				ID requested. Example: C<\\0adf9d86b6eda275e/unit/foobar.service/credx> in case the
4360				credential C<credx> is requested for a unit C<foobar.service>. This
4361				functionality is useful for using a single listening socket to serve credentials to multiple
4362				consumers.
4363
4364				For further information see L<System and Service
4365				Credentials\|https://systemd.io/CREDENTIALS> documentation.",
4366				'type' => 'leaf',
4367				'value_type' => 'uniline'
4368				},
4369				'SetCredential',
4370				{
4371				'description' => 'The C<SetCredential> setting is similar to
4372				C<LoadCredential> but accepts a literal value to use as data for the credential,
4373				instead of a file system path to read the data from. Do not use this option for data that is supposed
4374				to be secret, as it is accessible to unprivileged processes via IPC. It\'s only safe to use this for
4375				user IDs, public key material and similar non-sensitive data. For everything else use
4376				C<LoadCredential>. In order to embed binary data into the credential data use
4377				C-style escaping (i.e. C<\\n> to embed a newline, or C<\\x00> to embed
4378				a C<NUL> byte).
4379
4380				The C<SetCredentialEncrypted> setting is identical to
4381				C<SetCredential> but expects an encrypted credential in literal form as value. This
4382				allows embedding confidential credentials securely directly in unit files. Use
4383				L<systemd-creds(1)>\'
4384				C<-p> switch to generate suitable C<SetCredentialEncrypted> lines
4385				directly from plaintext credentials. For further details see
4386				C<LoadCredentialEncrypted> above.
4387
4388				If a credential of the same ID is listed in both C<LoadCredential> and
4389				C<SetCredential>, the latter will act as default if the former cannot be
4390				retrieved. In this case not being able to retrieve the credential from the path specified in
4391				C<LoadCredential> is not considered fatal.',
4392				'type' => 'leaf',
4393				'value_type' => 'uniline'
4394				},
4395				'SetCredentialEncrypted',
4396				{
4397				'description' => 'The C<SetCredential> setting is similar to
4398				C<LoadCredential> but accepts a literal value to use as data for the credential,
4399				instead of a file system path to read the data from. Do not use this option for data that is supposed
4400				to be secret, as it is accessible to unprivileged processes via IPC. It\'s only safe to use this for
4401				user IDs, public key material and similar non-sensitive data. For everything else use
4402				C<LoadCredential>. In order to embed binary data into the credential data use
4403				C-style escaping (i.e. C<\\n> to embed a newline, or C<\\x00> to embed
4404				a C<NUL> byte).
4405
4406				The C<SetCredentialEncrypted> setting is identical to
4407				C<SetCredential> but expects an encrypted credential in literal form as value. This
4408				allows embedding confidential credentials securely directly in unit files. Use
4409				L<systemd-creds(1)>\'
4410				C<-p> switch to generate suitable C<SetCredentialEncrypted> lines
4411				directly from plaintext credentials. For further details see
4412				C<LoadCredentialEncrypted> above.
4413
4414				If a credential of the same ID is listed in both C<LoadCredential> and
4415				C<SetCredential>, the latter will act as default if the former cannot be
4416				retrieved. In this case not being able to retrieve the credential from the path specified in
4417				C<LoadCredential> is not considered fatal.',
4418				'type' => 'leaf',
4419				'value_type' => 'uniline'
4420				},
4421				'UtmpIdentifier',
4422				{
4423				'description' => 'Takes a four character identifier string for an L<utmp(5)> and wtmp entry
4424				for this service. This should only be set for services such as getty implementations (such
4425				as L<agetty(8)>) where utmp/wtmp
4426				entries must be created and cleared before and after execution, or for services that shall be executed as if
4427				they were run by a getty process (see below). If the configured string is longer than four
4428				characters, it is truncated and the terminal four characters are used. This setting interprets %I style string
4429				replacements. This setting is unset by default, i.e. no utmp/wtmp entries are created or cleaned up for this
4430				service.',
4431				'type' => 'leaf',
4432				'value_type' => 'uniline'
4433				},
4434				'UtmpMode',
4435				{
4436				'choice' => [
4437				'init',
4438				'login',
4439				'user'
4440				],
4441				'description' => 'Takes one of C<init>, C<login> or C<user>. If
4442				C<UtmpIdentifier> is set, controls which type of L<utmp(5)>/wtmp entries
4443				for this service are generated. This setting has no effect unless C<UtmpIdentifier> is set
4444				too. If C<init> is set, only an C<INIT_PROCESS> entry is generated and the
4445				invoked process must implement a getty-compatible utmp/wtmp logic. If
4446				C<login> is set, first an C<INIT_PROCESS> entry, followed by a
4447				C<LOGIN_PROCESS> entry is generated. In this case, the invoked process must implement a
4448				L<login(1)>-compatible
4449				utmp/wtmp logic. If C<user> is set, first an C<INIT_PROCESS> entry, then a
4450				C<LOGIN_PROCESS> entry and finally a C<USER_PROCESS> entry is
4451				generated. In this case, the invoked process may be any process that is suitable to be run as session
4452				leader. Defaults to C<init>.',
4453				'type' => 'leaf',
4454				'value_type' => 'enum'
4455				}
4456				],
4457				'generated_by' => 'parse-man.pl from systemd 250 doc',
4458				'license' => 'LGPLv2.1+',
4459				'name' => 'Systemd::Common::Exec'
4460				}
4461				]
4462				;
4463