File Coverage

blib/lib/Config/Model/models/Systemd/Common/Exec.pl
Criterion Covered Total %
statement 18 18 100.0
branch n/a
condition n/a
subroutine 6 6 100.0
pod n/a
total 24 24 100.0


line stmt bran cond sub pod time code
1             #
2             # This file is part of Config-Model-Systemd
3             #
4             # This software is Copyright (c) 2008-2022 by Dominique Dumont.
5             #
6             # This is free software, licensed under:
7             #
8             # The GNU Lesser General Public License, Version 2.1, February 1999
9             #
10 4     4   20741 use strict;
  4     1   12  
  4     1   117  
  1         3728  
  1         19  
  1         88  
  1         3638  
  1         3  
  1         23  
11 4     4   22 use warnings;
  4     1   10  
  4     1   19602  
  1         10  
  1         3  
  1         5221  
  1         6  
  1         2  
  1         4957  
12              
13             return [
14             {
15             'accept' => [
16             '.*',
17             {
18             'type' => 'leaf',
19             'value_type' => 'uniline',
20             'warn' => 'Unexpected systemd parameter. Please contact cme author to update systemd model.'
21             }
22             ],
23             'class_description' => 'Unit configuration files for services, sockets, mount points, and swap devices share a subset of
24             configuration options which define the execution environment of spawned processes.
25              
26             This man page lists the configuration options shared by these four unit types. See
27             L<systemd.unit(5)> for the common
28             options of all unit configuration files, and
29             L<systemd.service(5)>,
30             L<systemd.socket(5)>,
31             L<systemd.swap(5)>, and
32             L<systemd.mount(5)> for more
33             information on the specific unit configuration files. The execution specific configuration options are configured
34             in the [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type.
35              
36             In addition, options which control resources through Linux Control Groups (cgroups) are listed in
37             L<systemd.resource-control(5)>.
38             Those options complement options listed here.
39              
40             The following service exit codes are defined by the L<LSB specification|https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html>.
41              
42              
43              
44             The LSB specification suggests that error codes 200 and above are reserved for implementations. Some of them are
45             used by the service manager to indicate problems during process invocation:
46              
47              
48             Finally, the BSD operating systems define a set of exit codes, typically defined on Linux systems too:
49             This configuration class was generated from systemd documentation.
50             by L<parse-man.pl|https://github.com/dod38fr/config-model-systemd/contrib/parse-man.pl>
51             ',
52             'copyright' => [
53             '2010-2016 Lennart Poettering and others',
54             '2016 Dominique Dumont'
55             ],
56             'element' => [
57             'ExecSearchPath',
58             {
59             'cargo' => {
60             'type' => 'leaf',
61             'value_type' => 'uniline'
62             },
63             'description' => 'Takes a colon separated list of absolute paths relative to which the executable
64             used by the C<Exec*=> (e.g. C<ExecStart>,
65             C<ExecStop>, etc.) properties can be found. C<ExecSearchPath>
66             overrides C<$PATH> if C<$PATH> is not supplied by the user through
67             C<Environment>, C<EnvironmentFile> or
68             C<PassEnvironment>. Assigning an empty string removes previous assignments
69             and setting C<ExecSearchPath> to a value multiple times will append
70             to the previous setting.
71             ',
72             'type' => 'list'
73             },
74             'WorkingDirectory',
75             {
76             'description' => 'Takes a directory path relative to the service\'s root directory specified by
77             C<RootDirectory>, or the special value C<~>. Sets the working directory for
78             executed processes. If set to C<~>, the home directory of the user specified in
79             C<User> is used. If not set, defaults to the root directory when systemd is running as a
80             system instance and the respective user\'s home directory if run as user. If the setting is prefixed with the
81             C<-> character, a missing working directory is not considered fatal. If
82             C<RootDirectory>/C<RootImage> is not set, then
83             C<WorkingDirectory> is relative to the root of the system running the service manager. Note
84             that setting this parameter might result in additional dependencies to be added to the unit (see
85             above).',
86             'type' => 'leaf',
87             'value_type' => 'uniline'
88             },
89             'RootDirectory',
90             {
91             'description' => 'Takes a directory path relative to the host\'s root directory (i.e. the root of the system
92             running the service manager). Sets the root directory for executed processes, with the L<chroot(2)> system
93             call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in
94             the chroot() jail. Note that setting this parameter might result in additional
95             dependencies to be added to the unit (see above).
96              
97             The C<MountAPIVFS> and C<PrivateUsers> settings are particularly useful
98             in conjunction with C<RootDirectory>. For details, see below.
99              
100             If C<RootDirectory>/C<RootImage> are used together with
101             C<NotifyAccess> the notification socket is automatically mounted from the host into
102             the root environment, to ensure the notification interface can work correctly.
103              
104             Note that services using C<RootDirectory>/C<RootImage> will
105             not be able to log via the syslog or journal protocols to the host logging infrastructure, unless the
106             relevant sockets are mounted from the host, specifically:',
107             'type' => 'leaf',
108             'value_type' => 'uniline'
109             },
110             'RootImage',
111             {
112             'description' => 'Takes a path to a block device node or regular file as argument. This call is similar
113             to C<RootDirectory> however mounts a file system hierarchy from a block device node
114             or loopback file instead of a directory. The device node or file system image file needs to contain a
115             file system without a partition table, or a file system within an MBR/MS-DOS or GPT partition table
116             with only a single Linux-compatible partition, or a set of file systems within a GPT partition table
117             that follows the L<Discoverable Partitions
118             Specification|https://systemd.io/DISCOVERABLE_PARTITIONS>.
119              
120             When C<DevicePolicy> is set to C<closed> or
121             C<strict>, or set to C<auto> and C<DeviceAllow> is
122             set, then this setting adds C</dev/loop-control> with C<rw> mode,
123             C<block-loop> and C<block-blkext> with C<rwm> mode
124             to C<DeviceAllow>. See
125             L<systemd.resource-control(5)>
126             for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
127             C<PrivateDevices> below, as it may change the setting of
128             C<DevicePolicy>.
129              
130             Units making use of C<RootImage> automatically gain an
131             C<After> dependency on C<systemd-udevd.service>.',
132             'type' => 'leaf',
133             'value_type' => 'uniline'
134             },
135             'RootImageOptions',
136             {
137             'description' => 'Takes a comma-separated list of mount options that will be used on disk images specified by
138             C<RootImage>. Optionally a partition name can be prefixed, followed by colon, in
139             case the image has multiple partitions, otherwise partition name C<root> is implied.
140             Options for multiple partitions can be specified in a single line with space separators. Assigning an empty
141             string removes previous assignments. Duplicated options are ignored. For a list of valid mount options, please
142             refer to
143             L<mount(8)>.
144              
145             Valid partition names follow the L<Discoverable Partitions Specification|https://systemd.io/DISCOVERABLE_PARTITIONS>:
146             C<root>, C<usr>, C<home>, C<srv>,
147             C<esp>, C<xbootldr>, C<tmp>,
148             C<var>.',
149             'type' => 'leaf',
150             'value_type' => 'uniline'
151             },
152             'RootHash',
153             {
154             'description' => 'Takes a data integrity (dm-verity) root hash specified in hexadecimal, or the path to a file
155             containing a root hash in ASCII hexadecimal format. This option enables data integrity checks using dm-verity,
156             if the used image contains the appropriate integrity data (see above) or if C<RootVerity> is used.
157             The specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64
158             formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but
159             the image file carries the C<user.verity.roothash> extended file attribute (see L<xattr(7)>), then the root
160             hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or
161             is not supported by the underlying file system), but a file with the C<.roothash> suffix is
162             found next to the image file, bearing otherwise the same name (except if the image has the
163             C<.raw> suffix, in which case the root hash file must not have it in its name), the root hash
164             is read from it and automatically used, also as formatted hexadecimal characters.
165              
166             If the disk image contains a separate C</usr/> partition it may also be
167             Verity protected, in which case the root hash may configured via an extended attribute
168             C<user.verity.usrhash> or a C<.usrhash> file adjacent to the disk
169             image. There\'s currently no option to configure the root hash for the C</usr/> file
170             system via the unit file directly.',
171             'type' => 'leaf',
172             'value_type' => 'uniline'
173             },
174             'RootHashSignature',
175             {
176             'description' => 'Takes a PKCS7 signature of the C<RootHash> option as a path to a
177             DER-encoded signature file, or as an ASCII base64 string encoding of a DER-encoded signature prefixed
178             by C<base64:>. The dm-verity volume will only be opened if the signature of the root
179             hash is valid and signed by a public key present in the kernel keyring. If this option is not
180             specified, but a file with the C<.roothash.p7s> suffix is found next to the image
181             file, bearing otherwise the same name (except if the image has the C<.raw> suffix,
182             in which case the signature file must not have it in its name), the signature is read from it and
183             automatically used.
184              
185             If the disk image contains a separate C</usr/> partition it may also be
186             Verity protected, in which case the signature for the root hash may configured via a
187             C<.usrhash.p7s> file adjacent to the disk image. There\'s currently no option to
188             configure the root hash signature for the C</usr/> via the unit file
189             directly.',
190             'type' => 'leaf',
191             'value_type' => 'uniline'
192             },
193             'RootVerity',
194             {
195             'description' => 'Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks
196             using dm-verity, if C<RootImage> is used and a root-hash is passed and if the used image itself
197             does not contains the integrity data. The integrity data must be matched by the root hash. If this option is not
198             specified, but a file with the C<.verity> suffix is found next to the image file, bearing otherwise
199             the same name (except if the image has the C<.raw> suffix, in which case the verity data file must
200             not have it in its name), the verity data is read from it and automatically used.
201              
202             This option is supported only for disk images that contain a single file system, without an
203             enveloping partition table. Images that contain a GPT partition table should instead include both
204             root file system and matching Verity data in the same image, implementing the L<Discoverable Partitions Specification|https://systemd.io/DISCOVERABLE_PARTITIONS>.',
205             'type' => 'leaf',
206             'value_type' => 'uniline'
207             },
208             'MountAPIVFS',
209             {
210             'description' => 'Takes a boolean argument. If on, a private mount namespace for the unit\'s processes is created
211             and the API file systems C</proc/>, C</sys/>, C</dev/> and
212             C</run/> (as an empty C<tmpfs>) are mounted inside of it, unless they are
213             already mounted. Note that this option has no effect unless used in conjunction with
214             C<RootDirectory>/C<RootImage> as these four mounts are
215             generally mounted in the host anyway, and unless the root directory is changed, the private mount namespace
216             will be a 1:1 copy of the host\'s, and include these four mounts. Note that the C</dev/> file
217             system of the host is bind mounted if this option is used without C<PrivateDevices>. To run
218             the service with a private, minimal version of C</dev/>, combine this option with
219             C<PrivateDevices>.
220              
221             In order to allow propagating mounts at runtime in a safe manner, C</run/systemd/propagate>
222             on the host will be used to set up new mounts, and C</run/host/incoming/> in the private namespace
223             will be used as an intermediate step to store them before being moved to the final mount point.',
224             'type' => 'leaf',
225             'value_type' => 'boolean',
226             'write_as' => [
227             'no',
228             'yes'
229             ]
230             },
231             'ProtectProc',
232             {
233             'choice' => [
234             'noaccess',
235             'invisible',
236             'ptraceable',
237             'default'
238             ],
239             'description' => 'Takes one of C<noaccess>, C<invisible>,
240             C<ptraceable> or C<default> (which it defaults to). When set, this
241             controls the C<hidepid=> mount option of the C<procfs> instance for
242             the unit that controls which directories with process metainformation
243             (C</proc/PID>) are visible and accessible: when set to
244             C<noaccess> the ability to access most of other users\' process metadata in
245             C</proc/> is taken away for processes of the service. When set to
246             C<invisible> processes owned by other users are hidden from
247             C</proc/>. If C<ptraceable> all processes that cannot be
248             ptrace()\'ed by a process are hidden to it. If C<default> no
249             restrictions on C</proc/> access or visibility are made. For further details see
250             L<The /proc
251             Filesystem|https://docs.kernel.org/filesystems/proc.html#mount-options>. It is generally recommended to run most system services with this option set to
252             C<invisible>. This option is implemented via file system namespacing, and thus cannot
253             be used with services that shall be able to install mount points in the host file system
254             hierarchy. Note that the root user is unaffected by this option, so to be effective it has to be used
255             together with C<User> or C<DynamicUser=yes>, and also without the
256             C<CAP_SYS_PTRACE> capability, which also allows a process to bypass this feature. It
257             cannot be used for services that need to access metainformation about other users\' processes. This
258             option implies C<MountAPIVFS>.
259              
260             If the kernel doesn\'t support per-mount point C<hidepid=> mount options this
261             setting remains without effect, and the unit\'s processes will be able to access and see other process
262             as if the option was not used.',
263             'type' => 'leaf',
264             'value_type' => 'enum'
265             },
266             'ProcSubset',
267             {
268             'choice' => [
269             'all',
270             'pid'
271             ],
272             'description' => 'Takes one of C<all> (the default) and C<pid>. If
273             C<pid>, all files and directories not directly associated with process management and
274             introspection are made invisible in the C</proc/> file system configured for the
275             unit\'s processes. This controls the C<subset=> mount option of the
276             C<procfs> instance for the unit. For further details see L<The /proc
277             Filesystem|https://docs.kernel.org/filesystems/proc.html#mount-options>. Note that Linux exposes various kernel APIs via C</proc/>,
278             which are made unavailable with this setting. Since these APIs are used frequently this option is
279             useful only in a few, specific cases, and is not suitable for most non-trivial programs.
280              
281             Much like C<ProtectProc> above, this is implemented via file system mount
282             namespacing, and hence the same restrictions apply: it is only available to system services, it
283             disables mount propagation to the host mount table, and it implies
284             C<MountAPIVFS>. Also, like C<ProtectProc> this setting is gracefully
285             disabled if the used kernel does not support the C<subset=> mount option of
286             C<procfs>.',
287             'type' => 'leaf',
288             'value_type' => 'enum'
289             },
290             'BindPaths',
291             {
292             'cargo' => {
293             'type' => 'leaf',
294             'value_type' => 'uniline'
295             },
296             'description' => 'Configures unit-specific bind mounts. A bind mount makes a particular file or directory
297             available at an additional place in the unit\'s view of the file system. Any bind mounts created with this
298             option are specific to the unit, and are not visible in the host\'s mount table. This option expects a
299             whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of
300             source path, destination path and option string, where the latter two are optional. If only a source path is
301             specified the source and destination is taken to be the same. The option string may be either
302             C<rbind> or C<norbind> for configuring a recursive or non-recursive bind
303             mount. If the destination path is omitted, the option string must be omitted too.
304             Each bind mount definition may be prefixed with C<->, in which case it will be ignored
305             when its source path does not exist.
306              
307             C<BindPaths> creates regular writable bind mounts (unless the source file system mount
308             is already marked read-only), while C<BindReadOnlyPaths> creates read-only bind mounts. These
309             settings may be used more than once, each usage appends to the unit\'s list of bind mounts. If the empty string
310             is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note
311             that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is
312             used.
313              
314             This option is particularly useful when C<RootDirectory>/C<RootImage>
315             is used. In this case the source path refers to a path on the host file system, while the destination path
316             refers to a path below the root directory of the unit.
317              
318             Note that the destination directory must exist or systemd must be able to create it. Thus, it
319             is not possible to use those options for mount points nested underneath paths specified in
320             C<InaccessiblePaths>, or under C</home/> and other protected
321             directories if C<ProtectHome=yes> is
322             specified. C<TemporaryFileSystem> with C<:ro> or
323             C<ProtectHome=tmpfs> should be used instead.',
324             'type' => 'list'
325             },
326             'BindReadOnlyPaths',
327             {
328             'cargo' => {
329             'type' => 'leaf',
330             'value_type' => 'uniline'
331             },
332             'description' => 'Configures unit-specific bind mounts. A bind mount makes a particular file or directory
333             available at an additional place in the unit\'s view of the file system. Any bind mounts created with this
334             option are specific to the unit, and are not visible in the host\'s mount table. This option expects a
335             whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of
336             source path, destination path and option string, where the latter two are optional. If only a source path is
337             specified the source and destination is taken to be the same. The option string may be either
338             C<rbind> or C<norbind> for configuring a recursive or non-recursive bind
339             mount. If the destination path is omitted, the option string must be omitted too.
340             Each bind mount definition may be prefixed with C<->, in which case it will be ignored
341             when its source path does not exist.
342              
343             C<BindPaths> creates regular writable bind mounts (unless the source file system mount
344             is already marked read-only), while C<BindReadOnlyPaths> creates read-only bind mounts. These
345             settings may be used more than once, each usage appends to the unit\'s list of bind mounts. If the empty string
346             is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note
347             that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is
348             used.
349              
350             This option is particularly useful when C<RootDirectory>/C<RootImage>
351             is used. In this case the source path refers to a path on the host file system, while the destination path
352             refers to a path below the root directory of the unit.
353              
354             Note that the destination directory must exist or systemd must be able to create it. Thus, it
355             is not possible to use those options for mount points nested underneath paths specified in
356             C<InaccessiblePaths>, or under C</home/> and other protected
357             directories if C<ProtectHome=yes> is
358             specified. C<TemporaryFileSystem> with C<:ro> or
359             C<ProtectHome=tmpfs> should be used instead.',
360             'type' => 'list'
361             },
362             'MountImages',
363             {
364             'cargo' => {
365             'type' => 'leaf',
366             'value_type' => 'uniline'
367             },
368             'description' => 'This setting is similar to C<RootImage> in that it mounts a file
369             system hierarchy from a block device node or loopback file, but the destination directory can be
370             specified as well as mount options. This option expects a whitespace separated list of mount
371             definitions. Each definition consists of a colon-separated tuple of source path and destination
372             definitions, optionally followed by another colon and a list of mount options.
373              
374             Mount options may be defined as a single comma-separated list of options, in which case they
375             will be implicitly applied to the root partition on the image, or a series of colon-separated tuples
376             of partition name and mount options. Valid partition names and mount options are the same as for
377             C<RootImageOptions> setting described above.
378              
379             Each mount definition may be prefixed with C<->, in which case it will be
380             ignored when its source path does not exist. The source argument is a path to a block device node or
381             regular file. If source or destination contain a C<:>, it needs to be escaped as
382             C<\\:>. The device node or file system image file needs to follow the same rules as
383             specified for C<RootImage>. Any mounts created with this option are specific to the
384             unit, and are not visible in the host\'s mount table.
385              
386             These settings may be used more than once, each usage appends to the unit\'s list of mount
387             paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
388             reset.
389              
390             Note that the destination directory must exist or systemd must be able to create it. Thus, it
391             is not possible to use those options for mount points nested underneath paths specified in
392             C<InaccessiblePaths>, or under C</home/> and other protected
393             directories if C<ProtectHome=yes> is specified.
394              
395             When C<DevicePolicy> is set to C<closed> or
396             C<strict>, or set to C<auto> and C<DeviceAllow> is
397             set, then this setting adds C</dev/loop-control> with C<rw> mode,
398             C<block-loop> and C<block-blkext> with C<rwm> mode
399             to C<DeviceAllow>. See
400             L<systemd.resource-control(5)>
401             for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
402             C<PrivateDevices> below, as it may change the setting of
403             C<DevicePolicy>.',
404             'type' => 'list'
405             },
406             'ExtensionImages',
407             {
408             'cargo' => {
409             'type' => 'leaf',
410             'value_type' => 'uniline'
411             },
412             'description' => 'This setting is similar to C<MountImages> in that it mounts a file
413             system hierarchy from a block device node or loopback file, but instead of providing a destination
414             path, an overlay will be set up. This option expects a whitespace separated list of mount
415             definitions. Each definition consists of a source path, optionally followed by a colon and a list of
416             mount options.
417              
418             A read-only OverlayFS will be set up on top of C</usr/> and
419             C</opt/> hierarchies. The order in which the images are listed will determine the
420             order in which the overlay is laid down: images specified first to last will result in overlayfs
421             layers bottom to top.
422              
423             Mount options may be defined as a single comma-separated list of options, in which case they
424             will be implicitly applied to the root partition on the image, or a series of colon-separated tuples
425             of partition name and mount options. Valid partition names and mount options are the same as for
426             C<RootImageOptions> setting described above.
427              
428             Each mount definition may be prefixed with C<->, in which case it will be
429             ignored when its source path does not exist. The source argument is a path to a block device node or
430             regular file. If the source path contains a C<:>, it needs to be escaped as
431             C<\\:>. The device node or file system image file needs to follow the same rules as
432             specified for C<RootImage>. Any mounts created with this option are specific to the
433             unit, and are not visible in the host\'s mount table.
434              
435             These settings may be used more than once, each usage appends to the unit\'s list of image
436             paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
437             reset.
438              
439             Each image must carry a C</usr/lib/extension-release.d/extension-release.IMAGE>
440             file, with the appropriate metadata which matches C<RootImage>/C<RootDirectory>
441             or the host. See:
442             L<os-release(5)>.
443             To disable the safety check that the extension-release file name matches the image file name, the
444             C<x-systemd.relax-extension-release-check> mount option may be appended.
445              
446             When C<DevicePolicy> is set to C<closed> or
447             C<strict>, or set to C<auto> and C<DeviceAllow> is
448             set, then this setting adds C</dev/loop-control> with C<rw> mode,
449             C<block-loop> and C<block-blkext> with C<rwm> mode
450             to C<DeviceAllow>. See
451             L<systemd.resource-control(5)>
452             for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
453             C<PrivateDevices> below, as it may change the setting of
454             C<DevicePolicy>.',
455             'type' => 'list'
456             },
457             'ExtensionDirectories',
458             {
459             'cargo' => {
460             'type' => 'leaf',
461             'value_type' => 'uniline'
462             },
463             'description' => 'This setting is similar to C<BindReadOnlyPaths> in that it mounts a file
464             system hierarchy from a directory, but instead of providing a destination path, an overlay will be set
465             up. This option expects a whitespace separated list of source directories.
466              
467             A read-only OverlayFS will be set up on top of C</usr/> and
468             C</opt/> hierarchies. The order in which the directories are listed will determine
469             the order in which the overlay is laid down: directories specified first to last will result in overlayfs
470             layers bottom to top.
471              
472             Each directory listed in C<ExtensionDirectories> may be prefixed with C<->,
473             in which case it will be ignored when its source path does not exist. Any mounts created with this option are
474             specific to the unit, and are not visible in the host\'s mount table.
475              
476             These settings may be used more than once, each usage appends to the unit\'s list of directories
477             paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
478             reset.
479              
480             Each directory must contain a C</usr/lib/extension-release.d/extension-release.IMAGE>
481             file, with the appropriate metadata which matches C<RootImage>/C<RootDirectory>
482             or the host. See:
483             L<os-release(5)>.
484              
485             Note that usage from user units requires overlayfs support in unprivileged user namespaces,
486             which was first introduced in kernel v5.11.',
487             'type' => 'list'
488             },
489             'User',
490             {
491             'description' => "Set the UNIX user or group that the processes are executed as, respectively. Takes a single
492             user or group name, or a numeric ID as argument. For system services (services run by the system service
493             manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of
494             systemd --user), the default is C<root>, but C<User> may be
495             used to specify a different user. For user services of any other user, switching user identity is not
496             permitted, hence the only valid setting is the same user the user's service manager is running as. If no group
497             is set, the default group of the user is used. This setting does not affect commands whose command line is
498             prefixed with C<+>.
499              
500             Note that this enforces only weak restrictions on the user/group name syntax, but will generate
501             warnings in many cases where user/group names do not adhere to the following rules: the specified
502             name should consist only of the characters a-z, A-Z, 0-9, C<_> and
503             C<->, except for the first character which must be one of a-z, A-Z and
504             C<_> (i.e. digits and C<-> are not permitted as first character). The
505             user/group name must have at least one character, and at most 31. These restrictions are made in
506             order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux
507             systems. For further details on the names accepted and the names warned about see L<User/Group Name Syntax|https://systemd.io/USER_NAMES>.
508              
509             When used in conjunction with C<DynamicUser> the user/group name specified is
510             dynamically allocated at the time the service is started, and released at the time the service is
511             stopped \x{2014} unless it is already allocated statically (see below). If C<DynamicUser>
512             is not used the specified user and group must have been created statically in the user database no
513             later than the moment the service is started, for example using the
514             L<sysusers.d(5)>
515             facility, which is applied at boot or package install time. If the user does not exist by then
516             program invocation will fail.
517              
518             If the C<User> setting is used the supplementary group list is initialized
519             from the specified user's default group list, as defined in the system's user and group
520             database. Additional groups may be configured through the C<SupplementaryGroups>
521             setting (see below).",
522             'type' => 'leaf',
523             'value_type' => 'uniline'
524             },
525             'Group',
526             {
527             'description' => "Set the UNIX user or group that the processes are executed as, respectively. Takes a single
528             user or group name, or a numeric ID as argument. For system services (services run by the system service
529             manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of
530             systemd --user), the default is C<root>, but C<User> may be
531             used to specify a different user. For user services of any other user, switching user identity is not
532             permitted, hence the only valid setting is the same user the user's service manager is running as. If no group
533             is set, the default group of the user is used. This setting does not affect commands whose command line is
534             prefixed with C<+>.
535              
536             Note that this enforces only weak restrictions on the user/group name syntax, but will generate
537             warnings in many cases where user/group names do not adhere to the following rules: the specified
538             name should consist only of the characters a-z, A-Z, 0-9, C<_> and
539             C<->, except for the first character which must be one of a-z, A-Z and
540             C<_> (i.e. digits and C<-> are not permitted as first character). The
541             user/group name must have at least one character, and at most 31. These restrictions are made in
542             order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux
543             systems. For further details on the names accepted and the names warned about see L<User/Group Name Syntax|https://systemd.io/USER_NAMES>.
544              
545             When used in conjunction with C<DynamicUser> the user/group name specified is
546             dynamically allocated at the time the service is started, and released at the time the service is
547             stopped \x{2014} unless it is already allocated statically (see below). If C<DynamicUser>
548             is not used the specified user and group must have been created statically in the user database no
549             later than the moment the service is started, for example using the
550             L<sysusers.d(5)>
551             facility, which is applied at boot or package install time. If the user does not exist by then
552             program invocation will fail.
553              
554             If the C<User> setting is used the supplementary group list is initialized
555             from the specified user's default group list, as defined in the system's user and group
556             database. Additional groups may be configured through the C<SupplementaryGroups>
557             setting (see below).",
558             'type' => 'leaf',
559             'value_type' => 'uniline'
560             },
561             'DynamicUser',
562             {
563             'description' => "Takes a boolean parameter. If set, a UNIX user and group pair is allocated
564             dynamically when the unit is started, and released as soon as it is stopped. The user and group will
565             not be added to C</etc/passwd> or C</etc/group>, but are managed
566             transiently during runtime. The
567             L<nss-systemd(8)> glibc
568             NSS module provides integration of these dynamic users/groups into the system's user and group
569             databases. The user and group name to use may be configured via C<User> and
570             C<Group> (see above). If these options are not used and dynamic user/group
571             allocation is enabled for a unit, the name of the dynamic user/group is implicitly derived from the
572             unit name. If the unit name without the type suffix qualifies as valid user name it is used directly,
573             otherwise a name incorporating a hash of it is used. If a statically allocated user or group of the
574             configured name already exists, it is used and no dynamic user/group is allocated. Note that if
575             C<User> is specified and the static group with the name exists, then it is required
576             that the static user with the name already exists. Similarly, if C<Group> is
577             specified and the static user with the name exists, then it is required that the static group with
578             the name already exists. Dynamic users/groups are allocated from the UID/GID range 61184\x{2026}65519. It is
579             recommended to avoid this range for regular system or login users. At any point in time each UID/GID
580             from this range is only assigned to zero or one dynamically allocated users/groups in use. However,
581             UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running as
582             part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by
583             these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus
584             gain access to these files or directories. If C<DynamicUser> is enabled,
585             C<RemoveIPC> and C<PrivateTmp> are implied (and cannot be turned
586             off). This ensures that the lifetime of IPC objects and temporary files created by the executed
587             processes is bound to the runtime of the service, and hence the lifetime of the dynamic
588             user/group. Since C</tmp/> and C</var/tmp/> are usually the only
589             world-writable directories on a system this ensures that a unit making use of dynamic user/group
590             allocation cannot leave files around after unit termination. Furthermore
591             C<NoNewPrivileges> and C<RestrictSUIDSGID> are implicitly enabled
592             (and cannot be disabled), to ensure that processes invoked cannot take benefit or create SUID/SGID
593             files or directories. Moreover C<ProtectSystem=strict> and
594             C<ProtectHome=read-only> are implied, thus prohibiting the service to write to
595             arbitrary file system locations. In order to allow the service to write to certain directories, they
596             have to be allow-listed using C<ReadWritePaths>, but care must be taken so that
597             UID/GID recycling doesn't create security issues involving files created by the service. Use
598             C<RuntimeDirectory> (see below) in order to assign a writable runtime directory to a
599             service, owned by the dynamic user/group and removed automatically when the unit is terminated. Use
600             C<StateDirectory>, C<CacheDirectory> and
601             C<LogsDirectory> in order to assign a set of writable directories for specific
602             purposes to the service in a way that they are protected from vulnerabilities due to UID reuse (see
603             below). If this option is enabled, care should be taken that the unit's processes do not get access
604             to directories outside of these explicitly configured and managed ones. Specifically, do not use
605             C<BindPaths> and be careful with C<AF_UNIX> file descriptor
606             passing for directory file descriptors, as this would permit processes to create files or directories
607             owned by the dynamic user/group that are not subject to the lifecycle and access guarantees of the
608             service. Defaults to off.",
609             'type' => 'leaf',
610             'value_type' => 'boolean',
611             'write_as' => [
612             'no',
613             'yes'
614             ]
615             },
616             'SupplementaryGroups',
617             {
618             'cargo' => {
619             'type' => 'leaf',
620             'value_type' => 'uniline'
621             },
622             'description' => 'Sets the supplementary Unix groups the processes are executed as. This takes a space-separated
623             list of group names or IDs. This option may be specified more than once, in which case all listed groups are
624             set as supplementary groups. When the empty string is assigned, the list of supplementary groups is reset, and
625             all assignments prior to this one will have no effect. In any way, this option does not override, but extends
626             the list of supplementary groups configured in the system group database for the user. This does not affect
627             commands prefixed with C<+>.',
628             'type' => 'list'
629             },
630             'PAMName',
631             {
632             'description' => 'Sets the PAM service name to set up a session as. If set, the executed process will be
633             registered as a PAM session under the specified service name. This is only useful in conjunction with the
634             C<User> setting, and is otherwise ignored. If not set, no PAM session will be opened for the
635             executed processes. See L<pam(8)> for
636             details.
637              
638             Note that for each unit making use of this option a PAM session handler process will be maintained as
639             part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be
640             taken when the unit and hence the PAM session terminates. This process is named C<(sd-pam)> and
641             is an immediate child process of the unit\'s main process.
642              
643             Note that when this option is used for a unit it is very likely (depending on PAM configuration) that the
644             main unit process will be migrated to its own session scope unit when it is activated. This process will hence
645             be associated with two units: the unit it was originally started from (and for which
646             C<PAMName> was configured), and the session scope unit. Any child processes of that process
647             will however be associated with the session scope unit only. This has implications when used in combination
648             with C<NotifyAccess>C<all>, as these child processes will not be able to affect
649             changes in the original unit through notification messages. These messages will be considered belonging to the
650             session scope unit and not the original unit. It is hence not recommended to use C<PAMName> in
651             combination with C<NotifyAccess>C<all>.',
652             'type' => 'leaf',
653             'value_type' => 'uniline'
654             },
655             'CapabilityBoundingSet',
656             {
657             'description' => 'Controls which capabilities to include in the capability bounding set for the
658             executed process. See L<capabilities(7)>
659             for details. Takes a whitespace-separated list of capability names,
660             e.g. C<CAP_SYS_ADMIN>, C<CAP_DAC_OVERRIDE>,
661             C<CAP_SYS_PTRACE>. Capabilities listed will be included in the bounding set, all
662             others are removed. If the list of capabilities is prefixed with C<~>, all but the
663             listed capabilities will be included, the effect of the assignment inverted. Note that this option
664             also affects the respective capabilities in the effective, permitted and inheritable capability
665             sets. If this option is not used, the capability bounding set is not modified on process execution,
666             hence no limits on the capabilities of the process are enforced. This option may appear more than
667             once, in which case the bounding sets are merged by C<OR>, or by
668             C<AND> if the lines are prefixed with C<~> (see below). If the
669             empty string is assigned to this option, the bounding set is reset to the empty capability set, and
670             all prior settings have no effect. If set to C<~> (without any further argument),
671             the bounding set is reset to the full set of available capabilities, also undoing any previous
672             settings. This does not affect commands prefixed with C<+>.
673              
674             Use
675             L<systemd-analyze(1)>\'s
676             capability command to retrieve a list of capabilities defined on the local
677             system.
678              
679             Example: if a unit has the following,
680              
681             CapabilityBoundingSet=CAP_A CAP_B
682             CapabilityBoundingSet=CAP_B CAP_C
683              
684             then C<CAP_A>, C<CAP_B>, and
685             C<CAP_C> are set. If the second line is prefixed with
686             C<~>, e.g.,
687              
688             CapabilityBoundingSet=CAP_A CAP_B
689             CapabilityBoundingSet=~CAP_B CAP_C
690              
691             then, only C<CAP_A> is set.',
692             'type' => 'leaf',
693             'value_type' => 'uniline'
694             },
695             'AmbientCapabilities',
696             {
697             'description' => 'Controls which capabilities to include in the ambient capability set for the executed
698             process. Takes a whitespace-separated list of capability names, e.g. C<CAP_SYS_ADMIN>,
699             C<CAP_DAC_OVERRIDE>, C<CAP_SYS_PTRACE>. This option may appear more than
700             once, in which case the ambient capability sets are merged (see the above examples in
701             C<CapabilityBoundingSet>). If the list of capabilities is prefixed with C<~>,
702             all but the listed capabilities will be included, the effect of the assignment inverted. If the empty string is
703             assigned to this option, the ambient capability set is reset to the empty capability set, and all prior
704             settings have no effect. If set to C<~> (without any further argument), the ambient capability
705             set is reset to the full set of available capabilities, also undoing any previous settings. Note that adding
706             capabilities to the ambient capability set adds them to the process\'s inherited capability set.
707              
708             Ambient capability sets are useful if you want to execute a process as a non-privileged user but still want to
709             give it some capabilities. Note that in this case option C<keep-caps> is automatically added
710             to C<SecureBits> to retain the capabilities over the user
711             change. C<AmbientCapabilities> does not affect commands prefixed with
712             C<+>.',
713             'type' => 'leaf',
714             'value_type' => 'uniline'
715             },
716             'NoNewPrivileges',
717             {
718             'description' => 'Takes a boolean argument. If true, ensures that the service process and all its
719             children can never gain new privileges through execve() (e.g. via setuid or
720             setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that
721             a process and its children can never elevate privileges again. Defaults to false, but certain
722             settings override this and ignore the value of this setting. This is the case when
723             C<DynamicUser>, C<LockPersonality>,
724             C<MemoryDenyWriteExecute>, C<PrivateDevices>,
725             C<ProtectClock>, C<ProtectHostname>,
726             C<ProtectKernelLogs>, C<ProtectKernelModules>,
727             C<ProtectKernelTunables>, C<RestrictAddressFamilies>,
728             C<RestrictNamespaces>, C<RestrictRealtime>,
729             C<RestrictSUIDSGID>, C<SystemCallArchitectures>,
730             C<SystemCallFilter>, or C<SystemCallLog> are specified. Note that
731             even if this setting is overridden by them, systemctl show shows the original
732             value of this setting. In case the service will be run in a new mount namespace anyway and SELinux is
733             disabled, all file systems are mounted with C<MS_NOSUID> flag. Also see L<No New Privileges
734             Flag|https://docs.kernel.org/userspace-api/no_new_privs.html>.
735              
736             Note that this setting only has an effect on the unit\'s processes themselves (or any processes
737             directly or indirectly forked off them). It has no effect on processes potentially invoked on request
738             of them through tools such as L<at(1p)>,
739             L<crontab(1p)>,
740             L<systemd-run(1)>, or
741             arbitrary IPC services.',
742             'type' => 'leaf',
743             'value_type' => 'boolean',
744             'write_as' => [
745             'no',
746             'yes'
747             ]
748             },
749             'SecureBits',
750             {
751             'description' => 'Controls the secure bits set for the executed process. Takes a space-separated combination of
752             options from the following list: C<keep-caps>, C<keep-caps-locked>,
753             C<no-setuid-fixup>, C<no-setuid-fixup-locked>, C<noroot>, and
754             C<noroot-locked>. This option may appear more than once, in which case the secure bits are
755             ORed. If the empty string is assigned to this option, the bits are reset to 0. This does not affect commands
756             prefixed with C<+>. See L<capabilities(7)> for
757             details.',
758             'type' => 'leaf',
759             'value_type' => 'uniline'
760             },
761             'SELinuxContext',
762             {
763             'description' => 'Set the SELinux security context of the executed process. If set, this will override the
764             automated domain transition. However, the policy still needs to authorize the transition. This directive is
765             ignored if SELinux is disabled. If prefixed by C<->, failing to set the SELinux
766             security context will be ignored, but it\'s still possible that the subsequent
767             execve() may fail if the policy doesn\'t allow the transition for the
768             non-overridden context. This does not affect commands prefixed with C<+>. See
769             L<setexeccon(3)>
770             for details.',
771             'type' => 'leaf',
772             'value_type' => 'uniline'
773             },
774             'AppArmorProfile',
775             {
776             'description' => 'Takes a profile name as argument. The process executed by the unit will switch to
777             this profile when started. Profiles must already be loaded in the kernel, or the unit will fail. If
778             prefixed by C<->, all errors will be ignored. This setting has no effect if AppArmor
779             is not enabled. This setting does not affect commands prefixed with C<+>.',
780             'type' => 'leaf',
781             'value_type' => 'uniline'
782             },
783             'SmackProcessLabel',
784             {
785             'description' => 'Takes a C<SMACK64> security label as argument. The process executed by the unit
786             will be started under this label and SMACK will decide whether the process is allowed to run or not, based on
787             it. The process will continue to run under the label specified here unless the executable has its own
788             C<SMACK64EXEC> label, in which case the process will transition to run under that label. When not
789             specified, the label that systemd is running under is used. This directive is ignored if SMACK is
790             disabled.
791              
792             The value may be prefixed by C<->, in which case all errors will be ignored. An empty
793             value may be specified to unset previous assignments. This does not affect commands prefixed with
794             C<+>.',
795             'type' => 'leaf',
796             'value_type' => 'uniline'
797             },
798             'LimitCPU',
799             {
800             'description' => "Set soft and hard limits on various resources for executed processes. See
801             L<setrlimit(2)> for
802             details on the process resource limit concept. Process resource limits may be specified in two formats:
803             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
804             pair C<soft:hard> to set both limits individually
805             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
806             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
807             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
808             referring to time values, the usual time units ms, s, min, h and so on may be used (see
809             L<systemd.time(7)> for
810             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
811             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
812             implied. Also, note that the effective granularity of the limits might influence their
813             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
814             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
815             syntaxes: if prefixed with C<+> or C<->, the value is understood as
816             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
817             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
818              
819             Note that most process resource limits configured with these options are per-process, and
820             processes may fork in order to acquire a new set of resources that are accounted independently of the
821             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
822             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
823             controls listed in
824             L<systemd.resource-control(5)>
825             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
826             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
827             powerful (and working) replacement for C<LimitRSS>.
828              
829             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
830             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
831             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
832             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
833             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
834              
835             Resource limits not configured explicitly for a unit default to the value configured in the various
836             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
837             L<systemd-system.conf(5)>, and \x{2013}
838             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
839             services, see below).
840              
841             For system units these resource limits may be chosen freely. When these settings are configured
842             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
843             used to raise the limits above those set for the user manager itself when it was first invoked, as
844             the user's service manager generally lacks the privileges to do so. In user context these
845             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
846             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
847             available configuration mechanisms differ between operating systems, but typically require
848             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
849             setting limits on the system service encapsulating the user's service manager, i.e. the user's
850             instance of C<user\@.service>. After making such changes, make sure to restart the
851             user's service manager.",
852             'type' => 'leaf',
853             'value_type' => 'uniline'
854             },
855             'LimitFSIZE',
856             {
857             'description' => "Set soft and hard limits on various resources for executed processes. See
858             L<setrlimit(2)> for
859             details on the process resource limit concept. Process resource limits may be specified in two formats:
860             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
861             pair C<soft:hard> to set both limits individually
862             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
863             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
864             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
865             referring to time values, the usual time units ms, s, min, h and so on may be used (see
866             L<systemd.time(7)> for
867             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
868             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
869             implied. Also, note that the effective granularity of the limits might influence their
870             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
871             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
872             syntaxes: if prefixed with C<+> or C<->, the value is understood as
873             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
874             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
875              
876             Note that most process resource limits configured with these options are per-process, and
877             processes may fork in order to acquire a new set of resources that are accounted independently of the
878             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
879             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
880             controls listed in
881             L<systemd.resource-control(5)>
882             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
883             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
884             powerful (and working) replacement for C<LimitRSS>.
885              
886             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
887             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
888             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
889             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
890             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
891              
892             Resource limits not configured explicitly for a unit default to the value configured in the various
893             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
894             L<systemd-system.conf(5)>, and \x{2013}
895             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
896             services, see below).
897              
898             For system units these resource limits may be chosen freely. When these settings are configured
899             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
900             used to raise the limits above those set for the user manager itself when it was first invoked, as
901             the user's service manager generally lacks the privileges to do so. In user context these
902             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
903             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
904             available configuration mechanisms differ between operating systems, but typically require
905             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
906             setting limits on the system service encapsulating the user's service manager, i.e. the user's
907             instance of C<user\@.service>. After making such changes, make sure to restart the
908             user's service manager.",
909             'type' => 'leaf',
910             'value_type' => 'uniline'
911             },
912             'LimitDATA',
913             {
914             'description' => "Set soft and hard limits on various resources for executed processes. See
915             L<setrlimit(2)> for
916             details on the process resource limit concept. Process resource limits may be specified in two formats:
917             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
918             pair C<soft:hard> to set both limits individually
919             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
920             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
921             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
922             referring to time values, the usual time units ms, s, min, h and so on may be used (see
923             L<systemd.time(7)> for
924             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
925             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
926             implied. Also, note that the effective granularity of the limits might influence their
927             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
928             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
929             syntaxes: if prefixed with C<+> or C<->, the value is understood as
930             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
931             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
932              
933             Note that most process resource limits configured with these options are per-process, and
934             processes may fork in order to acquire a new set of resources that are accounted independently of the
935             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
936             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
937             controls listed in
938             L<systemd.resource-control(5)>
939             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
940             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
941             powerful (and working) replacement for C<LimitRSS>.
942              
943             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
944             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
945             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
946             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
947             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
948              
949             Resource limits not configured explicitly for a unit default to the value configured in the various
950             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
951             L<systemd-system.conf(5)>, and \x{2013}
952             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
953             services, see below).
954              
955             For system units these resource limits may be chosen freely. When these settings are configured
956             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
957             used to raise the limits above those set for the user manager itself when it was first invoked, as
958             the user's service manager generally lacks the privileges to do so. In user context these
959             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
960             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
961             available configuration mechanisms differ between operating systems, but typically require
962             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
963             setting limits on the system service encapsulating the user's service manager, i.e. the user's
964             instance of C<user\@.service>. After making such changes, make sure to restart the
965             user's service manager.",
966             'type' => 'leaf',
967             'value_type' => 'uniline'
968             },
969             'LimitSTACK',
970             {
971             'description' => "Set soft and hard limits on various resources for executed processes. See
972             L<setrlimit(2)> for
973             details on the process resource limit concept. Process resource limits may be specified in two formats:
974             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
975             pair C<soft:hard> to set both limits individually
976             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
977             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
978             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
979             referring to time values, the usual time units ms, s, min, h and so on may be used (see
980             L<systemd.time(7)> for
981             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
982             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
983             implied. Also, note that the effective granularity of the limits might influence their
984             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
985             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
986             syntaxes: if prefixed with C<+> or C<->, the value is understood as
987             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
988             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
989              
990             Note that most process resource limits configured with these options are per-process, and
991             processes may fork in order to acquire a new set of resources that are accounted independently of the
992             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
993             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
994             controls listed in
995             L<systemd.resource-control(5)>
996             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
997             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
998             powerful (and working) replacement for C<LimitRSS>.
999              
1000             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1001             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1002             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1003             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1004             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1005              
1006             Resource limits not configured explicitly for a unit default to the value configured in the various
1007             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1008             L<systemd-system.conf(5)>, and \x{2013}
1009             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1010             services, see below).
1011              
1012             For system units these resource limits may be chosen freely. When these settings are configured
1013             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1014             used to raise the limits above those set for the user manager itself when it was first invoked, as
1015             the user's service manager generally lacks the privileges to do so. In user context these
1016             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1017             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1018             available configuration mechanisms differ between operating systems, but typically require
1019             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1020             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1021             instance of C<user\@.service>. After making such changes, make sure to restart the
1022             user's service manager.",
1023             'type' => 'leaf',
1024             'value_type' => 'uniline'
1025             },
1026             'LimitCORE',
1027             {
1028             'description' => "Set soft and hard limits on various resources for executed processes. See
1029             L<setrlimit(2)> for
1030             details on the process resource limit concept. Process resource limits may be specified in two formats:
1031             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1032             pair C<soft:hard> to set both limits individually
1033             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1034             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1035             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1036             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1037             L<systemd.time(7)> for
1038             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1039             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1040             implied. Also, note that the effective granularity of the limits might influence their
1041             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1042             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1043             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1044             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1045             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1046              
1047             Note that most process resource limits configured with these options are per-process, and
1048             processes may fork in order to acquire a new set of resources that are accounted independently of the
1049             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1050             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1051             controls listed in
1052             L<systemd.resource-control(5)>
1053             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1054             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1055             powerful (and working) replacement for C<LimitRSS>.
1056              
1057             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1058             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1059             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1060             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1061             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1062              
1063             Resource limits not configured explicitly for a unit default to the value configured in the various
1064             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1065             L<systemd-system.conf(5)>, and \x{2013}
1066             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1067             services, see below).
1068              
1069             For system units these resource limits may be chosen freely. When these settings are configured
1070             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1071             used to raise the limits above those set for the user manager itself when it was first invoked, as
1072             the user's service manager generally lacks the privileges to do so. In user context these
1073             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1074             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1075             available configuration mechanisms differ between operating systems, but typically require
1076             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1077             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1078             instance of C<user\@.service>. After making such changes, make sure to restart the
1079             user's service manager.",
1080             'type' => 'leaf',
1081             'value_type' => 'uniline'
1082             },
1083             'LimitRSS',
1084             {
1085             'description' => "Set soft and hard limits on various resources for executed processes. See
1086             L<setrlimit(2)> for
1087             details on the process resource limit concept. Process resource limits may be specified in two formats:
1088             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1089             pair C<soft:hard> to set both limits individually
1090             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1091             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1092             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1093             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1094             L<systemd.time(7)> for
1095             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1096             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1097             implied. Also, note that the effective granularity of the limits might influence their
1098             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1099             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1100             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1101             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1102             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1103              
1104             Note that most process resource limits configured with these options are per-process, and
1105             processes may fork in order to acquire a new set of resources that are accounted independently of the
1106             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1107             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1108             controls listed in
1109             L<systemd.resource-control(5)>
1110             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1111             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1112             powerful (and working) replacement for C<LimitRSS>.
1113              
1114             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1115             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1116             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1117             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1118             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1119              
1120             Resource limits not configured explicitly for a unit default to the value configured in the various
1121             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1122             L<systemd-system.conf(5)>, and \x{2013}
1123             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1124             services, see below).
1125              
1126             For system units these resource limits may be chosen freely. When these settings are configured
1127             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1128             used to raise the limits above those set for the user manager itself when it was first invoked, as
1129             the user's service manager generally lacks the privileges to do so. In user context these
1130             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1131             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1132             available configuration mechanisms differ between operating systems, but typically require
1133             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1134             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1135             instance of C<user\@.service>. After making such changes, make sure to restart the
1136             user's service manager.",
1137             'type' => 'leaf',
1138             'value_type' => 'uniline'
1139             },
1140             'LimitNOFILE',
1141             {
1142             'description' => "Set soft and hard limits on various resources for executed processes. See
1143             L<setrlimit(2)> for
1144             details on the process resource limit concept. Process resource limits may be specified in two formats:
1145             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1146             pair C<soft:hard> to set both limits individually
1147             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1148             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1149             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1150             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1151             L<systemd.time(7)> for
1152             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1153             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1154             implied. Also, note that the effective granularity of the limits might influence their
1155             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1156             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1157             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1158             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1159             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1160              
1161             Note that most process resource limits configured with these options are per-process, and
1162             processes may fork in order to acquire a new set of resources that are accounted independently of the
1163             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1164             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1165             controls listed in
1166             L<systemd.resource-control(5)>
1167             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1168             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1169             powerful (and working) replacement for C<LimitRSS>.
1170              
1171             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1172             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1173             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1174             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1175             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1176              
1177             Resource limits not configured explicitly for a unit default to the value configured in the various
1178             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1179             L<systemd-system.conf(5)>, and \x{2013}
1180             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1181             services, see below).
1182              
1183             For system units these resource limits may be chosen freely. When these settings are configured
1184             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1185             used to raise the limits above those set for the user manager itself when it was first invoked, as
1186             the user's service manager generally lacks the privileges to do so. In user context these
1187             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1188             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1189             available configuration mechanisms differ between operating systems, but typically require
1190             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1191             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1192             instance of C<user\@.service>. After making such changes, make sure to restart the
1193             user's service manager.",
1194             'type' => 'leaf',
1195             'value_type' => 'uniline'
1196             },
1197             'LimitAS',
1198             {
1199             'description' => "Set soft and hard limits on various resources for executed processes. See
1200             L<setrlimit(2)> for
1201             details on the process resource limit concept. Process resource limits may be specified in two formats:
1202             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1203             pair C<soft:hard> to set both limits individually
1204             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1205             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1206             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1207             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1208             L<systemd.time(7)> for
1209             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1210             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1211             implied. Also, note that the effective granularity of the limits might influence their
1212             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1213             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1214             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1215             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1216             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1217              
1218             Note that most process resource limits configured with these options are per-process, and
1219             processes may fork in order to acquire a new set of resources that are accounted independently of the
1220             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1221             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1222             controls listed in
1223             L<systemd.resource-control(5)>
1224             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1225             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1226             powerful (and working) replacement for C<LimitRSS>.
1227              
1228             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1229             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1230             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1231             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1232             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1233              
1234             Resource limits not configured explicitly for a unit default to the value configured in the various
1235             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1236             L<systemd-system.conf(5)>, and \x{2013}
1237             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1238             services, see below).
1239              
1240             For system units these resource limits may be chosen freely. When these settings are configured
1241             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1242             used to raise the limits above those set for the user manager itself when it was first invoked, as
1243             the user's service manager generally lacks the privileges to do so. In user context these
1244             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1245             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1246             available configuration mechanisms differ between operating systems, but typically require
1247             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1248             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1249             instance of C<user\@.service>. After making such changes, make sure to restart the
1250             user's service manager.",
1251             'type' => 'leaf',
1252             'value_type' => 'uniline'
1253             },
1254             'LimitNPROC',
1255             {
1256             'description' => "Set soft and hard limits on various resources for executed processes. See
1257             L<setrlimit(2)> for
1258             details on the process resource limit concept. Process resource limits may be specified in two formats:
1259             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1260             pair C<soft:hard> to set both limits individually
1261             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1262             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1263             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1264             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1265             L<systemd.time(7)> for
1266             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1267             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1268             implied. Also, note that the effective granularity of the limits might influence their
1269             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1270             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1271             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1272             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1273             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1274              
1275             Note that most process resource limits configured with these options are per-process, and
1276             processes may fork in order to acquire a new set of resources that are accounted independently of the
1277             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1278             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1279             controls listed in
1280             L<systemd.resource-control(5)>
1281             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1282             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1283             powerful (and working) replacement for C<LimitRSS>.
1284              
1285             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1286             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1287             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1288             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1289             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1290              
1291             Resource limits not configured explicitly for a unit default to the value configured in the various
1292             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1293             L<systemd-system.conf(5)>, and \x{2013}
1294             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1295             services, see below).
1296              
1297             For system units these resource limits may be chosen freely. When these settings are configured
1298             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1299             used to raise the limits above those set for the user manager itself when it was first invoked, as
1300             the user's service manager generally lacks the privileges to do so. In user context these
1301             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1302             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1303             available configuration mechanisms differ between operating systems, but typically require
1304             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1305             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1306             instance of C<user\@.service>. After making such changes, make sure to restart the
1307             user's service manager.",
1308             'type' => 'leaf',
1309             'value_type' => 'uniline'
1310             },
1311             'LimitMEMLOCK',
1312             {
1313             'description' => "Set soft and hard limits on various resources for executed processes. See
1314             L<setrlimit(2)> for
1315             details on the process resource limit concept. Process resource limits may be specified in two formats:
1316             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1317             pair C<soft:hard> to set both limits individually
1318             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1319             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1320             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1321             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1322             L<systemd.time(7)> for
1323             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1324             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1325             implied. Also, note that the effective granularity of the limits might influence their
1326             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1327             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1328             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1329             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1330             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1331              
1332             Note that most process resource limits configured with these options are per-process, and
1333             processes may fork in order to acquire a new set of resources that are accounted independently of the
1334             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1335             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1336             controls listed in
1337             L<systemd.resource-control(5)>
1338             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1339             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1340             powerful (and working) replacement for C<LimitRSS>.
1341              
1342             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1343             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1344             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1345             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1346             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1347              
1348             Resource limits not configured explicitly for a unit default to the value configured in the various
1349             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1350             L<systemd-system.conf(5)>, and \x{2013}
1351             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1352             services, see below).
1353              
1354             For system units these resource limits may be chosen freely. When these settings are configured
1355             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1356             used to raise the limits above those set for the user manager itself when it was first invoked, as
1357             the user's service manager generally lacks the privileges to do so. In user context these
1358             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1359             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1360             available configuration mechanisms differ between operating systems, but typically require
1361             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1362             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1363             instance of C<user\@.service>. After making such changes, make sure to restart the
1364             user's service manager.",
1365             'type' => 'leaf',
1366             'value_type' => 'uniline'
1367             },
1368             'LimitLOCKS',
1369             {
1370             'description' => "Set soft and hard limits on various resources for executed processes. See
1371             L<setrlimit(2)> for
1372             details on the process resource limit concept. Process resource limits may be specified in two formats:
1373             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1374             pair C<soft:hard> to set both limits individually
1375             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1376             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1377             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1378             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1379             L<systemd.time(7)> for
1380             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1381             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1382             implied. Also, note that the effective granularity of the limits might influence their
1383             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1384             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1385             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1386             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1387             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1388              
1389             Note that most process resource limits configured with these options are per-process, and
1390             processes may fork in order to acquire a new set of resources that are accounted independently of the
1391             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1392             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1393             controls listed in
1394             L<systemd.resource-control(5)>
1395             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1396             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1397             powerful (and working) replacement for C<LimitRSS>.
1398              
1399             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1400             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1401             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1402             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1403             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1404              
1405             Resource limits not configured explicitly for a unit default to the value configured in the various
1406             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1407             L<systemd-system.conf(5)>, and \x{2013}
1408             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1409             services, see below).
1410              
1411             For system units these resource limits may be chosen freely. When these settings are configured
1412             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1413             used to raise the limits above those set for the user manager itself when it was first invoked, as
1414             the user's service manager generally lacks the privileges to do so. In user context these
1415             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1416             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1417             available configuration mechanisms differ between operating systems, but typically require
1418             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1419             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1420             instance of C<user\@.service>. After making such changes, make sure to restart the
1421             user's service manager.",
1422             'type' => 'leaf',
1423             'value_type' => 'uniline'
1424             },
1425             'LimitSIGPENDING',
1426             {
1427             'description' => "Set soft and hard limits on various resources for executed processes. See
1428             L<setrlimit(2)> for
1429             details on the process resource limit concept. Process resource limits may be specified in two formats:
1430             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1431             pair C<soft:hard> to set both limits individually
1432             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1433             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1434             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1435             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1436             L<systemd.time(7)> for
1437             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1438             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1439             implied. Also, note that the effective granularity of the limits might influence their
1440             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1441             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1442             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1443             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1444             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1445              
1446             Note that most process resource limits configured with these options are per-process, and
1447             processes may fork in order to acquire a new set of resources that are accounted independently of the
1448             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1449             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1450             controls listed in
1451             L<systemd.resource-control(5)>
1452             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1453             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1454             powerful (and working) replacement for C<LimitRSS>.
1455              
1456             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1457             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1458             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1459             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1460             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1461              
1462             Resource limits not configured explicitly for a unit default to the value configured in the various
1463             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1464             L<systemd-system.conf(5)>, and \x{2013}
1465             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1466             services, see below).
1467              
1468             For system units these resource limits may be chosen freely. When these settings are configured
1469             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1470             used to raise the limits above those set for the user manager itself when it was first invoked, as
1471             the user's service manager generally lacks the privileges to do so. In user context these
1472             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1473             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1474             available configuration mechanisms differ between operating systems, but typically require
1475             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1476             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1477             instance of C<user\@.service>. After making such changes, make sure to restart the
1478             user's service manager.",
1479             'type' => 'leaf',
1480             'value_type' => 'uniline'
1481             },
1482             'LimitMSGQUEUE',
1483             {
1484             'description' => "Set soft and hard limits on various resources for executed processes. See
1485             L<setrlimit(2)> for
1486             details on the process resource limit concept. Process resource limits may be specified in two formats:
1487             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1488             pair C<soft:hard> to set both limits individually
1489             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1490             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1491             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1492             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1493             L<systemd.time(7)> for
1494             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1495             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1496             implied. Also, note that the effective granularity of the limits might influence their
1497             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1498             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1499             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1500             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1501             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1502              
1503             Note that most process resource limits configured with these options are per-process, and
1504             processes may fork in order to acquire a new set of resources that are accounted independently of the
1505             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1506             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1507             controls listed in
1508             L<systemd.resource-control(5)>
1509             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1510             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1511             powerful (and working) replacement for C<LimitRSS>.
1512              
1513             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1514             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1515             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1516             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1517             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1518              
1519             Resource limits not configured explicitly for a unit default to the value configured in the various
1520             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1521             L<systemd-system.conf(5)>, and \x{2013}
1522             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1523             services, see below).
1524              
1525             For system units these resource limits may be chosen freely. When these settings are configured
1526             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1527             used to raise the limits above those set for the user manager itself when it was first invoked, as
1528             the user's service manager generally lacks the privileges to do so. In user context these
1529             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1530             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1531             available configuration mechanisms differ between operating systems, but typically require
1532             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1533             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1534             instance of C<user\@.service>. After making such changes, make sure to restart the
1535             user's service manager.",
1536             'type' => 'leaf',
1537             'value_type' => 'uniline'
1538             },
1539             'LimitNICE',
1540             {
1541             'description' => "Set soft and hard limits on various resources for executed processes. See
1542             L<setrlimit(2)> for
1543             details on the process resource limit concept. Process resource limits may be specified in two formats:
1544             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1545             pair C<soft:hard> to set both limits individually
1546             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1547             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1548             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1549             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1550             L<systemd.time(7)> for
1551             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1552             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1553             implied. Also, note that the effective granularity of the limits might influence their
1554             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1555             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1556             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1557             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1558             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1559              
1560             Note that most process resource limits configured with these options are per-process, and
1561             processes may fork in order to acquire a new set of resources that are accounted independently of the
1562             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1563             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1564             controls listed in
1565             L<systemd.resource-control(5)>
1566             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1567             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1568             powerful (and working) replacement for C<LimitRSS>.
1569              
1570             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1571             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1572             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1573             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1574             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1575              
1576             Resource limits not configured explicitly for a unit default to the value configured in the various
1577             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1578             L<systemd-system.conf(5)>, and \x{2013}
1579             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1580             services, see below).
1581              
1582             For system units these resource limits may be chosen freely. When these settings are configured
1583             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1584             used to raise the limits above those set for the user manager itself when it was first invoked, as
1585             the user's service manager generally lacks the privileges to do so. In user context these
1586             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1587             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1588             available configuration mechanisms differ between operating systems, but typically require
1589             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1590             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1591             instance of C<user\@.service>. After making such changes, make sure to restart the
1592             user's service manager.",
1593             'type' => 'leaf',
1594             'value_type' => 'uniline'
1595             },
1596             'LimitRTPRIO',
1597             {
1598             'description' => "Set soft and hard limits on various resources for executed processes. See
1599             L<setrlimit(2)> for
1600             details on the process resource limit concept. Process resource limits may be specified in two formats:
1601             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1602             pair C<soft:hard> to set both limits individually
1603             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1604             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1605             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1606             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1607             L<systemd.time(7)> for
1608             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1609             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1610             implied. Also, note that the effective granularity of the limits might influence their
1611             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1612             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1613             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1614             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1615             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1616              
1617             Note that most process resource limits configured with these options are per-process, and
1618             processes may fork in order to acquire a new set of resources that are accounted independently of the
1619             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1620             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1621             controls listed in
1622             L<systemd.resource-control(5)>
1623             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1624             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1625             powerful (and working) replacement for C<LimitRSS>.
1626              
1627             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1628             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1629             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1630             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1631             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1632              
1633             Resource limits not configured explicitly for a unit default to the value configured in the various
1634             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1635             L<systemd-system.conf(5)>, and \x{2013}
1636             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1637             services, see below).
1638              
1639             For system units these resource limits may be chosen freely. When these settings are configured
1640             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1641             used to raise the limits above those set for the user manager itself when it was first invoked, as
1642             the user's service manager generally lacks the privileges to do so. In user context these
1643             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1644             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1645             available configuration mechanisms differ between operating systems, but typically require
1646             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1647             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1648             instance of C<user\@.service>. After making such changes, make sure to restart the
1649             user's service manager.",
1650             'type' => 'leaf',
1651             'value_type' => 'uniline'
1652             },
1653             'LimitRTTIME',
1654             {
1655             'description' => "Set soft and hard limits on various resources for executed processes. See
1656             L<setrlimit(2)> for
1657             details on the process resource limit concept. Process resource limits may be specified in two formats:
1658             either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1659             pair C<soft:hard> to set both limits individually
1660             (e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1661             limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1662             be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1663             referring to time values, the usual time units ms, s, min, h and so on may be used (see
1664             L<systemd.time(7)> for
1665             details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1666             seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1667             implied. Also, note that the effective granularity of the limits might influence their
1668             enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1669             implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1670             syntaxes: if prefixed with C<+> or C<->, the value is understood as
1671             regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1672             raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1673              
1674             Note that most process resource limits configured with these options are per-process, and
1675             processes may fork in order to acquire a new set of resources that are accounted independently of the
1676             original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1677             implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1678             controls listed in
1679             L<systemd.resource-control(5)>
1680             over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1681             runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1682             powerful (and working) replacement for C<LimitRSS>.
1683              
1684             Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1685             not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1686             processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1687             enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1688             C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1689              
1690             Resource limits not configured explicitly for a unit default to the value configured in the various
1691             C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1692             L<systemd-system.conf(5)>, and \x{2013}
1693             if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1694             services, see below).
1695              
1696             For system units these resource limits may be chosen freely. When these settings are configured
1697             in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1698             used to raise the limits above those set for the user manager itself when it was first invoked, as
1699             the user's service manager generally lacks the privileges to do so. In user context these
1700             configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1701             to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1702             available configuration mechanisms differ between operating systems, but typically require
1703             privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1704             setting limits on the system service encapsulating the user's service manager, i.e. the user's
1705             instance of C<user\@.service>. After making such changes, make sure to restart the
1706             user's service manager.",
1707             'type' => 'leaf',
1708             'value_type' => 'uniline'
1709             },
1710             'UMask',
1711             {
1712             'description' => "Controls the file mode creation mask. Takes an access mode in octal notation. See
1713             L<umask(2)> for
1714             details. Defaults to 0022 for system units. For user units the default value is inherited from the
1715             per-user service manager (whose default is in turn inherited from the system service manager, and
1716             thus typically also is 0022 \x{2014} unless overridden by a PAM module). In order to change the per-user mask
1717             for all user services, consider setting the C<UMask> setting of the user's
1718             C<user\@.service> system service instance. The per-user umask may also be set via
1719             the C<umask> field of a user's L<JSON User
1720             Record|https://systemd.io/USER_RECORD> (for users managed by
1721             L<systemd-homed.service(8)>
1722             this field may be controlled via homectl --umask=). It may also be set via a PAM
1723             module, such as L<pam_umask(8)>.",
1724             'type' => 'leaf',
1725             'value_type' => 'uniline'
1726             },
1727             'CoredumpFilter',
1728             {
1729             'description' => 'Controls which types of memory mappings will be saved if the process dumps core
1730             (using the C</proc/pid/coredump_filter> file). Takes a
1731             whitespace-separated combination of mapping type names or numbers (with the default base 16). Mapping
1732             type names are C<private-anonymous>, C<shared-anonymous>,
1733             C<private-file-backed>, C<shared-file-backed>,
1734             C<elf-headers>, C<private-huge>,
1735             C<shared-huge>, C<private-dax>, C<shared-dax>,
1736             and the special values C<all> (all types) and C<default> (the
1737             kernel default of C<private-anonymous>C<shared-anonymous> C<elf-headers>C<private-huge>). See
1738             L<core(5)>
1739             for the meaning of the mapping types. When specified multiple times, all specified masks are
1740             ORed. When not set, or if the empty value is assigned, the inherited value is not changed.',
1741             'type' => 'leaf',
1742             'value_type' => 'uniline'
1743             },
1744             'KeyringMode',
1745             {
1746             'choice' => [
1747             'inherit',
1748             'private',
1749             'shared'
1750             ],
1751             'description' => 'Controls how the kernel session keyring is set up for the service (see L<session-keyring(7)> for
1752             details on the session keyring). Takes one of C<inherit>, C<private>,
1753             C<shared>. If set to C<inherit> no special keyring setup is done, and the kernel\'s
1754             default behaviour is applied. If C<private> is used a new session keyring is allocated when a
1755             service process is invoked, and it is not linked up with any user keyring. This is the recommended setting for
1756             system services, as this ensures that multiple services running under the same system user ID (in particular
1757             the root user) do not share their key material among each other. If C<shared> is used a new
1758             session keyring is allocated as for C<private>, but the user keyring of the user configured with
1759             C<User> is linked into it, so that keys assigned to the user may be requested by the unit\'s
1760             processes. In this modes multiple units running processes under the same user ID may share key material. Unless
1761             C<inherit> is selected the unique invocation ID for the unit (see below) is added as a protected
1762             key by the name C<invocation_id> to the newly created session keyring. Defaults to
1763             C<private> for services of the system service manager and to C<inherit> for
1764             non-service units and for services of the user service manager.',
1765             'type' => 'leaf',
1766             'value_type' => 'enum'
1767             },
1768             'OOMScoreAdjust',
1769             {
1770             'description' => 'Sets the adjustment value for the Linux kernel\'s Out-Of-Memory (OOM) killer score for
1771             executed processes. Takes an integer between -1000 (to disable OOM killing of processes of this unit)
1772             and 1000 (to make killing of processes of this unit under memory pressure very likely). See L<The /proc Filesystem|https://docs.kernel.org/filesystems/proc.html> for
1773             details. If not specified defaults to the OOM score adjustment level of the service manager itself,
1774             which is normally at 0.
1775              
1776             Use the C<OOMPolicy> setting of service units to configure how the service
1777             manager shall react to the kernel OOM killer or systemd-oomd terminating a process of the service. See
1778             L<systemd.service(5)>
1779             for details.',
1780             'max' => '1000',
1781             'min' => '-1000',
1782             'type' => 'leaf',
1783             'value_type' => 'integer'
1784             },
1785             'TimerSlackNSec',
1786             {
1787             'description' => 'Sets the timer slack in nanoseconds for the executed processes. The timer slack controls the
1788             accuracy of wake-ups triggered by timers. See
1789             L<prctl(2)> for more
1790             information. Note that in contrast to most other time span definitions this parameter takes an integer value in
1791             nano-seconds if no unit is specified. The usual time units are understood too.',
1792             'type' => 'leaf',
1793             'value_type' => 'uniline'
1794             },
1795             'Personality',
1796             {
1797             'choice' => [
1798             'x86',
1799             'x86-64',
1800             'ppc',
1801             'ppc-le',
1802             'ppc64',
1803             'ppc64-le',
1804             's390',
1805             's390x'
1806             ],
1807             'description' => 'Controls which kernel architecture L<uname(2)> shall report,
1808             when invoked by unit processes. Takes one of the architecture identifiers C<x86>,
1809             C<x86-64>, C<ppc>, C<ppc-le>, C<ppc64>,
1810             C<ppc64-le>, C<s390> or C<s390x>. Which personality
1811             architectures are supported depends on the system architecture. Usually the 64bit versions of the various
1812             system architectures support their immediate 32bit personality architecture counterpart, but no others. For
1813             example, C<x86-64> systems support the C<x86-64> and
1814             C<x86> personalities but no others. The personality feature is useful when running 32-bit
1815             services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
1816             personality of the host system\'s kernel.',
1817             'type' => 'leaf',
1818             'value_type' => 'enum'
1819             },
1820             'IgnoreSIGPIPE',
1821             {
1822             'description' => 'Takes a boolean argument. If true, causes C<SIGPIPE> to be ignored in the
1823             executed process. Defaults to true because C<SIGPIPE> generally is useful only in shell
1824             pipelines.',
1825             'type' => 'leaf',
1826             'value_type' => 'boolean',
1827             'write_as' => [
1828             'no',
1829             'yes'
1830             ]
1831             },
1832             'Nice',
1833             {
1834             'description' => 'Sets the default nice level (scheduling priority) for executed processes. Takes an
1835             integer between -20 (highest priority) and 19 (lowest priority). In case of resource contention,
1836             smaller values mean more resources will be made available to the unit\'s processes, larger values mean
1837             less resources will be made available. See
1838             L<setpriority(2)> for
1839             details.',
1840             'max' => '19',
1841             'min' => '-20',
1842             'type' => 'leaf',
1843             'value_type' => 'integer'
1844             },
1845             'CPUSchedulingPolicy',
1846             {
1847             'choice' => [
1848             'other',
1849             'batch',
1850             'idle',
1851             'fifo',
1852             'rr'
1853             ],
1854             'description' => 'Sets the CPU scheduling policy for executed processes. Takes one of C<other>,
1855             C<batch>, C<idle>, C<fifo> or C<rr>. See
1856             L<sched_setscheduler(2)> for
1857             details.',
1858             'type' => 'leaf',
1859             'value_type' => 'enum'
1860             },
1861             'CPUSchedulingPriority',
1862             {
1863             'description' => 'Sets the CPU scheduling priority for executed processes. The available priority range
1864             depends on the selected CPU scheduling policy (see above). For real-time scheduling policies an
1865             integer between 1 (lowest priority) and 99 (highest priority) can be used. In case of CPU resource
1866             contention, smaller values mean less CPU time is made available to the service, larger values mean
1867             more. See L<sched_setscheduler(2)>
1868             for details.',
1869             'type' => 'leaf',
1870             'value_type' => 'uniline'
1871             },
1872             'CPUSchedulingResetOnFork',
1873             {
1874             'description' => 'Takes a boolean argument. If true, elevated CPU scheduling priorities and policies
1875             will be reset when the executed processes call
1876             L<fork(2)>,
1877             and can hence not leak into child processes. See
1878             L<sched_setscheduler(2)>
1879             for details. Defaults to false.',
1880             'type' => 'leaf',
1881             'value_type' => 'boolean',
1882             'write_as' => [
1883             'no',
1884             'yes'
1885             ]
1886             },
1887             'CPUAffinity',
1888             {
1889             'cargo' => {
1890             'type' => 'leaf',
1891             'value_type' => 'uniline'
1892             },
1893             'description' => 'Controls the CPU affinity of the executed processes. Takes a list of CPU indices or ranges
1894             separated by either whitespace or commas. Alternatively, takes a special "numa" value in which case systemd
1895             automatically derives allowed CPU range based on the value of C<NUMAMask> option. CPU ranges
1896             are specified by the lower and upper CPU indices separated by a dash. This option may be specified more than
1897             once, in which case the specified CPU affinity masks are merged. If the empty string is assigned, the mask
1898             is reset, all assignments prior to this will have no effect. See
1899             L<sched_setaffinity(2)> for
1900             details.',
1901             'type' => 'list'
1902             },
1903             'NUMAPolicy',
1904             {
1905             'description' => 'Controls the NUMA memory policy of the executed processes. Takes a policy type, one of:
1906             C<default>, C<preferred>, C<bind>, C<interleave> and
1907             C<local>. A list of NUMA nodes that should be associated with the policy must be specified
1908             in C<NUMAMask>. For more details on each policy please see,
1909             L<set_mempolicy(2)>. For overall
1910             overview of NUMA support in Linux see,
1911             L<numa(7)>.
1912             ',
1913             'type' => 'leaf',
1914             'value_type' => 'uniline'
1915             },
1916             'NUMAMask',
1917             {
1918             'description' => 'Controls the NUMA node list which will be applied alongside with selected NUMA policy.
1919             Takes a list of NUMA nodes and has the same syntax as a list of CPUs for C<CPUAffinity>
1920             option or special "all" value which will include all available NUMA nodes in the mask. Note that the list
1921             of NUMA nodes is not required for C<default> and C<local>
1922             policies and for C<preferred> policy we expect a single NUMA node.',
1923             'type' => 'leaf',
1924             'value_type' => 'uniline'
1925             },
1926             'IOSchedulingClass',
1927             {
1928             'choice' => [
1929             '0',
1930             '1',
1931             '2',
1932             '3',
1933             'none',
1934             'realtime',
1935             'best-effort',
1936             'idle'
1937             ],
1938             'description' => 'Sets the I/O scheduling class for executed processes. Takes one of the strings
1939             C<realtime>, C<best-effort> or C<idle>. The kernel\'s
1940             default scheduling class is C<best-effort> at a priority of 4. If the empty string is
1941             assigned to this option, all prior assignments to both C<IOSchedulingClass> and
1942             C<IOSchedulingPriority> have no effect. See
1943             L<ioprio_set(2)> for
1944             details.',
1945             'type' => 'leaf',
1946             'value_type' => 'enum'
1947             },
1948             'IOSchedulingPriority',
1949             {
1950             'description' => 'Sets the I/O scheduling priority for executed processes. Takes an integer between 0
1951             (highest priority) and 7 (lowest priority). In case of I/O contention, smaller values mean more I/O
1952             bandwidth is made available to the unit\'s processes, larger values mean less bandwidth. The available
1953             priorities depend on the selected I/O scheduling class (see above). If the empty string is assigned
1954             to this option, all prior assignments to both C<IOSchedulingClass> and
1955             C<IOSchedulingPriority> have no effect. For the kernel\'s default scheduling class
1956             (C<best-effort>) this defaults to 4. See
1957             L<ioprio_set(2)> for
1958             details.',
1959             'max' => '7',
1960             'min' => '0',
1961             'type' => 'leaf',
1962             'upstream_default' => '4',
1963             'value_type' => 'integer'
1964             },
1965             'ProtectSystem',
1966             {
1967             'choice' => [
1968             'no',
1969             'yes',
1970             'full',
1971             'strict'
1972             ],
1973             'description' => 'Takes a boolean argument or the special values C<full> or
1974             C<strict>. If true, mounts the C</usr/> and the boot loader
1975             directories (C</boot> and C</efi>) read-only for processes
1976             invoked by this unit. If set to C<full>, the C</etc/> directory is
1977             mounted read-only, too. If set to C<strict> the entire file system hierarchy is
1978             mounted read-only, except for the API file system subtrees C</dev/>,
1979             C</proc/> and C</sys/> (protect these directories using
1980             C<PrivateDevices>, C<ProtectKernelTunables>,
1981             C<ProtectControlGroups>). This setting ensures that any modification of the vendor-supplied
1982             operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is
1983             recommended to enable this setting for all long-running services, unless they are involved with system updates
1984             or need to modify the operating system in other ways. If this option is used,
1985             C<ReadWritePaths> may be used to exclude specific directories from being made read-only. This
1986             setting is implied if C<DynamicUser> is set. This setting cannot ensure protection in all
1987             cases. In general it has the same limitations as C<ReadOnlyPaths>, see below. Defaults to
1988             off.',
1989             'replace' => {
1990             '0' => 'no',
1991             '1' => 'yes',
1992             'false' => 'no',
1993             'true' => 'yes'
1994             },
1995             'type' => 'leaf',
1996             'value_type' => 'enum'
1997             },
1998             'ProtectHome',
1999             {
2000             'choice' => [
2001             'no',
2002             'yes',
2003             'read-only',
2004             'tmpfs'
2005             ],
2006             'description' => 'Takes a boolean argument or the special values C<read-only> or
2007             C<tmpfs>. If true, the directories C</home/>,
2008             C</root>, and C</run/user> are made inaccessible and empty for
2009             processes invoked by this unit. If set to C<read-only>, the three directories are
2010             made read-only instead. If set to C<tmpfs>, temporary file systems are mounted on the
2011             three directories in read-only mode. The value C<tmpfs> is useful to hide home
2012             directories not relevant to the processes invoked by the unit, while still allowing necessary
2013             directories to be made visible when listed in C<BindPaths> or
2014             C<BindReadOnlyPaths>.
2015              
2016             Setting this to C<yes> is mostly equivalent to setting the three directories in
2017             C<InaccessiblePaths>. Similarly, C<read-only> is mostly equivalent to
2018             C<ReadOnlyPaths>, and C<tmpfs> is mostly equivalent to
2019             C<TemporaryFileSystem> with C<:ro>.
2020              
2021             It is recommended to enable this setting for all long-running services (in particular
2022             network-facing ones), to ensure they cannot get access to private user data, unless the services
2023             actually require access to the user\'s private data. This setting is implied if
2024             C<DynamicUser> is set. This setting cannot ensure protection in all cases. In
2025             general it has the same limitations as C<ReadOnlyPaths>, see below.',
2026             'replace' => {
2027             '0' => 'no',
2028             '1' => 'yes',
2029             'false' => 'no',
2030             'true' => 'yes'
2031             },
2032             'type' => 'leaf',
2033             'value_type' => 'enum'
2034             },
2035             'RuntimeDirectory',
2036             {
2037             'description' => 'These options take a whitespace-separated list of directory names. The specified
2038             directory names must be relative, and may not include C<..>. If set, when the unit is
2039             started, one or more directories by the specified names will be created (including their parents)
2040             below the locations defined in the following table. Also, the corresponding environment variable will
2041             be defined with the full paths of the directories. If multiple directories are set, then in the
2042             environment variable the paths are concatenated with colon (C<:>).
2043              
2044             In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2045             the unit is stopped. It is possible to preserve the specified directories in this case if
2046             C<RuntimeDirectoryPreserve> is configured to C<restart> or
2047             C<yes> (see below). The directories specified with C<StateDirectory>,
2048             C<CacheDirectory>, C<LogsDirectory>,
2049             C<ConfigurationDirectory> are not removed when the unit is stopped.
2050              
2051             Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2052             owned by the user and group specified in C<User> and C<Group>. If the
2053             specified directories already exist and their owning user or group do not match the configured ones, all files
2054             and directories below the specified directories as well as the directories themselves will have their file
2055             ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2056             already owned by the right user and group, files and directories below of them are left as-is, even if they do
2057             not match what is requested. The innermost specified directories will have their access mode adjusted to the
2058             what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2059             C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2060             C<ConfigurationDirectoryMode>.
2061              
2062             These options imply C<BindPaths> for the specified paths. When combined with
2063             C<RootDirectory> or C<RootImage> these paths always reside on the host and
2064             are mounted from there into the unit\'s file system namespace.
2065              
2066             If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2067             C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2068             C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2069             respectively, which are host directories made inaccessible to
2070             unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2071             user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2072             perspective of the host and from inside the unit, the relevant directories hence always appear
2073             directly below C</var/cache>, C</var/log> and
2074             C</var/lib>.
2075              
2076             Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2077             their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2078             runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2079             directory is cleaned up automatically after use. For runtime directories that require more complex or different
2080             configuration or lifetime guarantees, please consider using
2081             L<tmpfiles.d(5)>.
2082              
2083             C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2084             and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2085             The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2086             The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2087             options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2088             using the same first parameter, but a different second parameter.',
2089             'type' => 'leaf',
2090             'value_type' => 'uniline'
2091             },
2092             'StateDirectory',
2093             {
2094             'description' => 'These options take a whitespace-separated list of directory names. The specified
2095             directory names must be relative, and may not include C<..>. If set, when the unit is
2096             started, one or more directories by the specified names will be created (including their parents)
2097             below the locations defined in the following table. Also, the corresponding environment variable will
2098             be defined with the full paths of the directories. If multiple directories are set, then in the
2099             environment variable the paths are concatenated with colon (C<:>).
2100              
2101             In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2102             the unit is stopped. It is possible to preserve the specified directories in this case if
2103             C<RuntimeDirectoryPreserve> is configured to C<restart> or
2104             C<yes> (see below). The directories specified with C<StateDirectory>,
2105             C<CacheDirectory>, C<LogsDirectory>,
2106             C<ConfigurationDirectory> are not removed when the unit is stopped.
2107              
2108             Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2109             owned by the user and group specified in C<User> and C<Group>. If the
2110             specified directories already exist and their owning user or group do not match the configured ones, all files
2111             and directories below the specified directories as well as the directories themselves will have their file
2112             ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2113             already owned by the right user and group, files and directories below of them are left as-is, even if they do
2114             not match what is requested. The innermost specified directories will have their access mode adjusted to the
2115             what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2116             C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2117             C<ConfigurationDirectoryMode>.
2118              
2119             These options imply C<BindPaths> for the specified paths. When combined with
2120             C<RootDirectory> or C<RootImage> these paths always reside on the host and
2121             are mounted from there into the unit\'s file system namespace.
2122              
2123             If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2124             C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2125             C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2126             respectively, which are host directories made inaccessible to
2127             unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2128             user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2129             perspective of the host and from inside the unit, the relevant directories hence always appear
2130             directly below C</var/cache>, C</var/log> and
2131             C</var/lib>.
2132              
2133             Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2134             their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2135             runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2136             directory is cleaned up automatically after use. For runtime directories that require more complex or different
2137             configuration or lifetime guarantees, please consider using
2138             L<tmpfiles.d(5)>.
2139              
2140             C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2141             and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2142             The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2143             The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2144             options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2145             using the same first parameter, but a different second parameter.',
2146             'type' => 'leaf',
2147             'value_type' => 'uniline'
2148             },
2149             'CacheDirectory',
2150             {
2151             'description' => 'These options take a whitespace-separated list of directory names. The specified
2152             directory names must be relative, and may not include C<..>. If set, when the unit is
2153             started, one or more directories by the specified names will be created (including their parents)
2154             below the locations defined in the following table. Also, the corresponding environment variable will
2155             be defined with the full paths of the directories. If multiple directories are set, then in the
2156             environment variable the paths are concatenated with colon (C<:>).
2157              
2158             In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2159             the unit is stopped. It is possible to preserve the specified directories in this case if
2160             C<RuntimeDirectoryPreserve> is configured to C<restart> or
2161             C<yes> (see below). The directories specified with C<StateDirectory>,
2162             C<CacheDirectory>, C<LogsDirectory>,
2163             C<ConfigurationDirectory> are not removed when the unit is stopped.
2164              
2165             Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2166             owned by the user and group specified in C<User> and C<Group>. If the
2167             specified directories already exist and their owning user or group do not match the configured ones, all files
2168             and directories below the specified directories as well as the directories themselves will have their file
2169             ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2170             already owned by the right user and group, files and directories below of them are left as-is, even if they do
2171             not match what is requested. The innermost specified directories will have their access mode adjusted to the
2172             what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2173             C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2174             C<ConfigurationDirectoryMode>.
2175              
2176             These options imply C<BindPaths> for the specified paths. When combined with
2177             C<RootDirectory> or C<RootImage> these paths always reside on the host and
2178             are mounted from there into the unit\'s file system namespace.
2179              
2180             If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2181             C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2182             C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2183             respectively, which are host directories made inaccessible to
2184             unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2185             user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2186             perspective of the host and from inside the unit, the relevant directories hence always appear
2187             directly below C</var/cache>, C</var/log> and
2188             C</var/lib>.
2189              
2190             Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2191             their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2192             runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2193             directory is cleaned up automatically after use. For runtime directories that require more complex or different
2194             configuration or lifetime guarantees, please consider using
2195             L<tmpfiles.d(5)>.
2196              
2197             C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2198             and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2199             The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2200             The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2201             options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2202             using the same first parameter, but a different second parameter.',
2203             'type' => 'leaf',
2204             'value_type' => 'uniline'
2205             },
2206             'LogsDirectory',
2207             {
2208             'description' => 'These options take a whitespace-separated list of directory names. The specified
2209             directory names must be relative, and may not include C<..>. If set, when the unit is
2210             started, one or more directories by the specified names will be created (including their parents)
2211             below the locations defined in the following table. Also, the corresponding environment variable will
2212             be defined with the full paths of the directories. If multiple directories are set, then in the
2213             environment variable the paths are concatenated with colon (C<:>).
2214              
2215             In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2216             the unit is stopped. It is possible to preserve the specified directories in this case if
2217             C<RuntimeDirectoryPreserve> is configured to C<restart> or
2218             C<yes> (see below). The directories specified with C<StateDirectory>,
2219             C<CacheDirectory>, C<LogsDirectory>,
2220             C<ConfigurationDirectory> are not removed when the unit is stopped.
2221              
2222             Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2223             owned by the user and group specified in C<User> and C<Group>. If the
2224             specified directories already exist and their owning user or group do not match the configured ones, all files
2225             and directories below the specified directories as well as the directories themselves will have their file
2226             ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2227             already owned by the right user and group, files and directories below of them are left as-is, even if they do
2228             not match what is requested. The innermost specified directories will have their access mode adjusted to the
2229             what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2230             C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2231             C<ConfigurationDirectoryMode>.
2232              
2233             These options imply C<BindPaths> for the specified paths. When combined with
2234             C<RootDirectory> or C<RootImage> these paths always reside on the host and
2235             are mounted from there into the unit\'s file system namespace.
2236              
2237             If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2238             C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2239             C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2240             respectively, which are host directories made inaccessible to
2241             unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2242             user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2243             perspective of the host and from inside the unit, the relevant directories hence always appear
2244             directly below C</var/cache>, C</var/log> and
2245             C</var/lib>.
2246              
2247             Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2248             their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2249             runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2250             directory is cleaned up automatically after use. For runtime directories that require more complex or different
2251             configuration or lifetime guarantees, please consider using
2252             L<tmpfiles.d(5)>.
2253              
2254             C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2255             and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2256             The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2257             The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2258             options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2259             using the same first parameter, but a different second parameter.',
2260             'type' => 'leaf',
2261             'value_type' => 'uniline'
2262             },
2263             'ConfigurationDirectory',
2264             {
2265             'description' => 'These options take a whitespace-separated list of directory names. The specified
2266             directory names must be relative, and may not include C<..>. If set, when the unit is
2267             started, one or more directories by the specified names will be created (including their parents)
2268             below the locations defined in the following table. Also, the corresponding environment variable will
2269             be defined with the full paths of the directories. If multiple directories are set, then in the
2270             environment variable the paths are concatenated with colon (C<:>).
2271              
2272             In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2273             the unit is stopped. It is possible to preserve the specified directories in this case if
2274             C<RuntimeDirectoryPreserve> is configured to C<restart> or
2275             C<yes> (see below). The directories specified with C<StateDirectory>,
2276             C<CacheDirectory>, C<LogsDirectory>,
2277             C<ConfigurationDirectory> are not removed when the unit is stopped.
2278              
2279             Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2280             owned by the user and group specified in C<User> and C<Group>. If the
2281             specified directories already exist and their owning user or group do not match the configured ones, all files
2282             and directories below the specified directories as well as the directories themselves will have their file
2283             ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2284             already owned by the right user and group, files and directories below of them are left as-is, even if they do
2285             not match what is requested. The innermost specified directories will have their access mode adjusted to the
2286             what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2287             C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2288             C<ConfigurationDirectoryMode>.
2289              
2290             These options imply C<BindPaths> for the specified paths. When combined with
2291             C<RootDirectory> or C<RootImage> these paths always reside on the host and
2292             are mounted from there into the unit\'s file system namespace.
2293              
2294             If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2295             C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2296             C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2297             respectively, which are host directories made inaccessible to
2298             unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2299             user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2300             perspective of the host and from inside the unit, the relevant directories hence always appear
2301             directly below C</var/cache>, C</var/log> and
2302             C</var/lib>.
2303              
2304             Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2305             their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2306             runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2307             directory is cleaned up automatically after use. For runtime directories that require more complex or different
2308             configuration or lifetime guarantees, please consider using
2309             L<tmpfiles.d(5)>.
2310              
2311             C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2312             and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2313             The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2314             The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2315             options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2316             using the same first parameter, but a different second parameter.',
2317             'type' => 'leaf',
2318             'value_type' => 'uniline'
2319             },
2320             'RuntimeDirectoryMode',
2321             {
2322             'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2323             C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2324             C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2325             C<0755>. See "Permissions" in L<path_resolution(7)> for a
2326             discussion of the meaning of permission bits.',
2327             'type' => 'leaf',
2328             'value_type' => 'uniline'
2329             },
2330             'StateDirectoryMode',
2331             {
2332             'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2333             C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2334             C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2335             C<0755>. See "Permissions" in L<path_resolution(7)> for a
2336             discussion of the meaning of permission bits.',
2337             'type' => 'leaf',
2338             'value_type' => 'uniline'
2339             },
2340             'CacheDirectoryMode',
2341             {
2342             'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2343             C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2344             C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2345             C<0755>. See "Permissions" in L<path_resolution(7)> for a
2346             discussion of the meaning of permission bits.',
2347             'type' => 'leaf',
2348             'value_type' => 'uniline'
2349             },
2350             'LogsDirectoryMode',
2351             {
2352             'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2353             C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2354             C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2355             C<0755>. See "Permissions" in L<path_resolution(7)> for a
2356             discussion of the meaning of permission bits.',
2357             'type' => 'leaf',
2358             'value_type' => 'uniline'
2359             },
2360             'ConfigurationDirectoryMode',
2361             {
2362             'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2363             C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2364             C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2365             C<0755>. See "Permissions" in L<path_resolution(7)> for a
2366             discussion of the meaning of permission bits.',
2367             'type' => 'leaf',
2368             'value_type' => 'uniline'
2369             },
2370             'RuntimeDirectoryPreserve',
2371             {
2372             'choice' => [
2373             'no',
2374             'yes',
2375             'restart'
2376             ],
2377             'description' => 'Takes a boolean argument or C<restart>. If set to C<no> (the
2378             default), the directories specified in C<RuntimeDirectory> are always removed when the service
2379             stops. If set to C<restart> the directories are preserved when the service is both automatically
2380             and manually restarted. Here, the automatic restart means the operation specified in
2381             C<Restart>, and manual restart means the one triggered by systemctl restart
2382             foo.service. If set to C<yes>, then the directories are not removed when the service is
2383             stopped. Note that since the runtime directory C</run/> is a mount point of
2384             C<tmpfs>, then for system services the directories specified in
2385             C<RuntimeDirectory> are removed when the system is rebooted.',
2386             'replace' => {
2387             '0' => 'no',
2388             '1' => 'yes',
2389             'false' => 'no',
2390             'true' => 'yes'
2391             },
2392             'type' => 'leaf',
2393             'value_type' => 'enum'
2394             },
2395             'TimeoutCleanSec',
2396             {
2397             'description' => "Configures a timeout on the clean-up operation requested through systemctl
2398             clean \x{2026}, see
2399             L<systemctl(1)> for
2400             details. Takes the usual time values and defaults to C<infinity>, i.e. by default
2401             no timeout is applied. If a timeout is configured the clean operation will be aborted forcibly when
2402             the timeout is reached, potentially leaving resources on disk.",
2403             'type' => 'leaf',
2404             'value_type' => 'uniline'
2405             },
2406             'ReadWritePaths',
2407             {
2408             'cargo' => {
2409             'type' => 'leaf',
2410             'value_type' => 'uniline'
2411             },
2412             'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2413             to limit access a process has to the file system. Each setting takes a space-separated list of paths
2414             relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2415             paths contain symlinks, they are resolved relative to the root directory set with
2416             C<RootDirectory>/C<RootImage>.
2417              
2418             Paths listed in C<ReadWritePaths> are accessible from within the namespace
2419             with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2420             are accessible for reading only, writing will be refused even if the usual file access controls would
2421             permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2422             order to provide writable subdirectories within read-only directories. Use
2423             C<ReadWritePaths> in order to allow-list specific paths for write access if
2424             C<ProtectSystem=strict> is used.
2425              
2426             Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2427             the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2428             desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2429             C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2430             see C<TemporaryFileSystem>.
2431              
2432             Content in paths listed in C<NoExecPaths> are not executable even if the usual
2433             file access controls would permit this. Nest C<ExecPaths> inside of
2434             C<NoExecPaths> in order to provide executable content within non-executable
2435             directories.
2436              
2437             Non-directory paths may be specified as well. These options may be specified more than once,
2438             in which case all paths listed will have limited access from within the namespace. If the empty string is
2439             assigned to this option, the specific list is reset, and all prior assignments have no effect.
2440              
2441             Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2442             C<InaccessiblePaths>, C<ExecPaths> and
2443             C<NoExecPaths> may be prefixed with C<->, in which case they will be
2444             ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2445             directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2446             instead of relative to the root directory of the host (see above). When combining C<-> and
2447             C<+> on the same path make sure to specify C<-> first, and C<+>
2448             second.
2449              
2450             Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2451             host. This means that this setting may not be used for services which shall be able to install mount points in
2452             the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2453             propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2454             unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2455             mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2456             i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2457             below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2458             not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2459             setting is not complete, and does not offer full protection.
2460              
2461             Note that the effect of these settings may be undone by privileged processes. In order to set up an
2462             effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2463             C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2464             C<SystemCallFilter=~@mount>.
2465              
2466             Simple allow-list example using these directives:
2467              
2468             [Service]
2469             ReadOnlyPaths=/
2470             ReadWritePaths=/var /run
2471             InaccessiblePaths=-/lost+found
2472             NoExecPaths=/
2473             ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2474              
2475             ',
2476             'type' => 'list'
2477             },
2478             'ReadOnlyPaths',
2479             {
2480             'cargo' => {
2481             'type' => 'leaf',
2482             'value_type' => 'uniline'
2483             },
2484             'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2485             to limit access a process has to the file system. Each setting takes a space-separated list of paths
2486             relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2487             paths contain symlinks, they are resolved relative to the root directory set with
2488             C<RootDirectory>/C<RootImage>.
2489              
2490             Paths listed in C<ReadWritePaths> are accessible from within the namespace
2491             with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2492             are accessible for reading only, writing will be refused even if the usual file access controls would
2493             permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2494             order to provide writable subdirectories within read-only directories. Use
2495             C<ReadWritePaths> in order to allow-list specific paths for write access if
2496             C<ProtectSystem=strict> is used.
2497              
2498             Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2499             the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2500             desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2501             C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2502             see C<TemporaryFileSystem>.
2503              
2504             Content in paths listed in C<NoExecPaths> are not executable even if the usual
2505             file access controls would permit this. Nest C<ExecPaths> inside of
2506             C<NoExecPaths> in order to provide executable content within non-executable
2507             directories.
2508              
2509             Non-directory paths may be specified as well. These options may be specified more than once,
2510             in which case all paths listed will have limited access from within the namespace. If the empty string is
2511             assigned to this option, the specific list is reset, and all prior assignments have no effect.
2512              
2513             Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2514             C<InaccessiblePaths>, C<ExecPaths> and
2515             C<NoExecPaths> may be prefixed with C<->, in which case they will be
2516             ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2517             directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2518             instead of relative to the root directory of the host (see above). When combining C<-> and
2519             C<+> on the same path make sure to specify C<-> first, and C<+>
2520             second.
2521              
2522             Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2523             host. This means that this setting may not be used for services which shall be able to install mount points in
2524             the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2525             propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2526             unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2527             mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2528             i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2529             below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2530             not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2531             setting is not complete, and does not offer full protection.
2532              
2533             Note that the effect of these settings may be undone by privileged processes. In order to set up an
2534             effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2535             C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2536             C<SystemCallFilter=~@mount>.
2537              
2538             Simple allow-list example using these directives:
2539              
2540             [Service]
2541             ReadOnlyPaths=/
2542             ReadWritePaths=/var /run
2543             InaccessiblePaths=-/lost+found
2544             NoExecPaths=/
2545             ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2546              
2547             ',
2548             'type' => 'list'
2549             },
2550             'InaccessiblePaths',
2551             {
2552             'cargo' => {
2553             'type' => 'leaf',
2554             'value_type' => 'uniline'
2555             },
2556             'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2557             to limit access a process has to the file system. Each setting takes a space-separated list of paths
2558             relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2559             paths contain symlinks, they are resolved relative to the root directory set with
2560             C<RootDirectory>/C<RootImage>.
2561              
2562             Paths listed in C<ReadWritePaths> are accessible from within the namespace
2563             with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2564             are accessible for reading only, writing will be refused even if the usual file access controls would
2565             permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2566             order to provide writable subdirectories within read-only directories. Use
2567             C<ReadWritePaths> in order to allow-list specific paths for write access if
2568             C<ProtectSystem=strict> is used.
2569              
2570             Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2571             the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2572             desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2573             C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2574             see C<TemporaryFileSystem>.
2575              
2576             Content in paths listed in C<NoExecPaths> are not executable even if the usual
2577             file access controls would permit this. Nest C<ExecPaths> inside of
2578             C<NoExecPaths> in order to provide executable content within non-executable
2579             directories.
2580              
2581             Non-directory paths may be specified as well. These options may be specified more than once,
2582             in which case all paths listed will have limited access from within the namespace. If the empty string is
2583             assigned to this option, the specific list is reset, and all prior assignments have no effect.
2584              
2585             Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2586             C<InaccessiblePaths>, C<ExecPaths> and
2587             C<NoExecPaths> may be prefixed with C<->, in which case they will be
2588             ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2589             directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2590             instead of relative to the root directory of the host (see above). When combining C<-> and
2591             C<+> on the same path make sure to specify C<-> first, and C<+>
2592             second.
2593              
2594             Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2595             host. This means that this setting may not be used for services which shall be able to install mount points in
2596             the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2597             propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2598             unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2599             mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2600             i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2601             below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2602             not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2603             setting is not complete, and does not offer full protection.
2604              
2605             Note that the effect of these settings may be undone by privileged processes. In order to set up an
2606             effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2607             C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2608             C<SystemCallFilter=~@mount>.
2609              
2610             Simple allow-list example using these directives:
2611              
2612             [Service]
2613             ReadOnlyPaths=/
2614             ReadWritePaths=/var /run
2615             InaccessiblePaths=-/lost+found
2616             NoExecPaths=/
2617             ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2618              
2619             ',
2620             'type' => 'list'
2621             },
2622             'ExecPaths',
2623             {
2624             'cargo' => {
2625             'type' => 'leaf',
2626             'value_type' => 'uniline'
2627             },
2628             'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2629             to limit access a process has to the file system. Each setting takes a space-separated list of paths
2630             relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2631             paths contain symlinks, they are resolved relative to the root directory set with
2632             C<RootDirectory>/C<RootImage>.
2633              
2634             Paths listed in C<ReadWritePaths> are accessible from within the namespace
2635             with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2636             are accessible for reading only, writing will be refused even if the usual file access controls would
2637             permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2638             order to provide writable subdirectories within read-only directories. Use
2639             C<ReadWritePaths> in order to allow-list specific paths for write access if
2640             C<ProtectSystem=strict> is used.
2641              
2642             Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2643             the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2644             desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2645             C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2646             see C<TemporaryFileSystem>.
2647              
2648             Content in paths listed in C<NoExecPaths> are not executable even if the usual
2649             file access controls would permit this. Nest C<ExecPaths> inside of
2650             C<NoExecPaths> in order to provide executable content within non-executable
2651             directories.
2652              
2653             Non-directory paths may be specified as well. These options may be specified more than once,
2654             in which case all paths listed will have limited access from within the namespace. If the empty string is
2655             assigned to this option, the specific list is reset, and all prior assignments have no effect.
2656              
2657             Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2658             C<InaccessiblePaths>, C<ExecPaths> and
2659             C<NoExecPaths> may be prefixed with C<->, in which case they will be
2660             ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2661             directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2662             instead of relative to the root directory of the host (see above). When combining C<-> and
2663             C<+> on the same path make sure to specify C<-> first, and C<+>
2664             second.
2665              
2666             Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2667             host. This means that this setting may not be used for services which shall be able to install mount points in
2668             the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2669             propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2670             unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2671             mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2672             i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2673             below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2674             not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2675             setting is not complete, and does not offer full protection.
2676              
2677             Note that the effect of these settings may be undone by privileged processes. In order to set up an
2678             effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2679             C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2680             C<SystemCallFilter=~@mount>.
2681              
2682             Simple allow-list example using these directives:
2683              
2684             [Service]
2685             ReadOnlyPaths=/
2686             ReadWritePaths=/var /run
2687             InaccessiblePaths=-/lost+found
2688             NoExecPaths=/
2689             ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2690              
2691             ',
2692             'type' => 'list'
2693             },
2694             'NoExecPaths',
2695             {
2696             'cargo' => {
2697             'type' => 'leaf',
2698             'value_type' => 'uniline'
2699             },
2700             'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2701             to limit access a process has to the file system. Each setting takes a space-separated list of paths
2702             relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2703             paths contain symlinks, they are resolved relative to the root directory set with
2704             C<RootDirectory>/C<RootImage>.
2705              
2706             Paths listed in C<ReadWritePaths> are accessible from within the namespace
2707             with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2708             are accessible for reading only, writing will be refused even if the usual file access controls would
2709             permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2710             order to provide writable subdirectories within read-only directories. Use
2711             C<ReadWritePaths> in order to allow-list specific paths for write access if
2712             C<ProtectSystem=strict> is used.
2713              
2714             Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2715             the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2716             desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2717             C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2718             see C<TemporaryFileSystem>.
2719              
2720             Content in paths listed in C<NoExecPaths> are not executable even if the usual
2721             file access controls would permit this. Nest C<ExecPaths> inside of
2722             C<NoExecPaths> in order to provide executable content within non-executable
2723             directories.
2724              
2725             Non-directory paths may be specified as well. These options may be specified more than once,
2726             in which case all paths listed will have limited access from within the namespace. If the empty string is
2727             assigned to this option, the specific list is reset, and all prior assignments have no effect.
2728              
2729             Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2730             C<InaccessiblePaths>, C<ExecPaths> and
2731             C<NoExecPaths> may be prefixed with C<->, in which case they will be
2732             ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2733             directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2734             instead of relative to the root directory of the host (see above). When combining C<-> and
2735             C<+> on the same path make sure to specify C<-> first, and C<+>
2736             second.
2737              
2738             Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2739             host. This means that this setting may not be used for services which shall be able to install mount points in
2740             the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2741             propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2742             unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2743             mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2744             i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2745             below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2746             not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2747             setting is not complete, and does not offer full protection.
2748              
2749             Note that the effect of these settings may be undone by privileged processes. In order to set up an
2750             effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2751             C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2752             C<SystemCallFilter=~@mount>.
2753              
2754             Simple allow-list example using these directives:
2755              
2756             [Service]
2757             ReadOnlyPaths=/
2758             ReadWritePaths=/var /run
2759             InaccessiblePaths=-/lost+found
2760             NoExecPaths=/
2761             ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2762              
2763             ',
2764             'type' => 'list'
2765             },
2766             'TemporaryFileSystem',
2767             {
2768             'cargo' => {
2769             'type' => 'leaf',
2770             'value_type' => 'uniline'
2771             },
2772             'description' => 'Takes a space-separated list of mount points for temporary file systems (tmpfs). If set, a new file
2773             system namespace is set up for executed processes, and a temporary file system is mounted on each mount point.
2774             This option may be specified more than once, in which case temporary file systems are mounted on all listed mount
2775             points. If the empty string is assigned to this option, the list is reset, and all prior assignments have no effect.
2776             Each mount point may optionally be suffixed with a colon (C<:>) and mount options such as
2777             C<size=10%> or C<ro>. By default, each temporary file system is mounted
2778             with C<nodev,strictatime,mode=0755>. These can be disabled by explicitly specifying the corresponding
2779             mount options, e.g., C<dev> or C<nostrictatime>.
2780              
2781             This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary
2782             files or directories can be still accessed by combining with C<BindPaths> or
2783             C<BindReadOnlyPaths>:
2784              
2785             Example: if a unit has the following,
2786              
2787             TemporaryFileSystem=/var:ro
2788             BindReadOnlyPaths=/var/lib/systemd
2789              
2790             then the invoked processes by the unit cannot see any files or directories under C</var/> except for
2791             C</var/lib/systemd> or its contents.',
2792             'type' => 'list'
2793             },
2794             'PrivateTmp',
2795             {
2796             'description' => 'Takes a boolean argument. If true, sets up a new file system namespace for the
2797             executed processes and mounts private C</tmp/> and C</var/tmp/>
2798             directories inside it that are not shared by processes outside of the namespace. This is useful to
2799             secure access to temporary files of the process, but makes sharing between processes via
2800             C</tmp/> or C</var/tmp/> impossible. If true, all temporary files
2801             created by a service in these directories will be removed after the service is stopped. Defaults to
2802             false. It is possible to run two or more units within the same private C</tmp/> and
2803             C</var/tmp/> namespace by using the C<JoinsNamespaceOf> directive,
2804             see L<systemd.unit(5)>
2805             for details. This setting is implied if C<DynamicUser> is set. For this setting, the
2806             same restrictions regarding mount propagation and privileges apply as for
2807             C<ReadOnlyPaths> and related calls, see above. Enabling this setting has the side
2808             effect of adding C<Requires> and C<After> dependencies on all mount
2809             units necessary to access C</tmp/> and C</var/tmp/>. Moreover an
2810             implicitly C<After> ordering on
2811             L<systemd-tmpfiles-setup.service(8)>
2812             is added.
2813              
2814             Note that the implementation of this setting might be impossible (for example if mount namespaces are not
2815             available), and the unit should be written in a way that does not solely rely on this setting for
2816             security.',
2817             'type' => 'leaf',
2818             'value_type' => 'boolean',
2819             'write_as' => [
2820             'no',
2821             'yes'
2822             ]
2823             },
2824             'PrivateDevices',
2825             {
2826             'description' => 'Takes a boolean argument. If true, sets up a new C</dev/> mount for
2827             the executed processes and only adds API pseudo devices such as C</dev/null>,
2828             C</dev/zero> or C</dev/random> (as well as the pseudo TTY
2829             subsystem) to it, but no physical devices such as C</dev/sda>, system memory
2830             C</dev/mem>, system ports C</dev/port> and others. This is useful
2831             to turn off physical device access by the executed process. Defaults to false.
2832              
2833             Enabling this option will install a system call filter to block low-level I/O system calls that
2834             are grouped in the C<@raw-io> set, remove C<CAP_MKNOD> and
2835             C<CAP_SYS_RAWIO> from the capability bounding set for the unit, and set
2836             C<DevicePolicy=closed> (see
2837             L<systemd.resource-control(5)>
2838             for details). Note that using this setting will disconnect propagation of mounts from the service to
2839             the host (propagation in the opposite direction continues to work). This means that this setting may
2840             not be used for services which shall be able to install mount points in the main mount namespace. The
2841             new C</dev/> will be mounted read-only and \'noexec\'. The latter may break old
2842             programs which try to set up executable memory by using
2843             L<mmap(2)> of
2844             C</dev/zero> instead of using C<MAP_ANON>. For this setting the
2845             same restrictions regarding mount propagation and privileges apply as for
2846             C<ReadOnlyPaths> and related calls, see above. If turned on and if running in user
2847             mode, or in system mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
2848             C<User>), C<NoNewPrivileges=yes> is implied.
2849              
2850             Note that the implementation of this setting might be impossible (for example if mount
2851             namespaces are not available), and the unit should be written in a way that does not solely rely on
2852             this setting for security.
2853              
2854             When access to some but not all devices must be possible, the C<DeviceAllow>
2855             setting might be used instead. See
2856             L<systemd.resource-control(5)>.
2857             ',
2858             'type' => 'leaf',
2859             'value_type' => 'boolean',
2860             'write_as' => [
2861             'no',
2862             'yes'
2863             ]
2864             },
2865             'PrivateNetwork',
2866             {
2867             'description' => 'Takes a boolean argument. If true, sets up a new network namespace for the executed processes
2868             and configures only the loopback network device C<lo> inside it. No other network devices will
2869             be available to the executed process. This is useful to turn off network access by the executed process.
2870             Defaults to false. It is possible to run two or more units within the same private network namespace by using
2871             the C<JoinsNamespaceOf> directive, see
2872             L<systemd.unit(5)> for
2873             details. Note that this option will disconnect all socket families from the host, including
2874             C<AF_NETLINK> and C<AF_UNIX>. Effectively, for
2875             C<AF_NETLINK> this means that device configuration events received from
2876             L<systemd-udevd.service(8)> are
2877             not delivered to the unit\'s processes. And for C<AF_UNIX> this has the effect that
2878             C<AF_UNIX> sockets in the abstract socket namespace of the host will become unavailable to
2879             the unit\'s processes (however, those located in the file system will continue to be accessible).
2880              
2881             Note that the implementation of this setting might be impossible (for example if network namespaces are
2882             not available), and the unit should be written in a way that does not solely rely on this setting for
2883             security.
2884              
2885             When this option is used on a socket unit any sockets bound on behalf of this unit will be
2886             bound within a private network namespace. This may be combined with
2887             C<JoinsNamespaceOf> to listen on sockets inside of network namespaces of other
2888             services.',
2889             'type' => 'leaf',
2890             'value_type' => 'boolean',
2891             'write_as' => [
2892             'no',
2893             'yes'
2894             ]
2895             },
2896             'NetworkNamespacePath',
2897             {
2898             'description' => 'Takes an absolute file system path refererring to a Linux network namespace
2899             pseudo-file (i.e. a file like C</proc/$PID/ns/net> or a bind mount or symlink to
2900             one). When set the invoked processes are added to the network namespace referenced by that path. The
2901             path has to point to a valid namespace file at the moment the processes are forked off. If this
2902             option is used C<PrivateNetwork> has no effect. If this option is used together with
2903             C<JoinsNamespaceOf> then it only has an effect if this unit is started before any of
2904             the listed units that have C<PrivateNetwork> or
2905             C<NetworkNamespacePath> configured, as otherwise the network namespace of those
2906             units is reused.
2907              
2908             When this option is used on a socket unit any sockets bound on behalf of this unit will be
2909             bound within the specified network namespace.',
2910             'type' => 'leaf',
2911             'value_type' => 'uniline'
2912             },
2913             'PrivateIPC',
2914             {
2915             'description' => 'Takes a boolean argument. If true, sets up a new IPC namespace for the executed processes.
2916             Each IPC namespace has its own set of System V IPC identifiers and its own POSIX message queue file system.
2917             This is useful to avoid name clash of IPC identifiers. Defaults to false. It is possible to run two or
2918             more units within the same private IPC namespace by using the C<JoinsNamespaceOf> directive,
2919             see L<systemd.unit(5)> for
2920             details.
2921              
2922             Note that IPC namespacing does not have an effect on
2923             C<AF_UNIX> sockets, which are the most common
2924             form of IPC used on Linux. Instead, C<AF_UNIX>
2925             sockets in the file system are subject to mount namespacing, and
2926             those in the abstract namespace are subject to network namespacing.
2927             IPC namespacing only has an effect on SysV IPC (which is mostly
2928             legacy) as well as POSIX message queues (for which
2929             C<AF_UNIX>/C<SOCK_SEQPACKET>
2930             sockets are typically a better replacement). IPC namespacing also
2931             has no effect on POSIX shared memory (which is subject to mount
2932             namespacing) either. See
2933             L<ipc_namespaces(7)> for
2934             the details.
2935              
2936             Note that the implementation of this setting might be impossible (for example if IPC namespaces are
2937             not available), and the unit should be written in a way that does not solely rely on this setting for
2938             security.',
2939             'type' => 'leaf',
2940             'value_type' => 'boolean',
2941             'write_as' => [
2942             'no',
2943             'yes'
2944             ]
2945             },
2946             'IPCNamespacePath',
2947             {
2948             'description' => 'Takes an absolute file system path refererring to a Linux IPC namespace
2949             pseudo-file (i.e. a file like C</proc/$PID/ns/ipc> or a bind mount or symlink to
2950             one). When set the invoked processes are added to the network namespace referenced by that path. The
2951             path has to point to a valid namespace file at the moment the processes are forked off. If this
2952             option is used C<PrivateIPC> has no effect. If this option is used together with
2953             C<JoinsNamespaceOf> then it only has an effect if this unit is started before any of
2954             the listed units that have C<PrivateIPC> or
2955             C<IPCNamespacePath> configured, as otherwise the network namespace of those
2956             units is reused.',
2957             'type' => 'leaf',
2958             'value_type' => 'uniline'
2959             },
2960             'PrivateUsers',
2961             {
2962             'description' => 'Takes a boolean argument. If true, sets up a new user namespace for the executed processes and
2963             configures a minimal user and group mapping, that maps the C<root> user and group as well as
2964             the unit\'s own user and group to themselves and everything else to the C<nobody> user and
2965             group. This is useful to securely detach the user and group databases used by the unit from the rest of the
2966             system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and
2967             other resources owned by users/groups not equaling C<root> or the unit\'s own will stay visible
2968             from within the unit but appear owned by the C<nobody> user and group. If this mode is enabled,
2969             all unit processes are run without privileges in the host user namespace (regardless if the unit\'s own
2970             user/group is C<root> or not). Specifically this means that the process will have zero process
2971             capabilities on the host\'s user namespace, but full capabilities within the service\'s user namespace. Settings
2972             such as C<CapabilityBoundingSet> will affect only the latter, and there\'s no way to acquire
2973             additional capabilities in the host\'s user namespace. Defaults to off.
2974              
2975             When this setting is set up by a per-user instance of the service manager, the mapping of the
2976             C<root> user and group to itself is omitted (unless the user manager is root).
2977             Additionally, in the per-user instance manager case, the
2978             user namespace will be set up before most other namespaces. This means that combining
2979             C<PrivateUsers>C<true> with other namespaces will enable use of features not
2980             normally supported by the per-user instances of the service manager.
2981              
2982             This setting is particularly useful in conjunction with
2983             C<RootDirectory>/C<RootImage>, as the need to synchronize the user and group
2984             databases in the root directory and on the host is reduced, as the only users and groups who need to be matched
2985             are C<root>, C<nobody> and the unit\'s own user and group.
2986              
2987             Note that the implementation of this setting might be impossible (for example if user namespaces are not
2988             available), and the unit should be written in a way that does not solely rely on this setting for
2989             security.',
2990             'type' => 'leaf',
2991             'value_type' => 'boolean',
2992             'write_as' => [
2993             'no',
2994             'yes'
2995             ]
2996             },
2997             'ProtectHostname',
2998             {
2999             'description' => 'Takes a boolean argument. When set, sets up a new UTS namespace for the executed
3000             processes. In addition, changing hostname or domainname is prevented. Defaults to off.
3001              
3002             Note that the implementation of this setting might be impossible (for example if UTS namespaces
3003             are not available), and the unit should be written in a way that does not solely rely on this setting
3004             for security.
3005              
3006             Note that when this option is enabled for a service hostname changes no longer propagate from
3007             the system into the service, it is hence not suitable for services that need to take notice of system
3008             hostname changes dynamically.
3009              
3010             If this setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN>
3011             capability (e.g. services for which C<User> is set),
3012             C<NoNewPrivileges=yes> is implied.',
3013             'type' => 'leaf',
3014             'value_type' => 'boolean',
3015             'write_as' => [
3016             'no',
3017             'yes'
3018             ]
3019             },
3020             'ProtectClock',
3021             {
3022             'description' => 'Takes a boolean argument. If set, writes to the hardware clock or system clock will be denied.
3023             It is recommended to turn this on for most services that do not need modify the clock. Defaults to off. Enabling
3024             this option removes C<CAP_SYS_TIME> and C<CAP_WAKE_ALARM> from the
3025             capability bounding set for this unit, installs a system call filter to block calls that can set the
3026             clock, and C<DeviceAllow=char-rtc r> is implied. This ensures C</dev/rtc0>,
3027             C</dev/rtc1>, etc. are made read-only to the service. See
3028             L<systemd.resource-control(5)>
3029             for the details about C<DeviceAllow>. If this setting is on, but the unit
3030             doesn\'t have the C<CAP_SYS_ADMIN> capability (e.g. services for which
3031             C<User> is set), C<NoNewPrivileges=yes> is implied.',
3032             'type' => 'leaf',
3033             'value_type' => 'boolean',
3034             'write_as' => [
3035             'no',
3036             'yes'
3037             ]
3038             },
3039             'ProtectKernelTunables',
3040             {
3041             'description' => 'Takes a boolean argument. If true, kernel variables accessible through
3042             C</proc/sys/>, C</sys/>, C</proc/sysrq-trigger>,
3043             C</proc/latency_stats>, C</proc/acpi>,
3044             C</proc/timer_stats>, C</proc/fs> and C</proc/irq> will
3045             be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at
3046             boot-time, for example with the
3047             L<sysctl.d(5)> mechanism. Few
3048             services need to write to these at runtime; it is hence recommended to turn this on for most services. For this
3049             setting the same restrictions regarding mount propagation and privileges apply as for
3050             C<ReadOnlyPaths> and related calls, see above. Defaults to off. If this
3051             setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN> capability
3052             (e.g. services for which C<User> is set),
3053             C<NoNewPrivileges=yes> is implied. Note that this option does not prevent
3054             indirect changes to kernel tunables effected by IPC calls to other processes. However,
3055             C<InaccessiblePaths> may be used to make relevant IPC file system objects
3056             inaccessible. If C<ProtectKernelTunables> is set,
3057             C<MountAPIVFS=yes> is implied.',
3058             'type' => 'leaf',
3059             'value_type' => 'boolean',
3060             'write_as' => [
3061             'no',
3062             'yes'
3063             ]
3064             },
3065             'ProtectKernelModules',
3066             {
3067             'description' => 'Takes a boolean argument. If true, explicit module loading will be denied. This allows
3068             module load and unload operations to be turned off on modular kernels. It is recommended to turn this on for most services
3069             that do not need special file systems or extra kernel modules to work. Defaults to off. Enabling this option
3070             removes C<CAP_SYS_MODULE> from the capability bounding set for the unit, and installs a
3071             system call filter to block module system calls, also C</usr/lib/modules> is made
3072             inaccessible. For this setting the same restrictions regarding mount propagation and privileges apply as for
3073             C<ReadOnlyPaths> and related calls, see above. Note that limited automatic module loading due
3074             to user configuration or kernel mapping tables might still happen as side effect of requested user operations,
3075             both privileged and unprivileged. To disable module auto-load feature please see
3076             L<sysctl.d(5)>C<kernel.modules_disabled> mechanism and
3077             C</proc/sys/kernel/modules_disabled> documentation. If this setting is on,
3078             but the unit doesn\'t have the C<CAP_SYS_ADMIN> capability (e.g. services for
3079             which C<User> is set), C<NoNewPrivileges=yes> is implied.',
3080             'type' => 'leaf',
3081             'value_type' => 'boolean',
3082             'write_as' => [
3083             'no',
3084             'yes'
3085             ]
3086             },
3087             'ProtectKernelLogs',
3088             {
3089             'description' => 'Takes a boolean argument. If true, access to the kernel log ring buffer will be denied. It is
3090             recommended to turn this on for most services that do not need to read from or write to the kernel log ring
3091             buffer. Enabling this option removes C<CAP_SYSLOG> from the capability bounding set for this
3092             unit, and installs a system call filter to block the
3093             L<syslog(2)>
3094             system call (not to be confused with the libc API
3095             L<syslog(3)>
3096             for userspace logging). The kernel exposes its log buffer to userspace via C</dev/kmsg> and
3097             C</proc/kmsg>. If enabled, these are made inaccessible to all the processes in the unit.
3098             If this setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN>
3099             capability (e.g. services for which C<User> is set),
3100             C<NoNewPrivileges=yes> is implied.',
3101             'type' => 'leaf',
3102             'value_type' => 'boolean',
3103             'write_as' => [
3104             'no',
3105             'yes'
3106             ]
3107             },
3108             'ProtectControlGroups',
3109             {
3110             'description' => 'Takes a boolean argument. If true, the Linux Control Groups (L<cgroups(7)>) hierarchies
3111             accessible through C</sys/fs/cgroup/> will be made read-only to all processes of the
3112             unit. Except for container managers no services should require write access to the control groups hierarchies;
3113             it is hence recommended to turn this on for most services. For this setting the same restrictions regarding
3114             mount propagation and privileges apply as for C<ReadOnlyPaths> and related calls, see
3115             above. Defaults to off. If C<ProtectControlGroups> is set, C<MountAPIVFS=yes>
3116             is implied.',
3117             'type' => 'leaf',
3118             'value_type' => 'boolean',
3119             'write_as' => [
3120             'no',
3121             'yes'
3122             ]
3123             },
3124             'RestrictAddressFamilies',
3125             {
3126             'description' => 'Restricts the set of socket address families accessible to the processes of this
3127             unit. Takes C<none>, or a space-separated list of address family names to
3128             allow-list, such as C<AF_UNIX>, C<AF_INET> or
3129             C<AF_INET6>. When C<none> is specified, then all address
3130             families will be denied. When prefixed with C<~> the listed address
3131             families will be applied as deny list, otherwise as allow list. Note that this restricts access
3132             to the
3133             L<socket(2)>
3134             system call only. Sockets passed into the process by other means (for example, by using socket
3135             activation with socket units, see
3136             L<systemd.socket(5)>)
3137             are unaffected. Also, sockets created with socketpair() (which creates connected
3138             AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x,
3139             mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on other ABIs,
3140             including x86-64). Note that on systems supporting multiple ABIs (such as x86/x86-64) it is
3141             recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the
3142             restrictions of this option. Specifically, it is recommended to combine this option with
3143             C<SystemCallArchitectures=native> or similar. If running in user mode, or in system
3144             mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3145             C<User>), C<NoNewPrivileges=yes> is implied. By default, no
3146             restrictions apply, all address families are accessible to processes. If assigned the empty string,
3147             any previous address family restriction changes are undone. This setting does not affect commands
3148             prefixed with C<+>.
3149              
3150             Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
3151             network protocols, such as C<AF_PACKET>. Note that in most cases, the local
3152             C<AF_UNIX> address family should be included in the configured allow list as it is frequently
3153             used for local communication, including for
3154             L<syslog(2)>
3155             logging.',
3156             'type' => 'leaf',
3157             'value_type' => 'uniline'
3158             },
3159             'RestrictFileSystems',
3160             {
3161             'description' => 'Restricts the set of filesystems processes of this unit can open files on. Takes a space-separated
3162             list of filesystem names. Any filesystem listed is made accessible to the unit\'s processes, access to filesystem
3163             types not listed is prohibited (allow-listing). If the first character of the list is C<~>, the
3164             effect is inverted: access to the filesystems listed is prohibited (deny-listing). If the empty string is assigned,
3165             access to filesystems is not restricted.
3166              
3167             If you specify both types of this option (i.e. allow-listing and deny-listing), the first encountered will take
3168             precedence and will dictate the default action (allow access to the filesystem or deny it). Then the next occurrences
3169             of this option will add or delete the listed filesystems from the set of the restricted filesystems, depending on its
3170             type and the default action.
3171              
3172             Example: if a unit has the following,
3173              
3174             RestrictFileSystems=ext4 tmpfs
3175             RestrictFileSystems=ext2 ext4
3176              
3177             then access to C<ext4>, C<tmpfs>, and C<ext2> is allowed
3178             and access to other filesystems is denied.
3179              
3180             Example: if a unit has the following,
3181              
3182             RestrictFileSystems=ext4 tmpfs
3183             RestrictFileSystems=~ext4
3184              
3185             then only access C<tmpfs> is allowed.
3186              
3187             Example: if a unit has the following,
3188              
3189             RestrictFileSystems=~ext4 tmpfs
3190             RestrictFileSystems=ext4
3191              
3192             then only access to C<tmpfs> is denied.
3193              
3194             As the number of possible filesystems is large, predefined sets of filesystems are provided. A set
3195             starts with C<@> character, followed by name of the set.
3196              
3197             Use
3198             L<systemd-analyze(1)>\'s
3199             filesystems command to retrieve a list of filesystems defined on the local
3200             system.
3201              
3202             Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is
3203             not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting
3204             has no effect.',
3205             'type' => 'leaf',
3206             'value_type' => 'uniline'
3207             },
3208             'RestrictNamespaces',
3209             {
3210             'description' => "Restricts access to Linux namespace functionality for the processes of this unit. For details
3211             about Linux namespaces, see L<namespaces(7)>. Either
3212             takes a boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no
3213             restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
3214             prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
3215             any combination of: C<cgroup>, C<ipc>, C<net>,
3216             C<mnt>, C<pid>, C<user> and C<uts>. Any
3217             namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
3218             prohibited (allow-listing). By prepending the list with a single tilde character (C<~>) the
3219             effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
3220             permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied,
3221             which is equivalent to false. This option may appear more than once, in which case the namespace types are
3222             merged by C<OR>, or by C<AND> if the lines are prefixed with
3223             C<~> (see examples below). Internally, this setting limits access to the
3224             L<unshare(2)>,
3225             L<clone(2)> and
3226             L<setns(2)> system calls, taking
3227             the specified flags parameters into account. Note that \x{2014} if this option is used \x{2014} in addition to restricting
3228             creation and switching of the specified types of namespaces (or all of them, if true) access to the
3229             setns() system call with a zero flags parameter is prohibited. This setting is only
3230             supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390
3231             and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but
3232             without the C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3233             C<NoNewPrivileges=yes> is implied.
3234              
3235             Example: if a unit has the following,
3236              
3237             RestrictNamespaces=cgroup ipc
3238             RestrictNamespaces=cgroup net
3239              
3240             then C<cgroup>, C<ipc>, and C<net> are set.
3241             If the second line is prefixed with C<~>, e.g.,
3242              
3243             RestrictNamespaces=cgroup ipc
3244             RestrictNamespaces=~cgroup net
3245              
3246             then, only C<ipc> is set.",
3247             'type' => 'leaf',
3248             'value_type' => 'uniline'
3249             },
3250             'LockPersonality',
3251             {
3252             'description' => 'Takes a boolean argument. If set, locks down the L<personality(2)> system
3253             call so that the kernel execution domain may not be changed from the default or the personality selected with
3254             C<Personality> directive. This may be useful to improve security, because odd personality
3255             emulations may be poorly tested and source of vulnerabilities. If running in user mode, or in system mode, but
3256             without the C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3257             C<NoNewPrivileges=yes> is implied.',
3258             'type' => 'leaf',
3259             'value_type' => 'boolean',
3260             'write_as' => [
3261             'no',
3262             'yes'
3263             ]
3264             },
3265             'MemoryDenyWriteExecute',
3266             {
3267             'description' => 'Takes a boolean argument. If set, attempts to create memory mappings that are writable and
3268             executable at the same time, or to change existing memory mappings to become executable, or mapping shared
3269             memory segments as executable, are prohibited. Specifically, a system call filter is added that rejects
3270             L<mmap(2)> system calls with both
3271             C<PROT_EXEC> and C<PROT_WRITE> set,
3272             L<mprotect(2)> or
3273             L<pkey_mprotect(2)> system calls
3274             with C<PROT_EXEC> set and
3275             L<shmat(2)> system calls with
3276             C<SHM_EXEC> set. Note that this option is incompatible with programs and libraries that
3277             generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
3278             "trampoline" feature of various C compilers. This option improves service security, as it makes harder for
3279             software exploits to change running code dynamically. However, the protection can be circumvented, if
3280             the service can write to a filesystem, which is not mounted with C<noexec> (such as
3281             C</dev/shm>), or it can use memfd_create(). This can be
3282             prevented by making such file systems inaccessible to the service
3283             (e.g. C<InaccessiblePaths=/dev/shm>) and installing further system call filters
3284             (C<SystemCallFilter=~memfd_create>). Note that this feature is fully available on
3285             x86-64, and partially on x86. Specifically, the shmat() protection is not
3286             available on x86. Note that on systems supporting multiple ABIs (such as x86/x86-64) it is
3287             recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the
3288             restrictions of this option. Specifically, it is recommended to combine this option with
3289             C<SystemCallArchitectures=native> or similar. If running in user mode, or in system
3290             mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3291             C<User>), C<NoNewPrivileges=yes> is implied.',
3292             'type' => 'leaf',
3293             'value_type' => 'boolean',
3294             'write_as' => [
3295             'no',
3296             'yes'
3297             ]
3298             },
3299             'RestrictRealtime',
3300             {
3301             'description' => 'Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
3302             the unit are refused. This restricts access to realtime task scheduling policies such as
3303             C<SCHED_FIFO>, C<SCHED_RR> or C<SCHED_DEADLINE>. See
3304             L<sched(7)>
3305             for details about these scheduling policies. If running in user mode, or in system mode, but without the
3306             C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3307             C<NoNewPrivileges=yes> is implied. Realtime scheduling policies may be used to monopolize CPU
3308             time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial-of-Service
3309             situations on the system. It is hence recommended to restrict access to realtime scheduling to the few programs
3310             that actually require them. Defaults to off.',
3311             'type' => 'leaf',
3312             'value_type' => 'boolean',
3313             'write_as' => [
3314             'no',
3315             'yes'
3316             ]
3317             },
3318             'RestrictSUIDSGID',
3319             {
3320             'description' => 'Takes a boolean argument. If set, any attempts to set the set-user-ID (SUID) or
3321             set-group-ID (SGID) bits on files or directories will be denied (for details on these bits see
3322             L<inode(7)>). If
3323             running in user mode, or in system mode, but without the C<CAP_SYS_ADMIN>
3324             capability (e.g. setting C<User>), C<NoNewPrivileges=yes> is
3325             implied. As the SUID/SGID bits are mechanisms to elevate privileges, and allow users to acquire the
3326             identity of other users, it is recommended to restrict creation of SUID/SGID files to the few
3327             programs that actually require them. Note that this restricts marking of any type of file system
3328             object with these bits, including both regular files and directories (where the SGID is a different
3329             meaning than for files, see documentation). This option is implied if C<DynamicUser>
3330             is enabled. Defaults to off.',
3331             'type' => 'leaf',
3332             'value_type' => 'boolean',
3333             'write_as' => [
3334             'no',
3335             'yes'
3336             ]
3337             },
3338             'RemoveIPC',
3339             {
3340             'description' => 'Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and
3341             group the processes of this unit are run as are removed when the unit is stopped. This setting only has an
3342             effect if at least one of C<User>, C<Group> and
3343             C<DynamicUser> are used. It has no effect on IPC objects owned by the root user. Specifically,
3344             this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If
3345             multiple units use the same user or group the IPC objects are removed when the last of these units is
3346             stopped. This setting is implied if C<DynamicUser> is set.',
3347             'type' => 'leaf',
3348             'value_type' => 'boolean',
3349             'write_as' => [
3350             'no',
3351             'yes'
3352             ]
3353             },
3354             'PrivateMounts',
3355             {
3356             'description' => "Takes a boolean parameter. If set, the processes of this unit will be run in their own private
3357             file system (mount) namespace with all mount propagation from the processes towards the host's main file system
3358             namespace turned off. This means any file system mount points established or removed by the unit's processes
3359             will be private to them and not be visible to the host. However, file system mount points established or
3360             removed on the host will be propagated to the unit's processes. See L<mount_namespaces(7)> for
3361             details on file system namespaces. Defaults to off.
3362              
3363             When turned on, this executes three operations for each invoked process: a new
3364             C<CLONE_NEWNS> namespace is created, after which all existing mounts are remounted to
3365             C<MS_SLAVE> to disable propagation from the unit's processes to the host (but leaving
3366             propagation in the opposite direction in effect). Finally, the mounts are remounted again to the propagation
3367             mode configured with C<MountFlags>, see below.
3368              
3369             File system namespaces are set up individually for each process forked off by the service manager. Mounts
3370             established in the namespace of the process created by C<ExecStartPre> will hence be cleaned
3371             up automatically as soon as that process exits and will not be available to subsequent processes forked off for
3372             C<ExecStart> (and similar applies to the various other commands configured for
3373             units). Similarly, C<JoinsNamespaceOf> does not permit sharing kernel mount namespaces between
3374             units, it only enables sharing of the C</tmp/> and C</var/tmp/>
3375             directories.
3376              
3377             Other file system namespace unit settings \x{2014} C<PrivateMounts>,
3378             C<PrivateTmp>, C<PrivateDevices>, C<ProtectSystem>,
3379             C<ProtectHome>, C<ReadOnlyPaths>, C<InaccessiblePaths>,
3380             C<ReadWritePaths>, \x{2026} \x{2014} also enable file system namespacing in a fashion equivalent to this
3381             option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are
3382             used.",
3383             'type' => 'leaf',
3384             'value_type' => 'boolean',
3385             'write_as' => [
3386             'no',
3387             'yes'
3388             ]
3389             },
3390             'MountFlags',
3391             {
3392             'description' => "Takes a mount propagation setting: C<shared>, C<slave> or
3393             C<private>, which controls whether file system mount points in the file system namespaces set up
3394             for this unit's processes will receive or propagate mounts and unmounts from other file system namespaces. See
3395             L<mount(2)>
3396             for details on mount propagation, and the three propagation flags in particular.
3397              
3398             This setting only controls the final propagation setting in effect on all mount
3399             points of the file system namespace created for each process of this unit. Other file system namespacing unit
3400             settings (see the discussion in C<PrivateMounts> above) will implicitly disable mount and
3401             unmount propagation from the unit's processes towards the host by changing the propagation setting of all mount
3402             points in the unit's file system namespace to C<slave> first. Setting this option to
3403             C<shared> does not reestablish propagation in that case.
3404              
3405             If not set \x{2013} but file system namespaces are enabled through another file system namespace unit setting \x{2013}
3406             C<shared> mount propagation is used, but \x{2014} as mentioned \x{2014} as C<slave> is applied
3407             first, propagation from the unit's processes to the host is still turned off.
3408              
3409             It is not recommended to use C<private> mount propagation for units, as this means
3410             temporary mounts (such as removable media) of the host will stay mounted and thus indefinitely busy in forked
3411             off processes, as unmount propagation events won't be received by the file system namespace of the unit.
3412              
3413             Usually, it is best to leave this setting unmodified, and use higher level file system namespacing
3414             options instead, in particular C<PrivateMounts>, see above.",
3415             'type' => 'leaf',
3416             'value_type' => 'uniline'
3417             },
3418             'SystemCallFilter',
3419             {
3420             'cargo' => {
3421             'type' => 'leaf',
3422             'value_type' => 'uniline'
3423             },
3424             'description' => "Takes a space-separated list of system call names. If this setting is used, all
3425             system calls executed by the unit processes except for the listed ones will result in immediate
3426             process termination with the C<SIGSYS> signal (allow-listing). (See
3427             C<SystemCallErrorNumber> below for changing the default action). If the first
3428             character of the list is C<~>, the effect is inverted: only the listed system calls
3429             will result in immediate process termination (deny-listing). Deny-listed system calls and system call
3430             groups may optionally be suffixed with a colon (C<:>) and C<errno>
3431             error number (between 0 and 4095) or errno name such as C<EPERM>,
3432             C<EACCES> or C<EUCLEAN> (see L<errno(3)> for a
3433             full list). This value will be returned when a deny-listed system call is triggered, instead of
3434             terminating the processes immediately. Special setting C<kill> can be used to
3435             explicitly specify killing. This value takes precedence over the one given in
3436             C<SystemCallErrorNumber>, see below. If running in user mode, or in system mode,
3437             but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3438             C<User>), C<NoNewPrivileges=yes> is implied. This feature
3439             makes use of the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering') and is useful
3440             for enforcing a minimal sandboxing environment. Note that the execve(),
3441             exit(), exit_group(), getrlimit(),
3442             rt_sigreturn(), sigreturn() system calls and the system calls
3443             for querying time and sleeping are implicitly allow-listed and do not need to be listed
3444             explicitly. This option may be specified more than once, in which case the filter masks are
3445             merged. If the empty string is assigned, the filter is reset, all prior assignments will have no
3446             effect. This does not affect commands prefixed with C<+>.
3447              
3448             Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off
3449             alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this
3450             option. Specifically, it is recommended to combine this option with
3451             C<SystemCallArchitectures=native> or similar.
3452              
3453             Note that strict system call filters may impact execution and error handling code paths of the service
3454             invocation. Specifically, access to the execve() system call is required for the execution
3455             of the service binary \x{2014} if it is blocked service invocation will necessarily fail. Also, if execution of the
3456             service binary fails for some reason (for example: missing service executable), the error handling logic might
3457             require access to an additional set of system calls in order to process and log this failure correctly. It
3458             might be necessary to temporarily disable system call filters in order to simplify debugging of such
3459             failures.
3460              
3461             If you specify both types of this option (i.e. allow-listing and deny-listing), the first
3462             encountered will take precedence and will dictate the default action (termination or approval of a
3463             system call). Then the next occurrences of this option will add or delete the listed system calls
3464             from the set of the filtered system calls, depending of its type and the default action. (For
3465             example, if you have started with an allow list rule for read() and
3466             write(), and right after it add a deny list rule for write(),
3467             then write() will be removed from the set.)
3468              
3469             As the number of possible system calls is large, predefined sets of system calls are provided. A set
3470             starts with C<\@> character, followed by name of the set.
3471             Currently predefined system call setsSetDescription\@aioAsynchronous I/O (L<io_setup(2)>, L<io_submit(2)>, and related calls)\@basic-ioSystem calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (L<read(2)>, L<write(2)>, and related calls)\@chownChanging file ownership (L<chown(2)>, L<fchownat(2)>, and related calls)\@clockSystem calls for changing the system clock (L<adjtimex(2)>, L<settimeofday(2)>, and related calls)\@cpu-emulationSystem calls for CPU emulation functionality (L<vm86(2)> and related calls)\@debugDebugging, performance monitoring and tracing functionality (L<ptrace(2)>, L<perf_event_open(2)> and related calls)\@file-systemFile system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links\@io-eventEvent loop system calls (L<poll(2)>, L<select(2)>, L<epoll(7)>, L<eventfd(2)> and related calls)\@ipcPipes, SysV IPC, POSIX Message Queues and other IPC (L<mq_overview(7)>, L<svipc(7)>)\@keyringKernel keyring access (L<keyctl(2)> and related calls)\@memlockLocking of memory in RAM (L<mlock(2)>, L<mlockall(2)> and related calls)\@moduleLoading and unloading of kernel modules (L<init_module(2)>, L<delete_module(2)> and related calls)\@mountMounting and unmounting of file systems (L<mount(2)>, L<chroot(2)>, and related calls)\@network-ioSocket I/O (including local AF_UNIX): L<socket(7)>, L<unix(7)>\@obsoleteUnusual, obsolete or unimplemented (L<create_module(2)>, L<gtty(2)>, \x{2026})\@privilegedAll system calls which need super-user capabilities (L<capabilities(7)>)\@processProcess control, execution, namespacing operations (L<clone(2)>, L<kill(2)>, L<namespaces(7)>, \x{2026})\@raw-ioRaw I/O port access (L<ioperm(2)>, L<iopl(2)>, pciconfig_read(), \x{2026})\@rebootSystem calls for rebooting and reboot preparation (L<reboot(2)>, kexec(), \x{2026})\@resourcesSystem calls for changing resource limits, memory and scheduling parameters (L<setrlimit(2)>, L<setpriority(2)>, \x{2026})\@setuidSystem calls for changing user ID and group ID credentials, (L<setuid(2)>, L<setgid(2)>, L<setresuid(2)>, \x{2026})\@signalSystem calls for manipulating and handling process signals (L<signal(2)>, L<sigprocmask(2)>, \x{2026})\@swapSystem calls for enabling/disabling swap devices (L<swapon(2)>, L<swapoff(2)>)\@syncSynchronizing files and memory to disk (L<fsync(2)>, L<msync(2)>, and related calls)\@system-serviceA reasonable set of system calls used by common system services, excluding any special purpose calls. This is the recommended starting point for allow-listing system calls for system services, as it contains what is typically needed by system services, but excludes overly specific interfaces. For example, the following APIs are excluded: C<\@clock>, C<\@mount>, C<\@swap>, C<\@reboot>.\@timerSystem calls for scheduling operations by time (L<alarm(2)>, L<timer_create(2)>, \x{2026})\@knownAll system calls defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systemd version was released. It will become progressively more out-of-date as the kernel is updated.
3472             Note, that as new system calls are added to the kernel, additional system calls might be added to the groups
3473             above. Contents of the sets may also change between systemd versions. In addition, the list of system calls
3474             depends on the kernel version and architecture for which systemd was compiled. Use
3475             systemd-analyze\x{a0}syscall-filter to list the actual list of system calls in each
3476             filter.
3477              
3478             Generally, allow-listing system calls (rather than deny-listing) is the safer mode of
3479             operation. It is recommended to enforce system call allow lists for all long-running system
3480             services. Specifically, the following lines are a relatively safe basic choice for the majority of
3481             system services:
3482              
3483             Note that various kernel system calls are defined redundantly: there are multiple system calls
3484             for executing the same operation. For example, the pidfd_send_signal() system
3485             call may be used to execute operations similar to what can be done with the older
3486             kill() system call, hence blocking the latter without the former only provides
3487             weak protection. Since new system calls are added regularly to the kernel as development progresses,
3488             keeping system call deny lists comprehensive requires constant work. It is thus recommended to use
3489             allow-listing instead, which offers the benefit that new system calls are by default implicitly
3490             blocked until the allow list is updated.
3491              
3492             Also note that a number of system calls are required to be accessible for the dynamic linker to
3493             work. The dynamic linker is required for running most regular programs (specifically: all dynamic ELF
3494             binaries, which is how most distributions build packaged programs). This means that blocking these
3495             system calls (which include open(), openat() or
3496             mmap()) will make most programs typically shipped with generic distributions
3497             unusable.
3498              
3499             It is recommended to combine the file system namespacing related options with
3500             C<SystemCallFilter=~\@mount>, in order to prohibit the unit's processes to undo the
3501             mappings. Specifically these are the options C<PrivateTmp>,
3502             C<PrivateDevices>, C<ProtectSystem>, C<ProtectHome>,
3503             C<ProtectKernelTunables>, C<ProtectControlGroups>,
3504             C<ProtectKernelLogs>, C<ProtectClock>, C<ReadOnlyPaths>,
3505             C<InaccessiblePaths> and C<ReadWritePaths>.",
3506             'type' => 'list'
3507             },
3508             'SystemCallErrorNumber',
3509             {
3510             'description' => 'Takes an C<errno> error number (between 1 and 4095) or errno name
3511             such as C<EPERM>, C<EACCES> or C<EUCLEAN>, to
3512             return when the system call filter configured with C<SystemCallFilter> is triggered,
3513             instead of terminating the process immediately. See L<errno(3)> for a
3514             full list of error codes. When this setting is not used, or when the empty string or the special
3515             setting C<kill> is assigned, the process will be terminated immediately when the
3516             filter is triggered.',
3517             'type' => 'leaf',
3518             'value_type' => 'uniline'
3519             },
3520             'SystemCallArchitectures',
3521             {
3522             'description' => "Takes a space-separated list of architecture identifiers to include in the system call
3523             filter. The known architecture identifiers are the same as for C<ConditionArchitecture>
3524             described in L<systemd.unit(5)>,
3525             as well as C<x32>, C<mips64-n32>, C<mips64-le-n32>, and
3526             the special identifier C<native>. The special identifier C<native>
3527             implicitly maps to the native architecture of the system (or more precisely: to the architecture the system
3528             manager is compiled for). If running in user mode, or in system mode, but without the
3529             C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3530             C<NoNewPrivileges=yes> is implied. By default, this option is set to the empty list, i.e. no
3531             filtering is applied.
3532              
3533             If this setting is used, processes of this unit will only be permitted to call native system calls, and
3534             system calls of the specified architectures. For the purposes of this option, the x32 architecture is treated
3535             as including x86-64 system calls. However, this setting still fulfills its purpose, as explained below, on
3536             x32.
3537              
3538             System call filtering is not equally effective on all architectures. For example, on x86
3539             filtering of network socket-related calls is not possible, due to ABI limitations \x{2014} a limitation that x86-64
3540             does not have, however. On systems supporting multiple ABIs at the same time \x{2014} such as x86/x86-64 \x{2014} it is hence
3541             recommended to limit the set of permitted system call architectures so that secondary ABIs may not be used to
3542             circumvent the restrictions applied to the native ABI of the system. In particular, setting
3543             C<SystemCallArchitectures=native> is a good choice for disabling non-native ABIs.
3544              
3545             System call architectures may also be restricted system-wide via the
3546             C<SystemCallArchitectures> option in the global configuration. See
3547             L<systemd-system.conf(5)> for
3548             details.",
3549             'type' => 'leaf',
3550             'value_type' => 'uniline'
3551             },
3552             'SystemCallLog',
3553             {
3554             'cargo' => {
3555             'type' => 'leaf',
3556             'value_type' => 'uniline'
3557             },
3558             'description' => 'Takes a space-separated list of system call names. If this setting is used, all
3559             system calls executed by the unit processes for the listed ones will be logged. If the first
3560             character of the list is C<~>, the effect is inverted: all system calls except the
3561             listed system calls will be logged. If running in user mode, or in system mode, but without the
3562             C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3563             C<NoNewPrivileges=yes> is implied. This feature makes use of the Secure Computing
3564             Mode 2 interfaces of the kernel (\'seccomp filtering\') and is useful for auditing or setting up a
3565             minimal sandboxing environment. This option may be specified more than once, in which case the filter
3566             masks are merged. If the empty string is assigned, the filter is reset, all prior assignments will
3567             have no effect. This does not affect commands prefixed with C<+>.',
3568             'type' => 'list'
3569             },
3570             'Environment',
3571             {
3572             'cargo' => {
3573             'type' => 'leaf',
3574             'value_type' => 'uniline'
3575             },
3576             'description' => "Sets environment variables for executed processes. Each line is unquoted using the
3577             rules described in \"Quoting\" section in
3578             L<systemd.syntax(7)>
3579             and becomes a list of variable assignments. If you need to assign a value containing spaces or the
3580             equals sign to a variable, put quotes around the whole assignment. Variable expansion is not
3581             performed inside the strings and the C<\$> character has no special meaning. Specifier
3582             expansion is performed, see the \"Specifiers\" section in
3583             L<systemd.unit(5)>.
3584              
3585             This option may be specified more than once, in which case all listed variables will be set. If
3586             the same variable is listed twice, the later setting will override the earlier setting. If the empty
3587             string is assigned to this option, the list of environment variables is reset, all prior assignments
3588             have no effect.
3589              
3590             The names of the variables can contain ASCII letters, digits, and the underscore character.
3591             Variable names cannot be empty or start with a digit. In variable values, most characters are
3592             allowed, but non-printable characters are currently rejected.
3593              
3594             Example:
3595              
3596             Environment=\"VAR1=word1 word2\" VAR2=word3 \"VAR3=\$word 5 6\"
3597              
3598             gives three variables C<VAR1>,
3599             C<VAR2>, C<VAR3>
3600             with the values C<word1 word2>,
3601             C<word3>, C<\$word 5 6>.
3602              
3603             See L<environ(7)> for
3604             details about environment variables.
3605              
3606             Note that environment variables are not suitable for passing secrets (such as passwords, key
3607             material, \x{2026}) to service processes. Environment variables set for a unit are exposed to unprivileged
3608             clients via D-Bus IPC, and generally not understood as being data that requires protection. Moreover,
3609             environment variables are propagated down the process tree, including across security boundaries
3610             (such as setuid/setgid executables), and hence might leak to processes that should not have access to
3611             the secret data. Use C<LoadCredential>, C<LoadCredentialEncrypted>
3612             or C<SetCredentialEncrypted> (see below) to pass data to unit processes
3613             securely.",
3614             'type' => 'list'
3615             },
3616             'EnvironmentFile',
3617             {
3618             'cargo' => {
3619             'type' => 'leaf',
3620             'value_type' => 'uniline'
3621             },
3622             'description' => 'Similar to C<Environment>, but reads the environment variables from
3623             a text file. The text file should contain newline-separated variable assignments. Empty lines, lines
3624             without an C<=> separator, or lines starting with C<;> or
3625             C<#> will be ignored, which may be used for commenting. The file must be UTF-8
3626             encoded. Valid characters are L<unicode scalar values|https://www.unicode.org/glossary/#unicode_scalar_value> other than
3627             L<noncharacters|https://www.unicode.org/glossary/#noncharacter>, U+0000 NUL, and
3628             U+FEFF L<byte order mark|https://www.unicode.org/glossary/#byte_order_mark>.
3629             Control codes other than NUL are allowed.
3630              
3631             In the file, an unquoted value after the C<=> is parsed with the same backslash-escape
3632             rules as L<unquoted
3633             text|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_01> in a POSIX shell, but unlike in a shell, interior whitespace is preserved and quotes after the
3634             first non-whitespace character are preserved. Leading and trailing whitespace (space, tab, carriage return) is
3635             discarded, but interior whitespace within the line is preserved verbatim. A line ending with a backslash will be
3636             continued to the following one, with the newline itself discarded. A backslash
3637             C<\\> followed by any character other than newline will preserve the following character, so that
3638             C<\\\\> will become the value C<\\>.
3639              
3640             In the file, a C<\'>-quoted value after the C<=> can span multiple lines
3641             and contain any character verbatim other than single quote, like L<single-quoted
3642             text|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_02> in a POSIX shell. No backslash-escape sequences are recognized. Leading and trailing whitespace
3643             outside of the single quotes is discarded.
3644              
3645             In the file, a C<">-quoted value after the C<=> can span multiple lines,
3646             and the same escape sequences are recognized as in L<double-quoted
3647             text|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_03> of a POSIX shell. Backslash (C<\\>) followed by any of C<"\\`$> will
3648             preserve that character. A backslash followed by newline is a line continuation, and the newline itself is
3649             discarded. A backslash followed by any other character is ignored; both the backslash and the following
3650             character are preserved verbatim. Leading and trailing whitespace outside of the double quotes is
3651             discarded.
3652              
3653             The argument passed should be an absolute filename or wildcard expression, optionally prefixed with
3654             C<->, which indicates that if the file does not exist, it will not be read and no error or
3655             warning message is logged. This option may be specified more than once in which case all specified files are
3656             read. If the empty string is assigned to this option, the list of file to read is reset, all prior assignments
3657             have no effect.
3658              
3659             The files listed with this directive will be read shortly before the process is executed (more
3660             specifically, after all processes from a previous unit state terminated. This means you can generate these
3661             files in one unit state, and read it with this option in the next. The files are read from the file
3662             system of the service manager, before any file system changes like bind mounts take place).
3663              
3664             Settings from these files override settings made with C<Environment>. If the same
3665             variable is set twice from these files, the files will be read in the order they are specified and the later
3666             setting will override the earlier setting.',
3667             'type' => 'list'
3668             },
3669             'PassEnvironment',
3670             {
3671             'cargo' => {
3672             'type' => 'leaf',
3673             'value_type' => 'uniline'
3674             },
3675             'description' => 'Pass environment variables set for the system service manager to executed processes. Takes a
3676             space-separated list of variable names. This option may be specified more than once, in which case all listed
3677             variables will be passed. If the empty string is assigned to this option, the list of environment variables to
3678             pass is reset, all prior assignments have no effect. Variables specified that are not set for the system
3679             manager will not be passed and will be silently ignored. Note that this option is only relevant for the system
3680             service manager, as system services by default do not automatically inherit any environment variables set for
3681             the service manager itself. However, in case of the user service manager all environment variables are passed
3682             to the executed processes anyway, hence this option is without effect for the user service manager.
3683              
3684             Variables set for invoked processes due to this setting are subject to being overridden by those
3685             configured with C<Environment> or C<EnvironmentFile>.
3686              
3687             Example:
3688              
3689             PassEnvironment=VAR1 VAR2 VAR3
3690              
3691             passes three variables C<VAR1>,
3692             C<VAR2>, C<VAR3>
3693             with the values set for those variables in PID1.
3694              
3695             See L<environ(7)> for details
3696             about environment variables.',
3697             'type' => 'list'
3698             },
3699             'UnsetEnvironment',
3700             {
3701             'cargo' => {
3702             'type' => 'leaf',
3703             'value_type' => 'uniline'
3704             },
3705             'description' => 'Explicitly unset environment variable assignments that would normally be passed from the
3706             service manager to invoked processes of this unit. Takes a space-separated list of variable names or variable
3707             assignments. This option may be specified more than once, in which case all listed variables/assignments will
3708             be unset. If the empty string is assigned to this option, the list of environment variables/assignments to
3709             unset is reset. If a variable assignment is specified (that is: a variable name, followed by
3710             C<=>, followed by its value), then any environment variable matching this precise assignment is
3711             removed. If a variable name is specified (that is a variable name without any following C<=> or
3712             value), then any assignment matching the variable name, regardless of its value is removed. Note that the
3713             effect of C<UnsetEnvironment> is applied as final step when the environment list passed to
3714             executed processes is compiled. That means it may undo assignments from any configuration source, including
3715             assignments made through C<Environment> or C<EnvironmentFile>, inherited from
3716             the system manager\'s global set of environment variables, inherited via C<PassEnvironment>,
3717             set by the service manager itself (such as C<$NOTIFY_SOCKET> and such), or set by a PAM module
3718             (in case C<PAMName> is used).
3719              
3720             See "Environment Variables in Spawned Processes" below for a description of how those
3721             settings combine to form the inherited environment. See L<environ(7)> for general
3722             information about environment variables.',
3723             'type' => 'list'
3724             },
3725             'StandardInput',
3726             {
3727             'choice' => [
3728             'null',
3729             'tty',
3730             'tty-force',
3731             'tty-fail',
3732             'data',
3733             'socket'
3734             ],
3735             'description' => "Controls where file descriptor 0 (STDIN) of the executed processes is connected to. Takes one
3736             of C<null>, C<tty>, C<tty-force>, C<tty-fail>,
3737             C<data>, C<file:path>, C<socket> or
3738             C<fd:name>.
3739              
3740             If C<null> is selected, standard input will be connected to C</dev/null>,
3741             i.e. all read attempts by the process will result in immediate EOF.
3742              
3743             If C<tty> is selected, standard input is connected to a TTY (as configured by
3744             C<TTYPath>, see below) and the executed process becomes the controlling process of the
3745             terminal. If the terminal is already being controlled by another process, the executed process waits until the
3746             current controlling process releases the terminal.
3747              
3748             C<tty-force> is similar to C<tty>, but the executed process is forcefully and
3749             immediately made the controlling process of the terminal, potentially removing previous controlling processes
3750             from the terminal.
3751              
3752             C<tty-fail> is similar to C<tty>, but if the terminal already has a
3753             controlling process start-up of the executed process fails.
3754              
3755             The C<data> option may be used to configure arbitrary textual or binary data to pass via
3756             standard input to the executed process. The data to pass is configured via
3757             C<StandardInputText>/C<StandardInputData> (see below). Note that the actual
3758             file descriptor type passed (memory file, regular file, UNIX pipe, \x{2026}) might depend on the kernel and available
3759             privileges. In any case, the file descriptor is read-only, and when read returns the specified data followed by
3760             EOF.
3761              
3762             The C<file:path> option may be used to connect a specific file
3763             system object to standard input. An absolute path following the C<:> character is expected,
3764             which may refer to a regular file, a FIFO or special file. If an C<AF_UNIX> socket in the
3765             file system is specified, a stream socket is connected to it. The latter is useful for connecting standard
3766             input of processes to arbitrary system services.
3767              
3768             The C<socket> option is valid in socket-activated services only, and requires the relevant
3769             socket unit file (see
3770             L<systemd.socket(5)> for details)
3771             to have C<Accept=yes> set, or to specify a single socket only. If this option is set, standard
3772             input will be connected to the socket the service was activated from, which is primarily useful for
3773             compatibility with daemons designed for use with the traditional L<inetd(8)> socket activation
3774             daemon.
3775              
3776             The C<fd:name> option connects standard input to a specific,
3777             named file descriptor provided by a socket unit. The name may be specified as part of this option, following a
3778             C<:> character (e.g. C<fd:foobar>). If no name is specified, the name
3779             C<stdin> is implied (i.e. C<fd> is equivalent to C<fd:stdin>).
3780             At least one socket unit defining the specified name must be provided via the C<Sockets>
3781             option, and the file descriptor name may differ from the name of its containing socket unit. If multiple
3782             matches are found, the first one will be used. See C<FileDescriptorName> in
3783             L<systemd.socket(5)> for more
3784             details about named file descriptors and their ordering.
3785              
3786             This setting defaults to C<null>, unless
3787             C<StandardInputText>/C<StandardInputData> are set, in which case it
3788             defaults to C<data>.",
3789             'type' => 'leaf',
3790             'value_type' => 'enum'
3791             },
3792             'StandardOutput',
3793             {
3794             'choice' => [
3795             'inherit',
3796             'null',
3797             'tty',
3798             'journal',
3799             'kmsg',
3800             'journal+console',
3801             'kmsg+console',
3802             'socket'
3803             ],
3804             'description' => "Controls where file descriptor 1 (stdout) of the executed processes is connected
3805             to. Takes one of C<inherit>, C<null>, C<tty>,
3806             C<journal>, C<kmsg>, C<journal+console>,
3807             C<kmsg+console>, C<file:path>,
3808             C<append:path>, C<truncate:path>,
3809             C<socket> or C<fd:name>.
3810              
3811             C<inherit> duplicates the file descriptor of standard input for standard output.
3812              
3813             C<null> connects standard output to C</dev/null>, i.e. everything written
3814             to it will be lost.
3815              
3816             C<tty> connects standard output to a tty (as configured via C<TTYPath>,
3817             see below). If the TTY is used for output only, the executed process will not become the controlling process of
3818             the terminal, and will not fail or wait for other processes to release the terminal.
3819              
3820             C<journal> connects standard output with the journal, which is accessible via
3821             L<journalctl(1)>. Note
3822             that everything that is written to kmsg (see below) is implicitly stored in the journal as well, the
3823             specific option listed below is hence a superset of this one. (Also note that any external,
3824             additional syslog daemons receive their log data from the journal, too, hence this is the option to
3825             use when logging shall be processed with such a daemon.)
3826              
3827             C<kmsg> connects standard output with the kernel log buffer which is accessible via
3828             L<dmesg(1)>,
3829             in addition to the journal. The journal daemon might be configured to send all logs to kmsg anyway, in which
3830             case this option is no different from C<journal>.
3831              
3832             C<journal+console> and C<kmsg+console> work in a similar way as the
3833             two options above but copy the output to the system console as well.
3834              
3835             The C<file:path> option may be used to connect a specific file
3836             system object to standard output. The semantics are similar to the same option of
3837             C<StandardInput>, see above. If path refers to a regular file
3838             on the filesystem, it is opened (created if it doesn't exist yet) for writing at the beginning of the file,
3839             but without truncating it.
3840             If standard input and output are directed to the same file path, it is opened only once \x{2014} for reading as well
3841             as writing \x{2014} and duplicated. This is particularly useful when the specified path refers to an
3842             C<AF_UNIX> socket in the file system, as in that case only a
3843             single stream connection is created for both input and output.
3844              
3845             C<append:path> is similar to
3846             C<file:path> above, but it opens the file in append mode.
3847              
3848             C<truncate:path> is similar to
3849             C<file:path> above, but it truncates the file when opening
3850             it. For units with multiple command lines, e.g. C<Type=oneshot> services with
3851             multiple C<ExecStart>, or services with C<ExecCondition>,
3852             C<ExecStartPre> or C<ExecStartPost>, the output file is reopened
3853             and therefore re-truncated for each command line. If the output file is truncated while another
3854             process still has the file open, e.g. by an C<ExecReload> running concurrently with
3855             an C<ExecStart>, and the other process continues writing to the file without
3856             adjusting its offset, then the space between the file pointers of the two processes may be filled
3857             with C<NUL> bytes, producing a sparse file. Thus,
3858             C<truncate:path> is typically only useful for units where
3859             only one process runs at a time, such as services with a single C<ExecStart> and no
3860             C<ExecStartPost>, C<ExecReload>, C<ExecStop> or
3861             similar.
3862              
3863             C<socket> connects standard output to a socket acquired via socket activation. The
3864             semantics are similar to the same option of C<StandardInput>, see above.
3865              
3866             The C<fd:name> option connects standard output to a
3867             specific, named file descriptor provided by a socket unit. A name may be specified as part of this
3868             option, following a C<:> character
3869             (e.g. C<fd:foobar>). If no name is specified, the name
3870             C<stdout> is implied (i.e. C<fd> is equivalent to
3871             C<fd:stdout>). At least one socket unit defining the specified name must be provided
3872             via the C<Sockets> option, and the file descriptor name may differ from the name of
3873             its containing socket unit. If multiple matches are found, the first one will be used. See
3874             C<FileDescriptorName> in
3875             L<systemd.socket(5)>
3876             for more details about named descriptors and their ordering.
3877              
3878             If the standard output (or error output, see below) of a unit is connected to the journal or
3879             the kernel log buffer, the unit will implicitly gain a dependency of type C<After>
3880             on C<systemd-journald.socket> (also see the \"Implicit Dependencies\" section
3881             above). Also note that in this case stdout (or stderr, see below) will be an
3882             C<AF_UNIX> stream socket, and not a pipe or FIFO that can be re-opened. This means
3883             when executing shell scripts the construct echo \"hello\" > /dev/stderr for
3884             writing text to stderr will not work. To mitigate this use the construct echo \"hello\"
3885             >&2 instead, which is mostly equivalent and avoids this pitfall.
3886              
3887             If C<StandardInput> is set to one of C<tty>, C<tty-force>,
3888             C<tty-fail>, C<socket>, or C<fd:name>, this
3889             setting defaults to C<inherit>.
3890              
3891             In other cases, this setting defaults to the value set with C<DefaultStandardOutput> in
3892             L<systemd-system.conf(5)>, which
3893             defaults to C<journal>. Note that setting this parameter might result in additional dependencies
3894             to be added to the unit (see above).",
3895             'type' => 'leaf',
3896             'value_type' => 'enum'
3897             },
3898             'StandardError',
3899             {
3900             'description' => 'Controls where file descriptor 2 (stderr) of the executed processes is connected to. The
3901             available options are identical to those of C<StandardOutput>, with some exceptions: if set to
3902             C<inherit> the file descriptor used for standard output is duplicated for standard error, while
3903             C<fd:name> will use a default file descriptor name of
3904             C<stderr>.
3905              
3906             This setting defaults to the value set with C<DefaultStandardError> in
3907             L<systemd-system.conf(5)>, which
3908             defaults to C<inherit>. Note that setting this parameter might result in additional dependencies
3909             to be added to the unit (see above).',
3910             'type' => 'leaf',
3911             'value_type' => 'uniline'
3912             },
3913             'StandardInputText',
3914             {
3915             'description' => 'Configures arbitrary textual or binary data to pass via file descriptor 0 (STDIN) to
3916             the executed processes. These settings have no effect unless C<StandardInput> is set
3917             to C<data> (which is the default if C<StandardInput> is not set
3918             otherwise, but C<StandardInputText>/C<StandardInputData> is). Use
3919             this option to embed process input data directly in the unit file.
3920              
3921             C<StandardInputText> accepts arbitrary textual data. C-style escapes for special
3922             characters as well as the usual C<%>-specifiers are resolved. Each time this setting is used
3923             the specified text is appended to the per-unit data buffer, followed by a newline character (thus every use
3924             appends a new line to the end of the buffer). Note that leading and trailing whitespace of lines configured
3925             with this option is removed. If an empty line is specified the buffer is cleared (hence, in order to insert an
3926             empty line, add an additional C<\\n> to the end or beginning of a line).
3927              
3928             C<StandardInputData> accepts arbitrary binary data, encoded in L<Base64|https://tools.ietf.org/html/rfc2045#section-6.8>. No escape sequences or specifiers are
3929             resolved. Any whitespace in the encoded version is ignored during decoding.
3930              
3931             Note that C<StandardInputText> and C<StandardInputData> operate on the
3932             same data buffer, and may be mixed in order to configure both binary and textual data for the same input
3933             stream. The textual or binary data is joined strictly in the order the settings appear in the unit
3934             file. Assigning an empty string to either will reset the data buffer.
3935              
3936             Please keep in mind that in order to maintain readability long unit file settings may be split into
3937             multiple lines, by suffixing each line (except for the last) with a C<\\> character (see
3938             L<systemd.unit(5)> for
3939             details). This is particularly useful for large data configured with these two options. Example:',
3940             'type' => 'leaf',
3941             'value_type' => 'uniline'
3942             },
3943             'StandardInputData',
3944             {
3945             'description' => 'Configures arbitrary textual or binary data to pass via file descriptor 0 (STDIN) to
3946             the executed processes. These settings have no effect unless C<StandardInput> is set
3947             to C<data> (which is the default if C<StandardInput> is not set
3948             otherwise, but C<StandardInputText>/C<StandardInputData> is). Use
3949             this option to embed process input data directly in the unit file.
3950              
3951             C<StandardInputText> accepts arbitrary textual data. C-style escapes for special
3952             characters as well as the usual C<%>-specifiers are resolved. Each time this setting is used
3953             the specified text is appended to the per-unit data buffer, followed by a newline character (thus every use
3954             appends a new line to the end of the buffer). Note that leading and trailing whitespace of lines configured
3955             with this option is removed. If an empty line is specified the buffer is cleared (hence, in order to insert an
3956             empty line, add an additional C<\\n> to the end or beginning of a line).
3957              
3958             C<StandardInputData> accepts arbitrary binary data, encoded in L<Base64|https://tools.ietf.org/html/rfc2045#section-6.8>. No escape sequences or specifiers are
3959             resolved. Any whitespace in the encoded version is ignored during decoding.
3960              
3961             Note that C<StandardInputText> and C<StandardInputData> operate on the
3962             same data buffer, and may be mixed in order to configure both binary and textual data for the same input
3963             stream. The textual or binary data is joined strictly in the order the settings appear in the unit
3964             file. Assigning an empty string to either will reset the data buffer.
3965              
3966             Please keep in mind that in order to maintain readability long unit file settings may be split into
3967             multiple lines, by suffixing each line (except for the last) with a C<\\> character (see
3968             L<systemd.unit(5)> for
3969             details). This is particularly useful for large data configured with these two options. Example:',
3970             'type' => 'leaf',
3971             'value_type' => 'uniline'
3972             },
3973             'LogLevelMax',
3974             {
3975             'description' => 'Configures filtering by log level of log messages generated by this unit. Takes a
3976             syslog log level, one of C<emerg> (lowest log level, only highest priority
3977             messages), C<alert>, C<crit>, C<err>, C<warning>,
3978             C<notice>, C<info>, C<debug> (highest log level, also lowest priority
3979             messages). See L<syslog(3)> for
3980             details. By default no filtering is applied (i.e. the default maximum log level is C<debug>). Use
3981             this option to configure the logging system to drop log messages of a specific service above the specified
3982             level. For example, set C<LogLevelMax>C<info> in order to turn off debug logging
3983             of a particularly chatty unit. Note that the configured level is applied to any log messages written by any
3984             of the processes belonging to this unit, as well as any log messages written by the system manager process
3985             (PID 1) in reference to this unit, sent via any supported logging protocol. The filtering is applied
3986             early in the logging pipeline, before any kind of further processing is done. Moreover, messages which pass
3987             through this filter successfully might still be dropped by filters applied at a later stage in the logging
3988             subsystem. For example, C<MaxLevelStore> configured in
3989             L<journald.conf(5)> might
3990             prohibit messages of higher log levels to be stored on disk, even though the per-unit
3991             C<LogLevelMax> permitted it to be processed.',
3992             'type' => 'leaf',
3993             'value_type' => 'uniline'
3994             },
3995             'LogExtraFields',
3996             {
3997             'description' => 'Configures additional log metadata fields to include in all log records generated by
3998             processes associated with this unit. This setting takes one or more journal field assignments in the
3999             format C<FIELD=VALUE> separated by whitespace. See
4000             L<systemd.journal-fields(7)>
4001             for details on the journal field concept. Even though the underlying journal implementation permits
4002             binary field values, this setting accepts only valid UTF-8 values. To include space characters in a
4003             journal field value, enclose the assignment in double quotes (").
4004             The usual specifiers are expanded in all assignments (see below). Note that this setting is not only
4005             useful for attaching additional metadata to log records of a unit, but given that all fields and
4006             values are indexed may also be used to implement cross-unit log record matching. Assign an empty
4007             string to reset the list.',
4008             'type' => 'leaf',
4009             'value_type' => 'uniline'
4010             },
4011             'LogRateLimitIntervalSec',
4012             {
4013             'description' => 'Configures the rate limiting that is applied to messages generated by this unit. If, in the
4014             time interval defined by C<LogRateLimitIntervalSec>, more messages than specified in
4015             C<LogRateLimitBurst> are logged by a service, all further messages within the interval are
4016             dropped until the interval is over. A message about the number of dropped messages is generated. The time
4017             specification for C<LogRateLimitIntervalSec> may be specified in the following units: "s",
4018             "min", "h", "ms", "us" (see
4019             L<systemd.time(7)> for details).
4020             The default settings are set by C<RateLimitIntervalSec> and C<RateLimitBurst>
4021             configured in L<journald.conf(5)>.
4022             ',
4023             'type' => 'leaf',
4024             'value_type' => 'uniline'
4025             },
4026             'LogRateLimitBurst',
4027             {
4028             'description' => 'Configures the rate limiting that is applied to messages generated by this unit. If, in the
4029             time interval defined by C<LogRateLimitIntervalSec>, more messages than specified in
4030             C<LogRateLimitBurst> are logged by a service, all further messages within the interval are
4031             dropped until the interval is over. A message about the number of dropped messages is generated. The time
4032             specification for C<LogRateLimitIntervalSec> may be specified in the following units: "s",
4033             "min", "h", "ms", "us" (see
4034             L<systemd.time(7)> for details).
4035             The default settings are set by C<RateLimitIntervalSec> and C<RateLimitBurst>
4036             configured in L<journald.conf(5)>.
4037             ',
4038             'type' => 'leaf',
4039             'value_type' => 'uniline'
4040             },
4041             'LogNamespace',
4042             {
4043             'description' => 'Run the unit\'s processes in the specified journal namespace. Expects a short
4044             user-defined string identifying the namespace. If not used the processes of the service are run in
4045             the default journal namespace, i.e. their log stream is collected and processed by
4046             C<systemd-journald.service>. If this option is used any log data generated by
4047             processes of this unit (regardless if via the syslog(), journal native logging
4048             or stdout/stderr logging) is collected and processed by an instance of the
4049             C<systemd-journald@.service> template unit, which manages the specified
4050             namespace. The log data is stored in a data store independent from the default log namespace\'s data
4051             store. See
4052             L<systemd-journald.service(8)>
4053             for details about journal namespaces.
4054              
4055             Internally, journal namespaces are implemented through Linux mount namespacing and
4056             over-mounting the directory that contains the relevant C<AF_UNIX> sockets used for
4057             logging in the unit\'s mount namespace. Since mount namespaces are used this setting disconnects
4058             propagation of mounts from the unit\'s processes to the host, similarly to how
4059             C<ReadOnlyPaths> and similar settings describe above work. Journal namespaces may hence
4060             not be used for services that need to establish mount points on the host.
4061              
4062             When this option is used the unit will automatically gain ordering and requirement dependencies
4063             on the two socket units associated with the C<systemd-journald@.service> instance
4064             so that they are automatically established prior to the unit starting up. Note that when this option
4065             is used log output of this service does not appear in the regular
4066             L<journalctl(1)>
4067             output, unless the C<--namespace=> option is used.',
4068             'type' => 'leaf',
4069             'value_type' => 'uniline'
4070             },
4071             'SyslogIdentifier',
4072             {
4073             'description' => 'Sets the process name ("syslog tag") to prefix log lines sent to
4074             the logging system or the kernel log buffer with. If not set, defaults to the process name of the
4075             executed process. This option is only useful when C<StandardOutput> or
4076             C<StandardError> are set to C<journal> or C<kmsg> (or to
4077             the same settings in combination with C<+console>) and only applies to log messages
4078             written to stdout or stderr.',
4079             'type' => 'leaf',
4080             'value_type' => 'uniline'
4081             },
4082             'SyslogFacility',
4083             {
4084             'description' => 'Sets the syslog facility identifier to use when logging. One of
4085             C<kern>, C<user>, C<mail>, C<daemon>,
4086             C<auth>, C<syslog>, C<lpr>, C<news>,
4087             C<uucp>, C<cron>, C<authpriv>, C<ftp>,
4088             C<local0>, C<local1>, C<local2>, C<local3>,
4089             C<local4>, C<local5>, C<local6> or
4090             C<local7>. See L<syslog(3)> for
4091             details. This option is only useful when C<StandardOutput> or
4092             C<StandardError> are set to C<journal> or C<kmsg> (or to
4093             the same settings in combination with C<+console>), and only applies to log messages
4094             written to stdout or stderr. Defaults to C<daemon>.',
4095             'type' => 'leaf',
4096             'value_type' => 'uniline'
4097             },
4098             'SyslogLevel',
4099             {
4100             'description' => 'The default syslog log level to use when logging to the logging system or
4101             the kernel log buffer. One of C<emerg>, C<alert>, C<crit>,
4102             C<err>, C<warning>, C<notice>, C<info>,
4103             C<debug>. See L<syslog(3)> for
4104             details. This option is only useful when C<StandardOutput> or
4105             C<StandardError> are set to C<journal> or
4106             C<kmsg> (or to the same settings in combination with C<+console>), and only applies
4107             to log messages written to stdout or stderr. Note that individual lines output by executed processes may be
4108             prefixed with a different log level which can be used to override the default log level specified here. The
4109             interpretation of these prefixes may be disabled with C<SyslogLevelPrefix>, see below. For
4110             details, see L<sd-daemon(3)>.
4111             Defaults to C<info>.',
4112             'type' => 'leaf',
4113             'value_type' => 'uniline'
4114             },
4115             'SyslogLevelPrefix',
4116             {
4117             'description' => 'Takes a boolean argument. If true and C<StandardOutput> or
4118             C<StandardError> are set to C<journal> or C<kmsg> (or to
4119             the same settings in combination with C<+console>), log lines written by the executed
4120             process that are prefixed with a log level will be processed with this log level set but the prefix
4121             removed. If set to false, the interpretation of these prefixes is disabled and the logged lines are
4122             passed on as-is. This only applies to log messages written to stdout or stderr. For details about
4123             this prefixing see
4124             L<sd-daemon(3)>.
4125             Defaults to true.',
4126             'type' => 'leaf',
4127             'value_type' => 'boolean',
4128             'write_as' => [
4129             'no',
4130             'yes'
4131             ]
4132             },
4133             'TTYPath',
4134             {
4135             'description' => 'Sets the terminal device node to use if standard input, output, or error are connected to a TTY
4136             (see above). Defaults to C</dev/console>.',
4137             'type' => 'leaf',
4138             'value_type' => 'uniline'
4139             },
4140             'TTYReset',
4141             {
4142             'description' => 'Reset the terminal device specified with C<TTYPath> before and after
4143             execution. Defaults to C<no>.',
4144             'type' => 'leaf',
4145             'value_type' => 'uniline'
4146             },
4147             'TTYVHangup',
4148             {
4149             'description' => 'Disconnect all clients which have opened the terminal device specified with
4150             C<TTYPath> before and after execution. Defaults to C<no>.',
4151             'type' => 'leaf',
4152             'value_type' => 'uniline'
4153             },
4154             'TTYRows',
4155             {
4156             'description' => 'Configure the size of the TTY specified with C<TTYPath>. If unset or
4157             set to the empty string, the kernel default is used.',
4158             'type' => 'leaf',
4159             'value_type' => 'uniline'
4160             },
4161             'TTYColumns',
4162             {
4163             'description' => 'Configure the size of the TTY specified with C<TTYPath>. If unset or
4164             set to the empty string, the kernel default is used.',
4165             'type' => 'leaf',
4166             'value_type' => 'uniline'
4167             },
4168             'TTYVTDisallocate',
4169             {
4170             'description' => 'If the terminal device specified with C<TTYPath> is a virtual console
4171             terminal, try to deallocate the TTY before and after execution. This ensures that the screen and scrollback
4172             buffer is cleared. Defaults to C<no>.',
4173             'type' => 'leaf',
4174             'value_type' => 'uniline'
4175             },
4176             'LoadCredential',
4177             {
4178             'description' => "Pass a credential to the unit. Credentials are limited-size binary or textual objects
4179             that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
4180             public and private) or certificates, user account information or identity information from host to
4181             services. The data is accessible from the unit's processes via the file system, at a read-only
4182             location that (if possible and permitted) is backed by non-swappable memory. The data is only
4183             accessible to the user associated with the unit, via the
4184             C<User>/C<DynamicUser> settings (as well as the superuser). When
4185             available, the location of credentials is exported as the C<\$CREDENTIALS_DIRECTORY>
4186             environment variable to the unit's processes.
4187              
4188             The C<LoadCredential> setting takes a textual ID to use as name for a
4189             credential plus a file system path, separated by a colon. The ID must be a short ASCII string
4190             suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
4191             is absolute it is opened as regular file and the credential data is read from it. If the absolute
4192             path refers to an C<AF_UNIX> stream socket in the file system a connection is made
4193             to it (only once at unit start-up) and the credential data read from the connection, providing an
4194             easy IPC integration point for dynamically transferring credentials from other services.
4195              
4196             If the specified path is not absolute and itself qualifies as valid credential identifier it is
4197             attempted to find a credential that the service manager itself received under the specified name \x{2014}
4198             which may be used to propagate credentials from an invoking environment (e.g. a container manager
4199             that invoked the service manager) into a service. If no matching system credential is found, the
4200             directories C</etc/credstore/>, C</run/credstore/> and
4201             C</usr/lib/credstore/> are searched for files under the credential's name \x{2014} which
4202             hence are recommended locations for credential data on disk. If
4203             C<LoadCredentialEncrypted> is used C</run/credstore.encrypted/>,
4204             C</etc/credstore.encrypted/>, and
4205             C</usr/lib/credstore.encrypted/> are searched as well.
4206              
4207             If the file system path is omitted it is chosen identical to the credential name, i.e. this is
4208             a terse way to declare credentials to inherit from the service manager into a service. This option
4209             may be used multiple times, each time defining an additional credential to pass to the unit.
4210              
4211             If an absolute path referring to a directory is specified, every file in that directory
4212             (recursively) will be loaded as a separate credential. The ID for each credential will be the
4213             provided ID suffixed with C<_\$FILENAME> (e.g., C<Key_file1>). When
4214             loading from a directory, symlinks will be ignored.
4215              
4216             The contents of the file/socket may be arbitrary binary or textual data, including newline
4217             characters and C<NUL> bytes.
4218              
4219             The C<LoadCredentialEncrypted> setting is identical to
4220             C<LoadCredential>, except that the credential data is decrypted and authenticated
4221             before being passed on to the executed processes. Specifically, the referenced path should refer to a
4222             file or socket with an encrypted credential, as implemented by
4223             L<systemd-creds(1)>. This
4224             credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
4225             in the same way a regular credential specified via C<LoadCredential> would be. A
4226             credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
4227             from the system's TPM2 security chip, or with a secret key stored in
4228             C</var/lib/systemd/credentials.secret>, or with both. Using encrypted and
4229             authenticated credentials improves security as credentials are not stored in plaintext and only
4230             authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
4231             credentials may be bound to the local hardware and installations, so that they cannot easily be
4232             analyzed offline, or be generated externally.
4233              
4234             The credential files/IPC sockets must be accessible to the service manager, but don't have to
4235             be directly accessible to the unit's processes: the credential data is read and copied into separate,
4236             read-only copies for the unit that are accessible to appropriately privileged processes. This is
4237             particularly useful in combination with C<DynamicUser> as this way privileged data
4238             can be made available to processes running under a dynamic UID (i.e. not a previously known one)
4239             without having to open up access to all users.
4240              
4241             In order to reference the path a credential may be read from within a
4242             C<ExecStart> command line use C<\${CREDENTIALS_DIRECTORY}/mycred>,
4243             e.g. C<ExecStart=cat \${CREDENTIALS_DIRECTORY}/mycred>. In order to reference the path
4244             a credential may be read from within a C<Environment> line use
4245             C<%d/mycred>, e.g. C<Environment=MYCREDPATH=%d/mycred>.
4246              
4247             Currently, an accumulated credential size limit of 1 MB per unit is enforced.
4248              
4249             The service manager itself may receive system credentials that can be propagated to services
4250             from a hosting container manager or VM hypervisor. See the L<Container Interface|https://systemd.io/CONTAINER_INTERFACE> documentation for details
4251             about the former. For the latter, pass L<DMI/SMBIOS|https://www.dmtf.org/standards/smbios> OEM string table entries (field type
4252             11) with a prefix of C<io.systemd.credential:> or
4253             C<io.systemd.credential.binary:>. In both cases a key/value pair separated by
4254             C<=> is expected, in the latter case the right-hand side is Base64 decoded when
4255             parsed (thus permitting binary data to be passed in). Example qemu switch: C<-smbios
4256             type=11,value=io.systemd.credential:xx=yy>, or C<-smbios
4257             type=11,value=io.systemd.credential.binary:rick=TmV2ZXIgR29ubmEgR2l2ZSBZb3UgVXA=>. Alternatively,
4258             use the qemu C<fw_cfg> node
4259             C<opt/io.systemd.credentials/>. Example qemu switch: C<-fw_cfg
4260             name=opt/io.systemd.credentials/mycred,string=supersecret>. They may also be specified on
4261             the kernel command line using the C<systemd.set_credential=> switch (see
4262             L<systemd(1)>) and from
4263             the UEFI firmware environment via
4264             L<systemd-stub(7)>.
4265              
4266             If referencing an C<AF_UNIX> stream socket to connect to, the connection will
4267             originate from an abstract namespace socket, that includes information about the unit and the
4268             credential ID in its socket name. Use L<getpeername(2)>
4269             to query this information. The returned socket name is formatted as C<NUL>RANDOM C</unit/> UNITC</> ID, i.e. a C<NUL> byte (as required
4270             for abstract namespace socket names), followed by a random string (consisting of alphadecimal
4271             characters), followed by the literal string C</unit/>, followed by the requesting
4272             unit name, followed by the literal character C</>, followed by the textual credential
4273             ID requested. Example: C<\\0adf9d86b6eda275e/unit/foobar.service/credx> in case the
4274             credential C<credx> is requested for a unit C<foobar.service>. This
4275             functionality is useful for using a single listening socket to serve credentials to multiple
4276             consumers.
4277              
4278             For further information see L<System and Service
4279             Credentials|https://systemd.io/CREDENTIALS> documentation.",
4280             'type' => 'leaf',
4281             'value_type' => 'uniline'
4282             },
4283             'LoadCredentialEncrypted',
4284             {
4285             'description' => "Pass a credential to the unit. Credentials are limited-size binary or textual objects
4286             that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
4287             public and private) or certificates, user account information or identity information from host to
4288             services. The data is accessible from the unit's processes via the file system, at a read-only
4289             location that (if possible and permitted) is backed by non-swappable memory. The data is only
4290             accessible to the user associated with the unit, via the
4291             C<User>/C<DynamicUser> settings (as well as the superuser). When
4292             available, the location of credentials is exported as the C<\$CREDENTIALS_DIRECTORY>
4293             environment variable to the unit's processes.
4294              
4295             The C<LoadCredential> setting takes a textual ID to use as name for a
4296             credential plus a file system path, separated by a colon. The ID must be a short ASCII string
4297             suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
4298             is absolute it is opened as regular file and the credential data is read from it. If the absolute
4299             path refers to an C<AF_UNIX> stream socket in the file system a connection is made
4300             to it (only once at unit start-up) and the credential data read from the connection, providing an
4301             easy IPC integration point for dynamically transferring credentials from other services.
4302              
4303             If the specified path is not absolute and itself qualifies as valid credential identifier it is
4304             attempted to find a credential that the service manager itself received under the specified name \x{2014}
4305             which may be used to propagate credentials from an invoking environment (e.g. a container manager
4306             that invoked the service manager) into a service. If no matching system credential is found, the
4307             directories C</etc/credstore/>, C</run/credstore/> and
4308             C</usr/lib/credstore/> are searched for files under the credential's name \x{2014} which
4309             hence are recommended locations for credential data on disk. If
4310             C<LoadCredentialEncrypted> is used C</run/credstore.encrypted/>,
4311             C</etc/credstore.encrypted/>, and
4312             C</usr/lib/credstore.encrypted/> are searched as well.
4313              
4314             If the file system path is omitted it is chosen identical to the credential name, i.e. this is
4315             a terse way to declare credentials to inherit from the service manager into a service. This option
4316             may be used multiple times, each time defining an additional credential to pass to the unit.
4317              
4318             If an absolute path referring to a directory is specified, every file in that directory
4319             (recursively) will be loaded as a separate credential. The ID for each credential will be the
4320             provided ID suffixed with C<_\$FILENAME> (e.g., C<Key_file1>). When
4321             loading from a directory, symlinks will be ignored.
4322              
4323             The contents of the file/socket may be arbitrary binary or textual data, including newline
4324             characters and C<NUL> bytes.
4325              
4326             The C<LoadCredentialEncrypted> setting is identical to
4327             C<LoadCredential>, except that the credential data is decrypted and authenticated
4328             before being passed on to the executed processes. Specifically, the referenced path should refer to a
4329             file or socket with an encrypted credential, as implemented by
4330             L<systemd-creds(1)>. This
4331             credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
4332             in the same way a regular credential specified via C<LoadCredential> would be. A
4333             credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
4334             from the system's TPM2 security chip, or with a secret key stored in
4335             C</var/lib/systemd/credentials.secret>, or with both. Using encrypted and
4336             authenticated credentials improves security as credentials are not stored in plaintext and only
4337             authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
4338             credentials may be bound to the local hardware and installations, so that they cannot easily be
4339             analyzed offline, or be generated externally.
4340              
4341             The credential files/IPC sockets must be accessible to the service manager, but don't have to
4342             be directly accessible to the unit's processes: the credential data is read and copied into separate,
4343             read-only copies for the unit that are accessible to appropriately privileged processes. This is
4344             particularly useful in combination with C<DynamicUser> as this way privileged data
4345             can be made available to processes running under a dynamic UID (i.e. not a previously known one)
4346             without having to open up access to all users.
4347              
4348             In order to reference the path a credential may be read from within a
4349             C<ExecStart> command line use C<\${CREDENTIALS_DIRECTORY}/mycred>,
4350             e.g. C<ExecStart=cat \${CREDENTIALS_DIRECTORY}/mycred>. In order to reference the path
4351             a credential may be read from within a C<Environment> line use
4352             C<%d/mycred>, e.g. C<Environment=MYCREDPATH=%d/mycred>.
4353              
4354             Currently, an accumulated credential size limit of 1 MB per unit is enforced.
4355              
4356             The service manager itself may receive system credentials that can be propagated to services
4357             from a hosting container manager or VM hypervisor. See the L<Container Interface|https://systemd.io/CONTAINER_INTERFACE> documentation for details
4358             about the former. For the latter, pass L<DMI/SMBIOS|https://www.dmtf.org/standards/smbios> OEM string table entries (field type
4359             11) with a prefix of C<io.systemd.credential:> or
4360             C<io.systemd.credential.binary:>. In both cases a key/value pair separated by
4361             C<=> is expected, in the latter case the right-hand side is Base64 decoded when
4362             parsed (thus permitting binary data to be passed in). Example qemu switch: C<-smbios
4363             type=11,value=io.systemd.credential:xx=yy>, or C<-smbios
4364             type=11,value=io.systemd.credential.binary:rick=TmV2ZXIgR29ubmEgR2l2ZSBZb3UgVXA=>. Alternatively,
4365             use the qemu C<fw_cfg> node
4366             C<opt/io.systemd.credentials/>. Example qemu switch: C<-fw_cfg
4367             name=opt/io.systemd.credentials/mycred,string=supersecret>. They may also be specified on
4368             the kernel command line using the C<systemd.set_credential=> switch (see
4369             L<systemd(1)>) and from
4370             the UEFI firmware environment via
4371             L<systemd-stub(7)>.
4372              
4373             If referencing an C<AF_UNIX> stream socket to connect to, the connection will
4374             originate from an abstract namespace socket, that includes information about the unit and the
4375             credential ID in its socket name. Use L<getpeername(2)>
4376             to query this information. The returned socket name is formatted as C<NUL>RANDOM C</unit/> UNITC</> ID, i.e. a C<NUL> byte (as required
4377             for abstract namespace socket names), followed by a random string (consisting of alphadecimal
4378             characters), followed by the literal string C</unit/>, followed by the requesting
4379             unit name, followed by the literal character C</>, followed by the textual credential
4380             ID requested. Example: C<\\0adf9d86b6eda275e/unit/foobar.service/credx> in case the
4381             credential C<credx> is requested for a unit C<foobar.service>. This
4382             functionality is useful for using a single listening socket to serve credentials to multiple
4383             consumers.
4384              
4385             For further information see L<System and Service
4386             Credentials|https://systemd.io/CREDENTIALS> documentation.",
4387             'type' => 'leaf',
4388             'value_type' => 'uniline'
4389             },
4390             'SetCredential',
4391             {
4392             'description' => 'The C<SetCredential> setting is similar to
4393             C<LoadCredential> but accepts a literal value to use as data for the credential,
4394             instead of a file system path to read the data from. Do not use this option for data that is supposed
4395             to be secret, as it is accessible to unprivileged processes via IPC. It\'s only safe to use this for
4396             user IDs, public key material and similar non-sensitive data. For everything else use
4397             C<LoadCredential>. In order to embed binary data into the credential data use
4398             C-style escaping (i.e. C<\\n> to embed a newline, or C<\\x00> to embed
4399             a C<NUL> byte).
4400              
4401             The C<SetCredentialEncrypted> setting is identical to
4402             C<SetCredential> but expects an encrypted credential in literal form as value. This
4403             allows embedding confidential credentials securely directly in unit files. Use
4404             L<systemd-creds(1)>\'
4405             C<-p> switch to generate suitable C<SetCredentialEncrypted> lines
4406             directly from plaintext credentials. For further details see
4407             C<LoadCredentialEncrypted> above.
4408              
4409             If a credential of the same ID is listed in both C<LoadCredential> and
4410             C<SetCredential>, the latter will act as default if the former cannot be
4411             retrieved. In this case not being able to retrieve the credential from the path specified in
4412             C<LoadCredential> is not considered fatal.',
4413             'type' => 'leaf',
4414             'value_type' => 'uniline'
4415             },
4416             'SetCredentialEncrypted',
4417             {
4418             'description' => 'The C<SetCredential> setting is similar to
4419             C<LoadCredential> but accepts a literal value to use as data for the credential,
4420             instead of a file system path to read the data from. Do not use this option for data that is supposed
4421             to be secret, as it is accessible to unprivileged processes via IPC. It\'s only safe to use this for
4422             user IDs, public key material and similar non-sensitive data. For everything else use
4423             C<LoadCredential>. In order to embed binary data into the credential data use
4424             C-style escaping (i.e. C<\\n> to embed a newline, or C<\\x00> to embed
4425             a C<NUL> byte).
4426              
4427             The C<SetCredentialEncrypted> setting is identical to
4428             C<SetCredential> but expects an encrypted credential in literal form as value. This
4429             allows embedding confidential credentials securely directly in unit files. Use
4430             L<systemd-creds(1)>\'
4431             C<-p> switch to generate suitable C<SetCredentialEncrypted> lines
4432             directly from plaintext credentials. For further details see
4433             C<LoadCredentialEncrypted> above.
4434              
4435             If a credential of the same ID is listed in both C<LoadCredential> and
4436             C<SetCredential>, the latter will act as default if the former cannot be
4437             retrieved. In this case not being able to retrieve the credential from the path specified in
4438             C<LoadCredential> is not considered fatal.',
4439             'type' => 'leaf',
4440             'value_type' => 'uniline'
4441             },
4442             'UtmpIdentifier',
4443             {
4444             'description' => 'Takes a four character identifier string for an L<utmp(5)> and wtmp entry
4445             for this service. This should only be set for services such as getty implementations (such
4446             as L<agetty(8)>) where utmp/wtmp
4447             entries must be created and cleared before and after execution, or for services that shall be executed as if
4448             they were run by a getty process (see below). If the configured string is longer than four
4449             characters, it is truncated and the terminal four characters are used. This setting interprets %I style string
4450             replacements. This setting is unset by default, i.e. no utmp/wtmp entries are created or cleaned up for this
4451             service.',
4452             'type' => 'leaf',
4453             'value_type' => 'uniline'
4454             },
4455             'UtmpMode',
4456             {
4457             'choice' => [
4458             'init',
4459             'login',
4460             'user'
4461             ],
4462             'description' => 'Takes one of C<init>, C<login> or C<user>. If
4463             C<UtmpIdentifier> is set, controls which type of L<utmp(5)>/wtmp entries
4464             for this service are generated. This setting has no effect unless C<UtmpIdentifier> is set
4465             too. If C<init> is set, only an C<INIT_PROCESS> entry is generated and the
4466             invoked process must implement a getty-compatible utmp/wtmp logic. If
4467             C<login> is set, first an C<INIT_PROCESS> entry, followed by a
4468             C<LOGIN_PROCESS> entry is generated. In this case, the invoked process must implement a
4469             L<login(1)>-compatible
4470             utmp/wtmp logic. If C<user> is set, first an C<INIT_PROCESS> entry, then a
4471             C<LOGIN_PROCESS> entry and finally a C<USER_PROCESS> entry is
4472             generated. In this case, the invoked process may be any process that is suitable to be run as session
4473             leader. Defaults to C<init>.',
4474             'type' => 'leaf',
4475             'value_type' => 'enum'
4476             }
4477             ],
4478             'generated_by' => 'parse-man.pl from systemd 252 doc',
4479             'license' => 'LGPLv2.1+',
4480             'name' => 'Systemd::Common::Exec'
4481             }
4482             ]
4483             ;
4484