File Coverage

blib/lib/Config/Model/models/Systemd/Common/Exec.pl

Criterion	Covered	Total	%
statement	18	18	100.0
branch			n/a
condition			n/a
subroutine	6	6	100.0
pod			n/a
total	24	24	100.0

line	stmt	sub	time	code
1				#
2				# This file is part of Config-Model-Systemd
3				#
4				# This software is Copyright (c) 2008-2022 by Dominique Dumont.
5				#
6				# This is free software, licensed under:
7				#
8				# The GNU Lesser General Public License, Version 2.1, February 1999
9				#
10	4	4	18050	use strict;
	4	1	9
	4	1	101
	1		3144
	1		2
	1		19
	1		3116
	1		2
	1		19
11	4	4	18	use warnings;
	4	1	8
	4	1	15822
	1		5
	1		2
	1		3830
	1		4
	1		3
	1		4241
12
13				return [
14				{
15				'accept' => [
16				'.*',
17				{
18				'type' => 'leaf',
19				'value_type' => 'uniline',
20				'warn' => 'Unexpected systemd parameter. Please contact cme author to update systemd model.'
21				}
22				],
23				'class_description' => 'Unit configuration files for services, sockets, mount points, and swap devices share a subset of
24				configuration options which define the execution environment of spawned processes.
25
26				This man page lists the configuration options shared by these four unit types. See
27				L<systemd.unit(5)> for the common
28				options of all unit configuration files, and
29				L<systemd.service(5)>,
30				L<systemd.socket(5)>,
31				L<systemd.swap(5)>, and
32				L<systemd.mount(5)> for more
33				information on the specific unit configuration files. The execution specific configuration options are configured
34				in the [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type.
35
36				In addition, options which control resources through Linux Control Groups (cgroups) are listed in
37				L<systemd.resource-control(5)>.
38				Those options complement options listed here.
39
40				The following service exit codes are defined by the L<LSB specification\|https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html>.
41
42
43
44				The LSB specification suggests that error codes 200 and above are reserved for implementations. Some of them are
45				used by the service manager to indicate problems during process invocation:
46
47
48				Finally, the BSD operating systems define a set of exit codes, typically defined on Linux systems too:
49				This configuration class was generated from systemd documentation.
50				by L<parse-man.pl\|https://github.com/dod38fr/config-model-systemd/contrib/parse-man.pl>
51				',
52				'copyright' => [
53				'2010-2016 Lennart Poettering and others',
54				'2016 Dominique Dumont'
55				],
56				'element' => [
57				'ExecSearchPath',
58				{
59				'cargo' => {
60				'type' => 'leaf',
61				'value_type' => 'uniline'
62				},
63				'description' => 'Takes a colon separated list of absolute paths relative to which the executable
64				used by the C<Exec*=> (e.g. C<ExecStart>,
65				C<ExecStop>, etc.) properties can be found. C<ExecSearchPath>
66				overrides C<$PATH> if C<$PATH> is not supplied by the user through
67				C<Environment>, C<EnvironmentFile> or
68				C<PassEnvironment>. Assigning an empty string removes previous assignments
69				and setting C<ExecSearchPath> to a value multiple times will append
70				to the previous setting.
71				',
72				'type' => 'list'
73				},
74				'WorkingDirectory',
75				{
76				'description' => 'Takes a directory path relative to the service\'s root directory specified by
77				C<RootDirectory>, or the special value C<~>. Sets the working directory for
78				executed processes. If set to C<~>, the home directory of the user specified in
79				C<User> is used. If not set, defaults to the root directory when systemd is running as a
80				system instance and the respective user\'s home directory if run as user. If the setting is prefixed with the
81				C<-> character, a missing working directory is not considered fatal. If
82				C<RootDirectory>/C<RootImage> is not set, then
83				C<WorkingDirectory> is relative to the root of the system running the service manager. Note
84				that setting this parameter might result in additional dependencies to be added to the unit (see
85				above).',
86				'type' => 'leaf',
87				'value_type' => 'uniline'
88				},
89				'RootDirectory',
90				{
91				'description' => 'Takes a directory path relative to the host\'s root directory (i.e. the root of the system
92				running the service manager). Sets the root directory for executed processes, with the L<chroot(2)> system
93				call. If this is used, it must be ensured that the process binary and all its auxiliary files are available in
94				the chroot() jail. Note that setting this parameter might result in additional
95				dependencies to be added to the unit (see above).
96
97				The C<MountAPIVFS> and C<PrivateUsers> settings are particularly useful
98				in conjunction with C<RootDirectory>. For details, see below.
99
100				If C<RootDirectory>/C<RootImage> are used together with
101				C<NotifyAccess> the notification socket is automatically mounted from the host into
102				the root environment, to ensure the notification interface can work correctly.
103
104				Note that services using C<RootDirectory>/C<RootImage> will
105				not be able to log via the syslog or journal protocols to the host logging infrastructure, unless the
106				relevant sockets are mounted from the host, specifically:',
107				'type' => 'leaf',
108				'value_type' => 'uniline'
109				},
110				'RootImage',
111				{
112				'description' => 'Takes a path to a block device node or regular file as argument. This call is similar
113				to C<RootDirectory> however mounts a file system hierarchy from a block device node
114				or loopback file instead of a directory. The device node or file system image file needs to contain a
115				file system without a partition table, or a file system within an MBR/MS-DOS or GPT partition table
116				with only a single Linux-compatible partition, or a set of file systems within a GPT partition table
117				that follows the L<Discoverable Partitions
118				Specification\|https://systemd.io/DISCOVERABLE_PARTITIONS>.
119
120				When C<DevicePolicy> is set to C<closed> or
121				C<strict>, or set to C<auto> and C<DeviceAllow> is
122				set, then this setting adds C</dev/loop-control> with C<rw> mode,
123				C<block-loop> and C<block-blkext> with C<rwm> mode
124				to C<DeviceAllow>. See
125				L<systemd.resource-control(5)>
126				for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
127				C<PrivateDevices> below, as it may change the setting of
128				C<DevicePolicy>.
129
130				Units making use of C<RootImage> automatically gain an
131				C<After> dependency on C<systemd-udevd.service>.',
132				'type' => 'leaf',
133				'value_type' => 'uniline'
134				},
135				'RootImageOptions',
136				{
137				'description' => 'Takes a comma-separated list of mount options that will be used on disk images specified by
138				C<RootImage>. Optionally a partition name can be prefixed, followed by colon, in
139				case the image has multiple partitions, otherwise partition name C<root> is implied.
140				Options for multiple partitions can be specified in a single line with space separators. Assigning an empty
141				string removes previous assignments. Duplicated options are ignored. For a list of valid mount options, please
142				refer to
143				L<mount(8)>.
144
145				Valid partition names follow the L<Discoverable Partitions Specification\|https://systemd.io/DISCOVERABLE_PARTITIONS>:
146				C<root>, C<usr>, C<home>, C<srv>,
147				C<esp>, C<xbootldr>, C<tmp>,
148				C<var>.',
149				'type' => 'leaf',
150				'value_type' => 'uniline'
151				},
152				'RootHash',
153				{
154				'description' => 'Takes a data integrity (dm-verity) root hash specified in hexadecimal, or the path to a file
155				containing a root hash in ASCII hexadecimal format. This option enables data integrity checks using dm-verity,
156				if the used image contains the appropriate integrity data (see above) or if C<RootVerity> is used.
157				The specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64
158				formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but
159				the image file carries the C<user.verity.roothash> extended file attribute (see L<xattr(7)>), then the root
160				hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or
161				is not supported by the underlying file system), but a file with the C<.roothash> suffix is
162				found next to the image file, bearing otherwise the same name (except if the image has the
163				C<.raw> suffix, in which case the root hash file must not have it in its name), the root hash
164				is read from it and automatically used, also as formatted hexadecimal characters.
165
166				If the disk image contains a separate C</usr/> partition it may also be
167				Verity protected, in which case the root hash may configured via an extended attribute
168				C<user.verity.usrhash> or a C<.usrhash> file adjacent to the disk
169				image. There\'s currently no option to configure the root hash for the C</usr/> file
170				system via the unit file directly.',
171				'type' => 'leaf',
172				'value_type' => 'uniline'
173				},
174				'RootHashSignature',
175				{
176				'description' => 'Takes a PKCS7 signature of the C<RootHash> option as a path to a
177				DER-encoded signature file, or as an ASCII base64 string encoding of a DER-encoded signature prefixed
178				by C<base64:>. The dm-verity volume will only be opened if the signature of the root
179				hash is valid and signed by a public key present in the kernel keyring. If this option is not
180				specified, but a file with the C<.roothash.p7s> suffix is found next to the image
181				file, bearing otherwise the same name (except if the image has the C<.raw> suffix,
182				in which case the signature file must not have it in its name), the signature is read from it and
183				automatically used.
184
185				If the disk image contains a separate C</usr/> partition it may also be
186				Verity protected, in which case the signature for the root hash may configured via a
187				C<.usrhash.p7s> file adjacent to the disk image. There\'s currently no option to
188				configure the root hash signature for the C</usr/> via the unit file
189				directly.',
190				'type' => 'leaf',
191				'value_type' => 'uniline'
192				},
193				'RootVerity',
194				{
195				'description' => 'Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks
196				using dm-verity, if C<RootImage> is used and a root-hash is passed and if the used image itself
197				does not contains the integrity data. The integrity data must be matched by the root hash. If this option is not
198				specified, but a file with the C<.verity> suffix is found next to the image file, bearing otherwise
199				the same name (except if the image has the C<.raw> suffix, in which case the verity data file must
200				not have it in its name), the verity data is read from it and automatically used.
201
202				This option is supported only for disk images that contain a single file system, without an
203				enveloping partition table. Images that contain a GPT partition table should instead include both
204				root file system and matching Verity data in the same image, implementing the L<Discoverable Partitions
205				Specification\|https://systemd.io/DISCOVERABLE_PARTITIONS>.',
206				'type' => 'leaf',
207				'value_type' => 'uniline'
208				},
209				'MountAPIVFS',
210				{
211				'description' => 'Takes a boolean argument. If on, a private mount namespace for the unit\'s processes is created
212				and the API file systems C</proc/>, C</sys/>, C</dev/> and
213				C</run/> (as an empty C<tmpfs>) are mounted inside of it, unless they are
214				already mounted. Note that this option has no effect unless used in conjunction with
215				C<RootDirectory>/C<RootImage> as these four mounts are
216				generally mounted in the host anyway, and unless the root directory is changed, the private mount namespace
217				will be a 1:1 copy of the host\'s, and include these four mounts. Note that the C</dev/> file
218				system of the host is bind mounted if this option is used without C<PrivateDevices>. To run
219				the service with a private, minimal version of C</dev/>, combine this option with
220				C<PrivateDevices>.
221
222				In order to allow propagating mounts at runtime in a safe manner, C</run/systemd/propagate>
223				on the host will be used to set up new mounts, and C</run/host/incoming/> in the private namespace
224				will be used as an intermediate step to store them before being moved to the final mount point.',
225				'type' => 'leaf',
226				'value_type' => 'boolean',
227				'write_as' => [
228				'no',
229				'yes'
230				]
231				},
232				'ProtectProc',
233				{
234				'choice' => [
235				'noaccess',
236				'invisible',
237				'ptraceable',
238				'default'
239				],
240				'description' => 'Takes one of C<noaccess>, C<invisible>,
241				C<ptraceable> or C<default> (which it defaults to). When set, this
242				controls the C<hidepid=> mount option of the C<procfs> instance for
243				the unit that controls which directories with process metainformation
244				(C</proc/PID>) are visible and accessible: when set to
245				C<noaccess> the ability to access most of other users\' process metadata in
246				C</proc/> is taken away for processes of the service. When set to
247				C<invisible> processes owned by other users are hidden from
248				C</proc/>. If C<ptraceable> all processes that cannot be
249				ptrace()\'ed by a process are hidden to it. If C<default> no
250				restrictions on C</proc/> access or visibility are made. For further details see
251				L<The /proc
252				Filesystem\|https://docs.kernel.org/filesystems/proc.html#mount-options>. It is generally recommended to run most system
253				services with this option set to
254				C<invisible>. This option is implemented via file system namespacing, and thus cannot
255				be used with services that shall be able to install mount points in the host file system
256				hierarchy. Note that the root user is unaffected by this option, so to be effective it has to be used
257				together with C<User> or C<DynamicUser=yes>, and also without the
258				C<CAP_SYS_PTRACE> capability, which also allows a process to bypass this feature. It
259				cannot be used for services that need to access metainformation about other users\' processes. This
260				option implies C<MountAPIVFS>.
261
262				If the kernel doesn\'t support per-mount point C<hidepid=> mount options this
263				setting remains without effect, and the unit\'s processes will be able to access and see other process
264				as if the option was not used.',
265				'type' => 'leaf',
266				'value_type' => 'enum'
267				},
268				'ProcSubset',
269				{
270				'choice' => [
271				'all',
272				'pid'
273				],
274				'description' => 'Takes one of C<all> (the default) and C<pid>. If
275				C<pid>, all files and directories not directly associated with process management and
276				introspection are made invisible in the C</proc/> file system configured for the
277				unit\'s processes. This controls the C<subset=> mount option of the
278				C<procfs> instance for the unit. For further details see L<The /proc
279				Filesystem\|https://docs.kernel.org/filesystems/proc.html#mount-options>. Note that Linux exposes various kernel APIs
280				via C</proc/>,
281				which are made unavailable with this setting. Since these APIs are used frequently this option is
282				useful only in a few, specific cases, and is not suitable for most non-trivial programs.
283
284				Much like C<ProtectProc> above, this is implemented via file system mount
285				namespacing, and hence the same restrictions apply: it is only available to system services, it
286				disables mount propagation to the host mount table, and it implies
287				C<MountAPIVFS>. Also, like C<ProtectProc> this setting is gracefully
288				disabled if the used kernel does not support the C<subset=> mount option of
289				C<procfs>.',
290				'type' => 'leaf',
291				'value_type' => 'enum'
292				},
293				'BindPaths',
294				{
295				'cargo' => {
296				'type' => 'leaf',
297				'value_type' => 'uniline'
298				},
299				'description' => 'Configures unit-specific bind mounts. A bind mount makes a particular file or directory
300				available at an additional place in the unit\'s view of the file system. Any bind mounts created with this
301				option are specific to the unit, and are not visible in the host\'s mount table. This option expects a
302				whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of
303				source path, destination path and option string, where the latter two are optional. If only a source path is
304				specified the source and destination is taken to be the same. The option string may be either
305				C<rbind> or C<norbind> for configuring a recursive or non-recursive bind
306				mount. If the destination path is omitted, the option string must be omitted too.
307				Each bind mount definition may be prefixed with C<->, in which case it will be ignored
308				when its source path does not exist.
309
310				C<BindPaths> creates regular writable bind mounts (unless the source file system mount
311				is already marked read-only), while C<BindReadOnlyPaths> creates read-only bind mounts. These
312				settings may be used more than once, each usage appends to the unit\'s list of bind mounts. If the empty string
313				is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note
314				that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is
315				used.
316
317				This option is particularly useful when C<RootDirectory>/C<RootImage>
318				is used. In this case the source path refers to a path on the host file system, while the destination path
319				refers to a path below the root directory of the unit.
320
321				Note that the destination directory must exist or systemd must be able to create it. Thus, it
322				is not possible to use those options for mount points nested underneath paths specified in
323				C<InaccessiblePaths>, or under C</home/> and other protected
324				directories if C<ProtectHome=yes> is
325				specified. C<TemporaryFileSystem> with C<:ro> or
326				C<ProtectHome=tmpfs> should be used instead.',
327				'type' => 'list'
328				},
329				'BindReadOnlyPaths',
330				{
331				'cargo' => {
332				'type' => 'leaf',
333				'value_type' => 'uniline'
334				},
335				'description' => 'Configures unit-specific bind mounts. A bind mount makes a particular file or directory
336				available at an additional place in the unit\'s view of the file system. Any bind mounts created with this
337				option are specific to the unit, and are not visible in the host\'s mount table. This option expects a
338				whitespace separated list of bind mount definitions. Each definition consists of a colon-separated triple of
339				source path, destination path and option string, where the latter two are optional. If only a source path is
340				specified the source and destination is taken to be the same. The option string may be either
341				C<rbind> or C<norbind> for configuring a recursive or non-recursive bind
342				mount. If the destination path is omitted, the option string must be omitted too.
343				Each bind mount definition may be prefixed with C<->, in which case it will be ignored
344				when its source path does not exist.
345
346				C<BindPaths> creates regular writable bind mounts (unless the source file system mount
347				is already marked read-only), while C<BindReadOnlyPaths> creates read-only bind mounts. These
348				settings may be used more than once, each usage appends to the unit\'s list of bind mounts. If the empty string
349				is assigned to either of these two options the entire list of bind mounts defined prior to this is reset. Note
350				that in this case both read-only and regular bind mounts are reset, regardless which of the two settings is
351				used.
352
353				This option is particularly useful when C<RootDirectory>/C<RootImage>
354				is used. In this case the source path refers to a path on the host file system, while the destination path
355				refers to a path below the root directory of the unit.
356
357				Note that the destination directory must exist or systemd must be able to create it. Thus, it
358				is not possible to use those options for mount points nested underneath paths specified in
359				C<InaccessiblePaths>, or under C</home/> and other protected
360				directories if C<ProtectHome=yes> is
361				specified. C<TemporaryFileSystem> with C<:ro> or
362				C<ProtectHome=tmpfs> should be used instead.',
363				'type' => 'list'
364				},
365				'MountImages',
366				{
367				'cargo' => {
368				'type' => 'leaf',
369				'value_type' => 'uniline'
370				},
371				'description' => 'This setting is similar to C<RootImage> in that it mounts a file
372				system hierarchy from a block device node or loopback file, but the destination directory can be
373				specified as well as mount options. This option expects a whitespace separated list of mount
374				definitions. Each definition consists of a colon-separated tuple of source path and destination
375				definitions, optionally followed by another colon and a list of mount options.
376
377				Mount options may be defined as a single comma-separated list of options, in which case they
378				will be implicitly applied to the root partition on the image, or a series of colon-separated tuples
379				of partition name and mount options. Valid partition names and mount options are the same as for
380				C<RootImageOptions> setting described above.
381
382				Each mount definition may be prefixed with C<->, in which case it will be
383				ignored when its source path does not exist. The source argument is a path to a block device node or
384				regular file. If source or destination contain a C<:>, it needs to be escaped as
385				C<\\:>. The device node or file system image file needs to follow the same rules as
386				specified for C<RootImage>. Any mounts created with this option are specific to the
387				unit, and are not visible in the host\'s mount table.
388
389				These settings may be used more than once, each usage appends to the unit\'s list of mount
390				paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
391				reset.
392
393				Note that the destination directory must exist or systemd must be able to create it. Thus, it
394				is not possible to use those options for mount points nested underneath paths specified in
395				C<InaccessiblePaths>, or under C</home/> and other protected
396				directories if C<ProtectHome=yes> is specified.
397
398				When C<DevicePolicy> is set to C<closed> or
399				C<strict>, or set to C<auto> and C<DeviceAllow> is
400				set, then this setting adds C</dev/loop-control> with C<rw> mode,
401				C<block-loop> and C<block-blkext> with C<rwm> mode
402				to C<DeviceAllow>. See
403				L<systemd.resource-control(5)>
404				for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
405				C<PrivateDevices> below, as it may change the setting of
406				C<DevicePolicy>.',
407				'type' => 'list'
408				},
409				'ExtensionImages',
410				{
411				'cargo' => {
412				'type' => 'leaf',
413				'value_type' => 'uniline'
414				},
415				'description' => 'This setting is similar to C<MountImages> in that it mounts a file
416				system hierarchy from a block device node or loopback file, but instead of providing a destination
417				path, an overlay will be set up. This option expects a whitespace separated list of mount
418				definitions. Each definition consists of a source path, optionally followed by a colon and a list of
419				mount options.
420
421				A read-only OverlayFS will be set up on top of C</usr/> and
422				C</opt/> hierarchies. The order in which the images are listed will determine the
423				order in which the overlay is laid down: images specified first to last will result in overlayfs
424				layers bottom to top.
425
426				Mount options may be defined as a single comma-separated list of options, in which case they
427				will be implicitly applied to the root partition on the image, or a series of colon-separated tuples
428				of partition name and mount options. Valid partition names and mount options are the same as for
429				C<RootImageOptions> setting described above.
430
431				Each mount definition may be prefixed with C<->, in which case it will be
432				ignored when its source path does not exist. The source argument is a path to a block device node or
433				regular file. If the source path contains a C<:>, it needs to be escaped as
434				C<\\:>. The device node or file system image file needs to follow the same rules as
435				specified for C<RootImage>. Any mounts created with this option are specific to the
436				unit, and are not visible in the host\'s mount table.
437
438				These settings may be used more than once, each usage appends to the unit\'s list of image
439				paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
440				reset.
441
442				Each image must carry a C</usr/lib/extension-release.d/extension-release.IMAGE>
443				file, with the appropriate metadata which matches C<RootImage>/C<RootDirectory>
444				or the host. See:
445				L<os-release(5)>.
446				To disable the safety check that the extension-release file name matches the image file name, the
447				C<x-systemd.relax-extension-release-check> mount option may be appended.
448
449				When C<DevicePolicy> is set to C<closed> or
450				C<strict>, or set to C<auto> and C<DeviceAllow> is
451				set, then this setting adds C</dev/loop-control> with C<rw> mode,
452				C<block-loop> and C<block-blkext> with C<rwm> mode
453				to C<DeviceAllow>. See
454				L<systemd.resource-control(5)>
455				for the details about C<DevicePolicy> or C<DeviceAllow>. Also, see
456				C<PrivateDevices> below, as it may change the setting of
457				C<DevicePolicy>.',
458				'type' => 'list'
459				},
460				'ExtensionDirectories',
461				{
462				'cargo' => {
463				'type' => 'leaf',
464				'value_type' => 'uniline'
465				},
466				'description' => 'This setting is similar to C<BindReadOnlyPaths> in that it mounts a file
467				system hierarchy from a directory, but instead of providing a destination path, an overlay will be set
468				up. This option expects a whitespace separated list of source directories.
469
470				A read-only OverlayFS will be set up on top of C</usr/> and
471				C</opt/> hierarchies. The order in which the directories are listed will determine
472				the order in which the overlay is laid down: directories specified first to last will result in overlayfs
473				layers bottom to top.
474
475				Each directory listed in C<ExtensionDirectories> may be prefixed with C<->,
476				in which case it will be ignored when its source path does not exist. Any mounts created with this option are
477				specific to the unit, and are not visible in the host\'s mount table.
478
479				These settings may be used more than once, each usage appends to the unit\'s list of directories
480				paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
481				reset.
482
483				Each directory must contain a C</usr/lib/extension-release.d/extension-release.IMAGE>
484				file, with the appropriate metadata which matches C<RootImage>/C<RootDirectory>
485				or the host. See:
486				L<os-release(5)>.
487
488				Note that usage from user units requires overlayfs support in unprivileged user namespaces,
489				which was first introduced in kernel v5.11.',
490				'type' => 'list'
491				},
492				'User',
493				{
494				'description' => "Set the UNIX user or group that the processes are executed as, respectively. Takes a single
495				user or group name, or a numeric ID as argument. For system services (services run by the system service
496				manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of
497				systemd --user), the default is C<root>, but C<User> may be
498				used to specify a different user. For user services of any other user, switching user identity is not
499				permitted, hence the only valid setting is the same user the user's service manager is running as. If no group
500				is set, the default group of the user is used. This setting does not affect commands whose command line is
501				prefixed with C<+>.
502
503				Note that this enforces only weak restrictions on the user/group name syntax, but will generate
504				warnings in many cases where user/group names do not adhere to the following rules: the specified
505				name should consist only of the characters a-z, A-Z, 0-9, C<_> and
506				C<->, except for the first character which must be one of a-z, A-Z and
507				C<_> (i.e. digits and C<-> are not permitted as first character). The
508				user/group name must have at least one character, and at most 31. These restrictions are made in
509				order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux
510				systems. For further details on the names accepted and the names warned about see L<User/Group Name
511				Syntax\|https://systemd.io/USER_NAMES>.
512
513				When used in conjunction with C<DynamicUser> the user/group name specified is
514				dynamically allocated at the time the service is started, and released at the time the service is
515				stopped \x{2014} unless it is already allocated statically (see below). If C<DynamicUser>
516				is not used the specified user and group must have been created statically in the user database no
517				later than the moment the service is started, for example using the
518				L<sysusers.d(5)>
519				facility, which is applied at boot or package install time. If the user does not exist by then
520				program invocation will fail.
521
522				If the C<User> setting is used the supplementary group list is initialized
523				from the specified user's default group list, as defined in the system's user and group
524				database. Additional groups may be configured through the C<SupplementaryGroups>
525				setting (see below).",
526				'type' => 'leaf',
527				'value_type' => 'uniline'
528				},
529				'Group',
530				{
531				'description' => "Set the UNIX user or group that the processes are executed as, respectively. Takes a single
532				user or group name, or a numeric ID as argument. For system services (services run by the system service
533				manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of
534				systemd --user), the default is C<root>, but C<User> may be
535				used to specify a different user. For user services of any other user, switching user identity is not
536				permitted, hence the only valid setting is the same user the user's service manager is running as. If no group
537				is set, the default group of the user is used. This setting does not affect commands whose command line is
538				prefixed with C<+>.
539
540				Note that this enforces only weak restrictions on the user/group name syntax, but will generate
541				warnings in many cases where user/group names do not adhere to the following rules: the specified
542				name should consist only of the characters a-z, A-Z, 0-9, C<_> and
543				C<->, except for the first character which must be one of a-z, A-Z and
544				C<_> (i.e. digits and C<-> are not permitted as first character). The
545				user/group name must have at least one character, and at most 31. These restrictions are made in
546				order to avoid ambiguities and to ensure user/group names and unit files remain portable among Linux
547				systems. For further details on the names accepted and the names warned about see L<User/Group Name
548				Syntax\|https://systemd.io/USER_NAMES>.
549
550				When used in conjunction with C<DynamicUser> the user/group name specified is
551				dynamically allocated at the time the service is started, and released at the time the service is
552				stopped \x{2014} unless it is already allocated statically (see below). If C<DynamicUser>
553				is not used the specified user and group must have been created statically in the user database no
554				later than the moment the service is started, for example using the
555				L<sysusers.d(5)>
556				facility, which is applied at boot or package install time. If the user does not exist by then
557				program invocation will fail.
558
559				If the C<User> setting is used the supplementary group list is initialized
560				from the specified user's default group list, as defined in the system's user and group
561				database. Additional groups may be configured through the C<SupplementaryGroups>
562				setting (see below).",
563				'type' => 'leaf',
564				'value_type' => 'uniline'
565				},
566				'DynamicUser',
567				{
568				'description' => "Takes a boolean parameter. If set, a UNIX user and group pair is allocated
569				dynamically when the unit is started, and released as soon as it is stopped. The user and group will
570				not be added to C</etc/passwd> or C</etc/group>, but are managed
571				transiently during runtime. The
572				L<nss-systemd(8)> glibc
573				NSS module provides integration of these dynamic users/groups into the system's user and group
574				databases. The user and group name to use may be configured via C<User> and
575				C<Group> (see above). If these options are not used and dynamic user/group
576				allocation is enabled for a unit, the name of the dynamic user/group is implicitly derived from the
577				unit name. If the unit name without the type suffix qualifies as valid user name it is used directly,
578				otherwise a name incorporating a hash of it is used. If a statically allocated user or group of the
579				configured name already exists, it is used and no dynamic user/group is allocated. Note that if
580				C<User> is specified and the static group with the name exists, then it is required
581				that the static user with the name already exists. Similarly, if C<Group> is
582				specified and the static user with the name exists, then it is required that the static group with
583				the name already exists. Dynamic users/groups are allocated from the UID/GID range 61184\x{2026}65519. It is
584				recommended to avoid this range for regular system or login users. At any point in time each UID/GID
585				from this range is only assigned to zero or one dynamically allocated users/groups in use. However,
586				UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running as
587				part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by
588				these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus
589				gain access to these files or directories. If C<DynamicUser> is enabled,
590				C<RemoveIPC> and C<PrivateTmp> are implied (and cannot be turned
591				off). This ensures that the lifetime of IPC objects and temporary files created by the executed
592				processes is bound to the runtime of the service, and hence the lifetime of the dynamic
593				user/group. Since C</tmp/> and C</var/tmp/> are usually the only
594				world-writable directories on a system this ensures that a unit making use of dynamic user/group
595				allocation cannot leave files around after unit termination. Furthermore
596				C<NoNewPrivileges> and C<RestrictSUIDSGID> are implicitly enabled
597				(and cannot be disabled), to ensure that processes invoked cannot take benefit or create SUID/SGID
598				files or directories. Moreover C<ProtectSystem=strict> and
599				C<ProtectHome=read-only> are implied, thus prohibiting the service to write to
600				arbitrary file system locations. In order to allow the service to write to certain directories, they
601				have to be allow-listed using C<ReadWritePaths>, but care must be taken so that
602				UID/GID recycling doesn't create security issues involving files created by the service. Use
603				C<RuntimeDirectory> (see below) in order to assign a writable runtime directory to a
604				service, owned by the dynamic user/group and removed automatically when the unit is terminated. Use
605				C<StateDirectory>, C<CacheDirectory> and
606				C<LogsDirectory> in order to assign a set of writable directories for specific
607				purposes to the service in a way that they are protected from vulnerabilities due to UID reuse (see
608				below). If this option is enabled, care should be taken that the unit's processes do not get access
609				to directories outside of these explicitly configured and managed ones. Specifically, do not use
610				C<BindPaths> and be careful with C<AF_UNIX> file descriptor
611				passing for directory file descriptors, as this would permit processes to create files or directories
612				owned by the dynamic user/group that are not subject to the lifecycle and access guarantees of the
613				service. Defaults to off.",
614				'type' => 'leaf',
615				'value_type' => 'boolean',
616				'write_as' => [
617				'no',
618				'yes'
619				]
620				},
621				'SupplementaryGroups',
622				{
623				'cargo' => {
624				'type' => 'leaf',
625				'value_type' => 'uniline'
626				},
627				'description' => 'Sets the supplementary Unix groups the processes are executed as. This takes a space-separated
628				list of group names or IDs. This option may be specified more than once, in which case all listed groups are
629				set as supplementary groups. When the empty string is assigned, the list of supplementary groups is reset, and
630				all assignments prior to this one will have no effect. In any way, this option does not override, but extends
631				the list of supplementary groups configured in the system group database for the user. This does not affect
632				commands prefixed with C<+>.',
633				'type' => 'list'
634				},
635				'PAMName',
636				{
637				'description' => 'Sets the PAM service name to set up a session as. If set, the executed process will be
638				registered as a PAM session under the specified service name. This is only useful in conjunction with the
639				C<User> setting, and is otherwise ignored. If not set, no PAM session will be opened for the
640				executed processes. See L<pam(8)> for
641				details.
642
643				Note that for each unit making use of this option a PAM session handler process will be maintained as
644				part of the unit and stays around as long as the unit is active, to ensure that appropriate actions can be
645				taken when the unit and hence the PAM session terminates. This process is named C<(sd-pam)> and
646				is an immediate child process of the unit\'s main process.
647
648				Note that when this option is used for a unit it is very likely (depending on PAM configuration) that the
649				main unit process will be migrated to its own session scope unit when it is activated. This process will hence
650				be associated with two units: the unit it was originally started from (and for which
651				C<PAMName> was configured), and the session scope unit. Any child processes of that process
652				will however be associated with the session scope unit only. This has implications when used in combination
653				with C<NotifyAccess>C<all>, as these child processes will not be able to affect
654				changes in the original unit through notification messages. These messages will be considered belonging to the
655				session scope unit and not the original unit. It is hence not recommended to use C<PAMName> in
656				combination with C<NotifyAccess>C<all>.',
657				'type' => 'leaf',
658				'value_type' => 'uniline'
659				},
660				'CapabilityBoundingSet',
661				{
662				'description' => 'Controls which capabilities to include in the capability bounding set for the
663				executed process. See L<capabilities(7)>
664				for details. Takes a whitespace-separated list of capability names,
665				e.g. C<CAP_SYS_ADMIN>, C<CAP_DAC_OVERRIDE>,
666				C<CAP_SYS_PTRACE>. Capabilities listed will be included in the bounding set, all
667				others are removed. If the list of capabilities is prefixed with C<~>, all but the
668				listed capabilities will be included, the effect of the assignment inverted. Note that this option
669				also affects the respective capabilities in the effective, permitted and inheritable capability
670				sets. If this option is not used, the capability bounding set is not modified on process execution,
671				hence no limits on the capabilities of the process are enforced. This option may appear more than
672				once, in which case the bounding sets are merged by C<OR>, or by
673				C<AND> if the lines are prefixed with C<~> (see below). If the
674				empty string is assigned to this option, the bounding set is reset to the empty capability set, and
675				all prior settings have no effect. If set to C<~> (without any further argument),
676				the bounding set is reset to the full set of available capabilities, also undoing any previous
677				settings. This does not affect commands prefixed with C<+>.
678
679				Use
680				L<systemd-analyze(1)>\'s
681				capability command to retrieve a list of capabilities defined on the local
682				system.
683
684				Example: if a unit has the following,
685
686				CapabilityBoundingSet=CAP_A CAP_B
687				CapabilityBoundingSet=CAP_B CAP_C
688
689				then C<CAP_A>, C<CAP_B>, and
690				C<CAP_C> are set. If the second line is prefixed with
691				C<~>, e.g.,
692
693				CapabilityBoundingSet=CAP_A CAP_B
694				CapabilityBoundingSet=~CAP_B CAP_C
695
696				then, only C<CAP_A> is set.',
697				'type' => 'leaf',
698				'value_type' => 'uniline'
699				},
700				'AmbientCapabilities',
701				{
702				'description' => 'Controls which capabilities to include in the ambient capability set for the executed
703				process. Takes a whitespace-separated list of capability names, e.g. C<CAP_SYS_ADMIN>,
704				C<CAP_DAC_OVERRIDE>, C<CAP_SYS_PTRACE>. This option may appear more than
705				once, in which case the ambient capability sets are merged (see the above examples in
706				C<CapabilityBoundingSet>). If the list of capabilities is prefixed with C<~>,
707				all but the listed capabilities will be included, the effect of the assignment inverted. If the empty string is
708				assigned to this option, the ambient capability set is reset to the empty capability set, and all prior
709				settings have no effect. If set to C<~> (without any further argument), the ambient capability
710				set is reset to the full set of available capabilities, also undoing any previous settings. Note that adding
711				capabilities to the ambient capability set adds them to the process\'s inherited capability set.
712
713				Ambient capability sets are useful if you want to execute a process as a non-privileged user but still want to
714				give it some capabilities. Note that in this case option C<keep-caps> is automatically added
715				to C<SecureBits> to retain the capabilities over the user
716				change. C<AmbientCapabilities> does not affect commands prefixed with
717				C<+>.',
718				'type' => 'leaf',
719				'value_type' => 'uniline'
720				},
721				'NoNewPrivileges',
722				{
723				'description' => 'Takes a boolean argument. If true, ensures that the service process and all its
724				children can never gain new privileges through execve() (e.g. via setuid or
725				setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that
726				a process and its children can never elevate privileges again. Defaults to false, but certain
727				settings override this and ignore the value of this setting. This is the case when
728				C<DynamicUser>, C<LockPersonality>,
729				C<MemoryDenyWriteExecute>, C<PrivateDevices>,
730				C<ProtectClock>, C<ProtectHostname>,
731				C<ProtectKernelLogs>, C<ProtectKernelModules>,
732				C<ProtectKernelTunables>, C<RestrictAddressFamilies>,
733				C<RestrictNamespaces>, C<RestrictRealtime>,
734				C<RestrictSUIDSGID>, C<SystemCallArchitectures>,
735				C<SystemCallFilter>, or C<SystemCallLog> are specified. Note that
736				even if this setting is overridden by them, systemctl show shows the original
737				value of this setting. In case the service will be run in a new mount namespace anyway and SELinux is
738				disabled, all file systems are mounted with C<MS_NOSUID> flag. Also see L<No New Privileges
739				Flag\|https://docs.kernel.org/userspace-api/no_new_privs.html>.
740
741				Note that this setting only has an effect on the unit\'s processes themselves (or any processes
742				directly or indirectly forked off them). It has no effect on processes potentially invoked on request
743				of them through tools such as L<at(1p)>,
744				L<crontab(1p)>,
745				L<systemd-run(1)>, or
746				arbitrary IPC services.',
747				'type' => 'leaf',
748				'value_type' => 'boolean',
749				'write_as' => [
750				'no',
751				'yes'
752				]
753				},
754				'SecureBits',
755				{
756				'description' => 'Controls the secure bits set for the executed process. Takes a space-separated combination of
757				options from the following list: C<keep-caps>, C<keep-caps-locked>,
758				C<no-setuid-fixup>, C<no-setuid-fixup-locked>, C<noroot>, and
759				C<noroot-locked>. This option may appear more than once, in which case the secure bits are
760				ORed. If the empty string is assigned to this option, the bits are reset to 0. This does not affect commands
761				prefixed with C<+>. See L<capabilities(7)> for
762				details.',
763				'type' => 'leaf',
764				'value_type' => 'uniline'
765				},
766				'SELinuxContext',
767				{
768				'description' => 'Set the SELinux security context of the executed process. If set, this will override the
769				automated domain transition. However, the policy still needs to authorize the transition. This directive is
770				ignored if SELinux is disabled. If prefixed by C<->, failing to set the SELinux
771				security context will be ignored, but it\'s still possible that the subsequent
772				execve() may fail if the policy doesn\'t allow the transition for the
773				non-overridden context. This does not affect commands prefixed with C<+>. See
774				L<setexeccon(3)>
775				for details.',
776				'type' => 'leaf',
777				'value_type' => 'uniline'
778				},
779				'AppArmorProfile',
780				{
781				'description' => 'Takes a profile name as argument. The process executed by the unit will switch to
782				this profile when started. Profiles must already be loaded in the kernel, or the unit will fail. If
783				prefixed by C<->, all errors will be ignored. This setting has no effect if AppArmor
784				is not enabled. This setting does not affect commands prefixed with C<+>.',
785				'type' => 'leaf',
786				'value_type' => 'uniline'
787				},
788				'SmackProcessLabel',
789				{
790				'description' => 'Takes a C<SMACK64> security label as argument. The process executed by the unit
791				will be started under this label and SMACK will decide whether the process is allowed to run or not, based on
792				it. The process will continue to run under the label specified here unless the executable has its own
793				C<SMACK64EXEC> label, in which case the process will transition to run under that label. When not
794				specified, the label that systemd is running under is used. This directive is ignored if SMACK is
795				disabled.
796
797				The value may be prefixed by C<->, in which case all errors will be ignored. An empty
798				value may be specified to unset previous assignments. This does not affect commands prefixed with
799				C<+>.',
800				'type' => 'leaf',
801				'value_type' => 'uniline'
802				},
803				'LimitCPU',
804				{
805				'description' => "Set soft and hard limits on various resources for executed processes. See
806				L<setrlimit(2)> for
807				details on the process resource limit concept. Process resource limits may be specified in two formats:
808				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
809				pair C<soft:hard> to set both limits individually
810				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
811				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
812				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
813				referring to time values, the usual time units ms, s, min, h and so on may be used (see
814				L<systemd.time(7)> for
815				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
816				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
817				implied. Also, note that the effective granularity of the limits might influence their
818				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
819				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
820				syntaxes: if prefixed with C<+> or C<->, the value is understood as
821				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
822				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
823
824				Note that most process resource limits configured with these options are per-process, and
825				processes may fork in order to acquire a new set of resources that are accounted independently of the
826				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
827				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
828				controls listed in
829				L<systemd.resource-control(5)>
830				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
831				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
832				powerful (and working) replacement for C<LimitRSS>.
833
834				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
835				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
836				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
837				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
838				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
839
840				Resource limits not configured explicitly for a unit default to the value configured in the various
841				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
842				L<systemd-system.conf(5)>, and \x{2013}
843				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
844				services, see below).
845
846				For system units these resource limits may be chosen freely. When these settings are configured
847				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
848				used to raise the limits above those set for the user manager itself when it was first invoked, as
849				the user's service manager generally lacks the privileges to do so. In user context these
850				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
851				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
852				available configuration mechanisms differ between operating systems, but typically require
853				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
854				setting limits on the system service encapsulating the user's service manager, i.e. the user's
855				instance of C<user\@.service>. After making such changes, make sure to restart the
856				user's service manager.",
857				'type' => 'leaf',
858				'value_type' => 'uniline'
859				},
860				'LimitFSIZE',
861				{
862				'description' => "Set soft and hard limits on various resources for executed processes. See
863				L<setrlimit(2)> for
864				details on the process resource limit concept. Process resource limits may be specified in two formats:
865				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
866				pair C<soft:hard> to set both limits individually
867				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
868				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
869				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
870				referring to time values, the usual time units ms, s, min, h and so on may be used (see
871				L<systemd.time(7)> for
872				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
873				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
874				implied. Also, note that the effective granularity of the limits might influence their
875				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
876				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
877				syntaxes: if prefixed with C<+> or C<->, the value is understood as
878				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
879				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
880
881				Note that most process resource limits configured with these options are per-process, and
882				processes may fork in order to acquire a new set of resources that are accounted independently of the
883				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
884				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
885				controls listed in
886				L<systemd.resource-control(5)>
887				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
888				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
889				powerful (and working) replacement for C<LimitRSS>.
890
891				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
892				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
893				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
894				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
895				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
896
897				Resource limits not configured explicitly for a unit default to the value configured in the various
898				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
899				L<systemd-system.conf(5)>, and \x{2013}
900				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
901				services, see below).
902
903				For system units these resource limits may be chosen freely. When these settings are configured
904				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
905				used to raise the limits above those set for the user manager itself when it was first invoked, as
906				the user's service manager generally lacks the privileges to do so. In user context these
907				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
908				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
909				available configuration mechanisms differ between operating systems, but typically require
910				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
911				setting limits on the system service encapsulating the user's service manager, i.e. the user's
912				instance of C<user\@.service>. After making such changes, make sure to restart the
913				user's service manager.",
914				'type' => 'leaf',
915				'value_type' => 'uniline'
916				},
917				'LimitDATA',
918				{
919				'description' => "Set soft and hard limits on various resources for executed processes. See
920				L<setrlimit(2)> for
921				details on the process resource limit concept. Process resource limits may be specified in two formats:
922				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
923				pair C<soft:hard> to set both limits individually
924				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
925				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
926				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
927				referring to time values, the usual time units ms, s, min, h and so on may be used (see
928				L<systemd.time(7)> for
929				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
930				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
931				implied. Also, note that the effective granularity of the limits might influence their
932				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
933				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
934				syntaxes: if prefixed with C<+> or C<->, the value is understood as
935				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
936				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
937
938				Note that most process resource limits configured with these options are per-process, and
939				processes may fork in order to acquire a new set of resources that are accounted independently of the
940				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
941				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
942				controls listed in
943				L<systemd.resource-control(5)>
944				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
945				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
946				powerful (and working) replacement for C<LimitRSS>.
947
948				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
949				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
950				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
951				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
952				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
953
954				Resource limits not configured explicitly for a unit default to the value configured in the various
955				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
956				L<systemd-system.conf(5)>, and \x{2013}
957				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
958				services, see below).
959
960				For system units these resource limits may be chosen freely. When these settings are configured
961				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
962				used to raise the limits above those set for the user manager itself when it was first invoked, as
963				the user's service manager generally lacks the privileges to do so. In user context these
964				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
965				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
966				available configuration mechanisms differ between operating systems, but typically require
967				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
968				setting limits on the system service encapsulating the user's service manager, i.e. the user's
969				instance of C<user\@.service>. After making such changes, make sure to restart the
970				user's service manager.",
971				'type' => 'leaf',
972				'value_type' => 'uniline'
973				},
974				'LimitSTACK',
975				{
976				'description' => "Set soft and hard limits on various resources for executed processes. See
977				L<setrlimit(2)> for
978				details on the process resource limit concept. Process resource limits may be specified in two formats:
979				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
980				pair C<soft:hard> to set both limits individually
981				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
982				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
983				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
984				referring to time values, the usual time units ms, s, min, h and so on may be used (see
985				L<systemd.time(7)> for
986				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
987				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
988				implied. Also, note that the effective granularity of the limits might influence their
989				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
990				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
991				syntaxes: if prefixed with C<+> or C<->, the value is understood as
992				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
993				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
994
995				Note that most process resource limits configured with these options are per-process, and
996				processes may fork in order to acquire a new set of resources that are accounted independently of the
997				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
998				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
999				controls listed in
1000				L<systemd.resource-control(5)>
1001				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1002				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1003				powerful (and working) replacement for C<LimitRSS>.
1004
1005				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1006				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1007				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1008				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1009				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1010
1011				Resource limits not configured explicitly for a unit default to the value configured in the various
1012				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1013				L<systemd-system.conf(5)>, and \x{2013}
1014				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1015				services, see below).
1016
1017				For system units these resource limits may be chosen freely. When these settings are configured
1018				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1019				used to raise the limits above those set for the user manager itself when it was first invoked, as
1020				the user's service manager generally lacks the privileges to do so. In user context these
1021				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1022				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1023				available configuration mechanisms differ between operating systems, but typically require
1024				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1025				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1026				instance of C<user\@.service>. After making such changes, make sure to restart the
1027				user's service manager.",
1028				'type' => 'leaf',
1029				'value_type' => 'uniline'
1030				},
1031				'LimitCORE',
1032				{
1033				'description' => "Set soft and hard limits on various resources for executed processes. See
1034				L<setrlimit(2)> for
1035				details on the process resource limit concept. Process resource limits may be specified in two formats:
1036				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1037				pair C<soft:hard> to set both limits individually
1038				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1039				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1040				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1041				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1042				L<systemd.time(7)> for
1043				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1044				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1045				implied. Also, note that the effective granularity of the limits might influence their
1046				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1047				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1048				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1049				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1050				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1051
1052				Note that most process resource limits configured with these options are per-process, and
1053				processes may fork in order to acquire a new set of resources that are accounted independently of the
1054				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1055				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1056				controls listed in
1057				L<systemd.resource-control(5)>
1058				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1059				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1060				powerful (and working) replacement for C<LimitRSS>.
1061
1062				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1063				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1064				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1065				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1066				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1067
1068				Resource limits not configured explicitly for a unit default to the value configured in the various
1069				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1070				L<systemd-system.conf(5)>, and \x{2013}
1071				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1072				services, see below).
1073
1074				For system units these resource limits may be chosen freely. When these settings are configured
1075				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1076				used to raise the limits above those set for the user manager itself when it was first invoked, as
1077				the user's service manager generally lacks the privileges to do so. In user context these
1078				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1079				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1080				available configuration mechanisms differ between operating systems, but typically require
1081				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1082				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1083				instance of C<user\@.service>. After making such changes, make sure to restart the
1084				user's service manager.",
1085				'type' => 'leaf',
1086				'value_type' => 'uniline'
1087				},
1088				'LimitRSS',
1089				{
1090				'description' => "Set soft and hard limits on various resources for executed processes. See
1091				L<setrlimit(2)> for
1092				details on the process resource limit concept. Process resource limits may be specified in two formats:
1093				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1094				pair C<soft:hard> to set both limits individually
1095				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1096				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1097				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1098				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1099				L<systemd.time(7)> for
1100				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1101				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1102				implied. Also, note that the effective granularity of the limits might influence their
1103				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1104				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1105				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1106				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1107				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1108
1109				Note that most process resource limits configured with these options are per-process, and
1110				processes may fork in order to acquire a new set of resources that are accounted independently of the
1111				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1112				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1113				controls listed in
1114				L<systemd.resource-control(5)>
1115				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1116				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1117				powerful (and working) replacement for C<LimitRSS>.
1118
1119				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1120				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1121				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1122				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1123				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1124
1125				Resource limits not configured explicitly for a unit default to the value configured in the various
1126				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1127				L<systemd-system.conf(5)>, and \x{2013}
1128				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1129				services, see below).
1130
1131				For system units these resource limits may be chosen freely. When these settings are configured
1132				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1133				used to raise the limits above those set for the user manager itself when it was first invoked, as
1134				the user's service manager generally lacks the privileges to do so. In user context these
1135				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1136				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1137				available configuration mechanisms differ between operating systems, but typically require
1138				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1139				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1140				instance of C<user\@.service>. After making such changes, make sure to restart the
1141				user's service manager.",
1142				'type' => 'leaf',
1143				'value_type' => 'uniline'
1144				},
1145				'LimitNOFILE',
1146				{
1147				'description' => "Set soft and hard limits on various resources for executed processes. See
1148				L<setrlimit(2)> for
1149				details on the process resource limit concept. Process resource limits may be specified in two formats:
1150				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1151				pair C<soft:hard> to set both limits individually
1152				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1153				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1154				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1155				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1156				L<systemd.time(7)> for
1157				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1158				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1159				implied. Also, note that the effective granularity of the limits might influence their
1160				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1161				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1162				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1163				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1164				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1165
1166				Note that most process resource limits configured with these options are per-process, and
1167				processes may fork in order to acquire a new set of resources that are accounted independently of the
1168				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1169				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1170				controls listed in
1171				L<systemd.resource-control(5)>
1172				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1173				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1174				powerful (and working) replacement for C<LimitRSS>.
1175
1176				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1177				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1178				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1179				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1180				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1181
1182				Resource limits not configured explicitly for a unit default to the value configured in the various
1183				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1184				L<systemd-system.conf(5)>, and \x{2013}
1185				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1186				services, see below).
1187
1188				For system units these resource limits may be chosen freely. When these settings are configured
1189				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1190				used to raise the limits above those set for the user manager itself when it was first invoked, as
1191				the user's service manager generally lacks the privileges to do so. In user context these
1192				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1193				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1194				available configuration mechanisms differ between operating systems, but typically require
1195				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1196				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1197				instance of C<user\@.service>. After making such changes, make sure to restart the
1198				user's service manager.",
1199				'type' => 'leaf',
1200				'value_type' => 'uniline'
1201				},
1202				'LimitAS',
1203				{
1204				'description' => "Set soft and hard limits on various resources for executed processes. See
1205				L<setrlimit(2)> for
1206				details on the process resource limit concept. Process resource limits may be specified in two formats:
1207				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1208				pair C<soft:hard> to set both limits individually
1209				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1210				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1211				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1212				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1213				L<systemd.time(7)> for
1214				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1215				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1216				implied. Also, note that the effective granularity of the limits might influence their
1217				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1218				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1219				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1220				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1221				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1222
1223				Note that most process resource limits configured with these options are per-process, and
1224				processes may fork in order to acquire a new set of resources that are accounted independently of the
1225				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1226				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1227				controls listed in
1228				L<systemd.resource-control(5)>
1229				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1230				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1231				powerful (and working) replacement for C<LimitRSS>.
1232
1233				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1234				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1235				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1236				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1237				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1238
1239				Resource limits not configured explicitly for a unit default to the value configured in the various
1240				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1241				L<systemd-system.conf(5)>, and \x{2013}
1242				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1243				services, see below).
1244
1245				For system units these resource limits may be chosen freely. When these settings are configured
1246				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1247				used to raise the limits above those set for the user manager itself when it was first invoked, as
1248				the user's service manager generally lacks the privileges to do so. In user context these
1249				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1250				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1251				available configuration mechanisms differ between operating systems, but typically require
1252				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1253				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1254				instance of C<user\@.service>. After making such changes, make sure to restart the
1255				user's service manager.",
1256				'type' => 'leaf',
1257				'value_type' => 'uniline'
1258				},
1259				'LimitNPROC',
1260				{
1261				'description' => "Set soft and hard limits on various resources for executed processes. See
1262				L<setrlimit(2)> for
1263				details on the process resource limit concept. Process resource limits may be specified in two formats:
1264				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1265				pair C<soft:hard> to set both limits individually
1266				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1267				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1268				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1269				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1270				L<systemd.time(7)> for
1271				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1272				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1273				implied. Also, note that the effective granularity of the limits might influence their
1274				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1275				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1276				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1277				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1278				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1279
1280				Note that most process resource limits configured with these options are per-process, and
1281				processes may fork in order to acquire a new set of resources that are accounted independently of the
1282				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1283				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1284				controls listed in
1285				L<systemd.resource-control(5)>
1286				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1287				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1288				powerful (and working) replacement for C<LimitRSS>.
1289
1290				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1291				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1292				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1293				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1294				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1295
1296				Resource limits not configured explicitly for a unit default to the value configured in the various
1297				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1298				L<systemd-system.conf(5)>, and \x{2013}
1299				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1300				services, see below).
1301
1302				For system units these resource limits may be chosen freely. When these settings are configured
1303				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1304				used to raise the limits above those set for the user manager itself when it was first invoked, as
1305				the user's service manager generally lacks the privileges to do so. In user context these
1306				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1307				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1308				available configuration mechanisms differ between operating systems, but typically require
1309				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1310				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1311				instance of C<user\@.service>. After making such changes, make sure to restart the
1312				user's service manager.",
1313				'type' => 'leaf',
1314				'value_type' => 'uniline'
1315				},
1316				'LimitMEMLOCK',
1317				{
1318				'description' => "Set soft and hard limits on various resources for executed processes. See
1319				L<setrlimit(2)> for
1320				details on the process resource limit concept. Process resource limits may be specified in two formats:
1321				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1322				pair C<soft:hard> to set both limits individually
1323				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1324				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1325				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1326				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1327				L<systemd.time(7)> for
1328				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1329				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1330				implied. Also, note that the effective granularity of the limits might influence their
1331				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1332				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1333				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1334				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1335				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1336
1337				Note that most process resource limits configured with these options are per-process, and
1338				processes may fork in order to acquire a new set of resources that are accounted independently of the
1339				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1340				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1341				controls listed in
1342				L<systemd.resource-control(5)>
1343				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1344				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1345				powerful (and working) replacement for C<LimitRSS>.
1346
1347				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1348				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1349				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1350				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1351				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1352
1353				Resource limits not configured explicitly for a unit default to the value configured in the various
1354				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1355				L<systemd-system.conf(5)>, and \x{2013}
1356				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1357				services, see below).
1358
1359				For system units these resource limits may be chosen freely. When these settings are configured
1360				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1361				used to raise the limits above those set for the user manager itself when it was first invoked, as
1362				the user's service manager generally lacks the privileges to do so. In user context these
1363				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1364				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1365				available configuration mechanisms differ between operating systems, but typically require
1366				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1367				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1368				instance of C<user\@.service>. After making such changes, make sure to restart the
1369				user's service manager.",
1370				'type' => 'leaf',
1371				'value_type' => 'uniline'
1372				},
1373				'LimitLOCKS',
1374				{
1375				'description' => "Set soft and hard limits on various resources for executed processes. See
1376				L<setrlimit(2)> for
1377				details on the process resource limit concept. Process resource limits may be specified in two formats:
1378				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1379				pair C<soft:hard> to set both limits individually
1380				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1381				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1382				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1383				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1384				L<systemd.time(7)> for
1385				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1386				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1387				implied. Also, note that the effective granularity of the limits might influence their
1388				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1389				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1390				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1391				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1392				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1393
1394				Note that most process resource limits configured with these options are per-process, and
1395				processes may fork in order to acquire a new set of resources that are accounted independently of the
1396				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1397				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1398				controls listed in
1399				L<systemd.resource-control(5)>
1400				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1401				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1402				powerful (and working) replacement for C<LimitRSS>.
1403
1404				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1405				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1406				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1407				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1408				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1409
1410				Resource limits not configured explicitly for a unit default to the value configured in the various
1411				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1412				L<systemd-system.conf(5)>, and \x{2013}
1413				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1414				services, see below).
1415
1416				For system units these resource limits may be chosen freely. When these settings are configured
1417				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1418				used to raise the limits above those set for the user manager itself when it was first invoked, as
1419				the user's service manager generally lacks the privileges to do so. In user context these
1420				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1421				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1422				available configuration mechanisms differ between operating systems, but typically require
1423				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1424				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1425				instance of C<user\@.service>. After making such changes, make sure to restart the
1426				user's service manager.",
1427				'type' => 'leaf',
1428				'value_type' => 'uniline'
1429				},
1430				'LimitSIGPENDING',
1431				{
1432				'description' => "Set soft and hard limits on various resources for executed processes. See
1433				L<setrlimit(2)> for
1434				details on the process resource limit concept. Process resource limits may be specified in two formats:
1435				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1436				pair C<soft:hard> to set both limits individually
1437				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1438				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1439				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1440				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1441				L<systemd.time(7)> for
1442				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1443				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1444				implied. Also, note that the effective granularity of the limits might influence their
1445				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1446				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1447				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1448				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1449				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1450
1451				Note that most process resource limits configured with these options are per-process, and
1452				processes may fork in order to acquire a new set of resources that are accounted independently of the
1453				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1454				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1455				controls listed in
1456				L<systemd.resource-control(5)>
1457				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1458				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1459				powerful (and working) replacement for C<LimitRSS>.
1460
1461				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1462				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1463				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1464				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1465				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1466
1467				Resource limits not configured explicitly for a unit default to the value configured in the various
1468				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1469				L<systemd-system.conf(5)>, and \x{2013}
1470				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1471				services, see below).
1472
1473				For system units these resource limits may be chosen freely. When these settings are configured
1474				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1475				used to raise the limits above those set for the user manager itself when it was first invoked, as
1476				the user's service manager generally lacks the privileges to do so. In user context these
1477				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1478				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1479				available configuration mechanisms differ between operating systems, but typically require
1480				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1481				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1482				instance of C<user\@.service>. After making such changes, make sure to restart the
1483				user's service manager.",
1484				'type' => 'leaf',
1485				'value_type' => 'uniline'
1486				},
1487				'LimitMSGQUEUE',
1488				{
1489				'description' => "Set soft and hard limits on various resources for executed processes. See
1490				L<setrlimit(2)> for
1491				details on the process resource limit concept. Process resource limits may be specified in two formats:
1492				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1493				pair C<soft:hard> to set both limits individually
1494				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1495				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1496				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1497				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1498				L<systemd.time(7)> for
1499				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1500				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1501				implied. Also, note that the effective granularity of the limits might influence their
1502				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1503				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1504				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1505				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1506				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1507
1508				Note that most process resource limits configured with these options are per-process, and
1509				processes may fork in order to acquire a new set of resources that are accounted independently of the
1510				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1511				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1512				controls listed in
1513				L<systemd.resource-control(5)>
1514				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1515				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1516				powerful (and working) replacement for C<LimitRSS>.
1517
1518				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1519				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1520				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1521				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1522				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1523
1524				Resource limits not configured explicitly for a unit default to the value configured in the various
1525				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1526				L<systemd-system.conf(5)>, and \x{2013}
1527				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1528				services, see below).
1529
1530				For system units these resource limits may be chosen freely. When these settings are configured
1531				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1532				used to raise the limits above those set for the user manager itself when it was first invoked, as
1533				the user's service manager generally lacks the privileges to do so. In user context these
1534				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1535				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1536				available configuration mechanisms differ between operating systems, but typically require
1537				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1538				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1539				instance of C<user\@.service>. After making such changes, make sure to restart the
1540				user's service manager.",
1541				'type' => 'leaf',
1542				'value_type' => 'uniline'
1543				},
1544				'LimitNICE',
1545				{
1546				'description' => "Set soft and hard limits on various resources for executed processes. See
1547				L<setrlimit(2)> for
1548				details on the process resource limit concept. Process resource limits may be specified in two formats:
1549				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1550				pair C<soft:hard> to set both limits individually
1551				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1552				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1553				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1554				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1555				L<systemd.time(7)> for
1556				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1557				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1558				implied. Also, note that the effective granularity of the limits might influence their
1559				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1560				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1561				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1562				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1563				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1564
1565				Note that most process resource limits configured with these options are per-process, and
1566				processes may fork in order to acquire a new set of resources that are accounted independently of the
1567				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1568				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1569				controls listed in
1570				L<systemd.resource-control(5)>
1571				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1572				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1573				powerful (and working) replacement for C<LimitRSS>.
1574
1575				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1576				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1577				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1578				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1579				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1580
1581				Resource limits not configured explicitly for a unit default to the value configured in the various
1582				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1583				L<systemd-system.conf(5)>, and \x{2013}
1584				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1585				services, see below).
1586
1587				For system units these resource limits may be chosen freely. When these settings are configured
1588				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1589				used to raise the limits above those set for the user manager itself when it was first invoked, as
1590				the user's service manager generally lacks the privileges to do so. In user context these
1591				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1592				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1593				available configuration mechanisms differ between operating systems, but typically require
1594				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1595				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1596				instance of C<user\@.service>. After making such changes, make sure to restart the
1597				user's service manager.",
1598				'type' => 'leaf',
1599				'value_type' => 'uniline'
1600				},
1601				'LimitRTPRIO',
1602				{
1603				'description' => "Set soft and hard limits on various resources for executed processes. See
1604				L<setrlimit(2)> for
1605				details on the process resource limit concept. Process resource limits may be specified in two formats:
1606				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1607				pair C<soft:hard> to set both limits individually
1608				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1609				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1610				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1611				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1612				L<systemd.time(7)> for
1613				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1614				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1615				implied. Also, note that the effective granularity of the limits might influence their
1616				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1617				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1618				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1619				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1620				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1621
1622				Note that most process resource limits configured with these options are per-process, and
1623				processes may fork in order to acquire a new set of resources that are accounted independently of the
1624				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1625				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1626				controls listed in
1627				L<systemd.resource-control(5)>
1628				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1629				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1630				powerful (and working) replacement for C<LimitRSS>.
1631
1632				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1633				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1634				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1635				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1636				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1637
1638				Resource limits not configured explicitly for a unit default to the value configured in the various
1639				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1640				L<systemd-system.conf(5)>, and \x{2013}
1641				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1642				services, see below).
1643
1644				For system units these resource limits may be chosen freely. When these settings are configured
1645				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1646				used to raise the limits above those set for the user manager itself when it was first invoked, as
1647				the user's service manager generally lacks the privileges to do so. In user context these
1648				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1649				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1650				available configuration mechanisms differ between operating systems, but typically require
1651				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1652				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1653				instance of C<user\@.service>. After making such changes, make sure to restart the
1654				user's service manager.",
1655				'type' => 'leaf',
1656				'value_type' => 'uniline'
1657				},
1658				'LimitRTTIME',
1659				{
1660				'description' => "Set soft and hard limits on various resources for executed processes. See
1661				L<setrlimit(2)> for
1662				details on the process resource limit concept. Process resource limits may be specified in two formats:
1663				either as single value to set a specific soft and hard limit to the same value, or as colon-separated
1664				pair C<soft:hard> to set both limits individually
1665				(e.g. C<LimitAS=4G:16G>). Use the string C<infinity> to configure no
1666				limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
1667				be used for resource limits measured in bytes (e.g. C<LimitAS=16G>). For the limits
1668				referring to time values, the usual time units ms, s, min, h and so on may be used (see
1669				L<systemd.time(7)> for
1670				details). Note that if no time unit is specified for C<LimitCPU> the default unit of
1671				seconds is implied, while for C<LimitRTTIME> the default unit of microseconds is
1672				implied. Also, note that the effective granularity of the limits might influence their
1673				enforcement. For example, time limits specified for C<LimitCPU> will be rounded up
1674				implicitly to multiples of 1s. For C<LimitNICE> the value may be specified in two
1675				syntaxes: if prefixed with C<+> or C<->, the value is understood as
1676				regular Linux nice value in the range -20\x{2026}19. If not prefixed like this the value is understood as
1677				raw resource limit parameter in the range 0\x{2026}40 (with 0 being equivalent to 1).
1678
1679				Note that most process resource limits configured with these options are per-process, and
1680				processes may fork in order to acquire a new set of resources that are accounted independently of the
1681				original process, and may thus escape limits set. Also note that C<LimitRSS> is not
1682				implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource
1683				controls listed in
1684				L<systemd.resource-control(5)>
1685				over these per-process limits, as they apply to services as a whole, may be altered dynamically at
1686				runtime, and are generally more expressive. For example, C<MemoryMax> is a more
1687				powerful (and working) replacement for C<LimitRSS>.
1688
1689				Note that C<LimitNPROC> will limit the number of processes from one (real) UID and
1690				not the number of processes started (forked) by the service. Therefore the limit is cumulative for all
1691				processes running under the same UID. Please also note that the C<LimitNPROC> will not be
1692				enforced if the service is running as root (and not dropping privileges). Due to these limitations,
1693				C<TasksMax> (see L<systemd.resource-control(5)>) is typically a better choice than C<LimitNPROC>.
1694
1695				Resource limits not configured explicitly for a unit default to the value configured in the various
1696				C<DefaultLimitCPU>, C<DefaultLimitFSIZE>, \x{2026} options available in
1697				L<systemd-system.conf(5)>, and \x{2013}
1698				if not configured there \x{2013} the kernel or per-user defaults, as defined by the OS (the latter only for user
1699				services, see below).
1700
1701				For system units these resource limits may be chosen freely. When these settings are configured
1702				in a user service (i.e. a service run by the per-user instance of the service manager) they cannot be
1703				used to raise the limits above those set for the user manager itself when it was first invoked, as
1704				the user's service manager generally lacks the privileges to do so. In user context these
1705				configuration options are hence only useful to lower the limits passed in or to raise the soft limit
1706				to the maximum of the hard limit as configured for the user. To raise the user's limits further, the
1707				available configuration mechanisms differ between operating systems, but typically require
1708				privileges. In most cases it is possible to configure higher per-user resource limits via PAM or by
1709				setting limits on the system service encapsulating the user's service manager, i.e. the user's
1710				instance of C<user\@.service>. After making such changes, make sure to restart the
1711				user's service manager.",
1712				'type' => 'leaf',
1713				'value_type' => 'uniline'
1714				},
1715				'UMask',
1716				{
1717				'description' => "Controls the file mode creation mask. Takes an access mode in octal notation. See
1718				L<umask(2)> for
1719				details. Defaults to 0022 for system units. For user units the default value is inherited from the
1720				per-user service manager (whose default is in turn inherited from the system service manager, and
1721				thus typically also is 0022 \x{2014} unless overridden by a PAM module). In order to change the per-user mask
1722				for all user services, consider setting the C<UMask> setting of the user's
1723				C<user\@.service> system service instance. The per-user umask may also be set via
1724				the C<umask> field of a user's L<JSON User
1725				Record\|https://systemd.io/USER_RECORD> (for users managed by
1726				L<systemd-homed.service(8)>
1727				this field may be controlled via homectl --umask=). It may also be set via a PAM
1728				module, such as L<pam_umask(8)>.",
1729				'type' => 'leaf',
1730				'value_type' => 'uniline'
1731				},
1732				'CoredumpFilter',
1733				{
1734				'description' => 'Controls which types of memory mappings will be saved if the process dumps core
1735				(using the C</proc/pid/coredump_filter> file). Takes a
1736				whitespace-separated combination of mapping type names or numbers (with the default base 16). Mapping
1737				type names are C<private-anonymous>, C<shared-anonymous>,
1738				C<private-file-backed>, C<shared-file-backed>,
1739				C<elf-headers>, C<private-huge>,
1740				C<shared-huge>, C<private-dax>, C<shared-dax>,
1741				and the special values C<all> (all types) and C<default> (the
1742				kernel default of C<private-anonymous>C<shared-anonymous> C<elf-headers>C<private-huge>). See
1743				L<core(5)>
1744				for the meaning of the mapping types. When specified multiple times, all specified masks are
1745				ORed. When not set, or if the empty value is assigned, the inherited value is not changed.',
1746				'type' => 'leaf',
1747				'value_type' => 'uniline'
1748				},
1749				'KeyringMode',
1750				{
1751				'choice' => [
1752				'inherit',
1753				'private',
1754				'shared'
1755				],
1756				'description' => 'Controls how the kernel session keyring is set up for the service (see L<session-keyring(7)> for
1757				details on the session keyring). Takes one of C<inherit>, C<private>,
1758				C<shared>. If set to C<inherit> no special keyring setup is done, and the kernel\'s
1759				default behaviour is applied. If C<private> is used a new session keyring is allocated when a
1760				service process is invoked, and it is not linked up with any user keyring. This is the recommended setting for
1761				system services, as this ensures that multiple services running under the same system user ID (in particular
1762				the root user) do not share their key material among each other. If C<shared> is used a new
1763				session keyring is allocated as for C<private>, but the user keyring of the user configured with
1764				C<User> is linked into it, so that keys assigned to the user may be requested by the unit\'s
1765				processes. In this modes multiple units running processes under the same user ID may share key material. Unless
1766				C<inherit> is selected the unique invocation ID for the unit (see below) is added as a protected
1767				key by the name C<invocation_id> to the newly created session keyring. Defaults to
1768				C<private> for services of the system service manager and to C<inherit> for
1769				non-service units and for services of the user service manager.',
1770				'type' => 'leaf',
1771				'value_type' => 'enum'
1772				},
1773				'OOMScoreAdjust',
1774				{
1775				'description' => 'Sets the adjustment value for the Linux kernel\'s Out-Of-Memory (OOM) killer score for
1776				executed processes. Takes an integer between -1000 (to disable OOM killing of processes of this unit)
1777				and 1000 (to make killing of processes of this unit under memory pressure very likely). See L<The /proc
1778				Filesystem\|https://docs.kernel.org/filesystems/proc.html> for
1779				details. If not specified defaults to the OOM score adjustment level of the service manager itself,
1780				which is normally at 0.
1781
1782				Use the C<OOMPolicy> setting of service units to configure how the service
1783				manager shall react to the kernel OOM killer or systemd-oomd terminating a process of the service. See
1784				L<systemd.service(5)>
1785				for details.',
1786				'max' => '1000',
1787				'min' => '-1000',
1788				'type' => 'leaf',
1789				'value_type' => 'integer'
1790				},
1791				'TimerSlackNSec',
1792				{
1793				'description' => 'Sets the timer slack in nanoseconds for the executed processes. The timer slack controls the
1794				accuracy of wake-ups triggered by timers. See
1795				L<prctl(2)> for more
1796				information. Note that in contrast to most other time span definitions this parameter takes an integer value in
1797				nano-seconds if no unit is specified. The usual time units are understood too.',
1798				'type' => 'leaf',
1799				'value_type' => 'uniline'
1800				},
1801				'Personality',
1802				{
1803				'choice' => [
1804				'x86',
1805				'x86-64',
1806				'ppc',
1807				'ppc-le',
1808				'ppc64',
1809				'ppc64-le',
1810				's390',
1811				's390x'
1812				],
1813				'description' => 'Controls which kernel architecture L<uname(2)> shall report,
1814				when invoked by unit processes. Takes one of the architecture identifiers C<x86>,
1815				C<x86-64>, C<ppc>, C<ppc-le>, C<ppc64>,
1816				C<ppc64-le>, C<s390> or C<s390x>. Which personality
1817				architectures are supported depends on the system architecture. Usually the 64bit versions of the various
1818				system architectures support their immediate 32bit personality architecture counterpart, but no others. For
1819				example, C<x86-64> systems support the C<x86-64> and
1820				C<x86> personalities but no others. The personality feature is useful when running 32-bit
1821				services on a 64-bit host system. If not specified, the personality is left unmodified and thus reflects the
1822				personality of the host system\'s kernel.',
1823				'type' => 'leaf',
1824				'value_type' => 'enum'
1825				},
1826				'IgnoreSIGPIPE',
1827				{
1828				'description' => 'Takes a boolean argument. If true, causes C<SIGPIPE> to be ignored in the
1829				executed process. Defaults to true because C<SIGPIPE> generally is useful only in shell
1830				pipelines.',
1831				'type' => 'leaf',
1832				'value_type' => 'boolean',
1833				'write_as' => [
1834				'no',
1835				'yes'
1836				]
1837				},
1838				'Nice',
1839				{
1840				'description' => 'Sets the default nice level (scheduling priority) for executed processes. Takes an
1841				integer between -20 (highest priority) and 19 (lowest priority). In case of resource contention,
1842				smaller values mean more resources will be made available to the unit\'s processes, larger values mean
1843				less resources will be made available. See
1844				L<setpriority(2)> for
1845				details.',
1846				'max' => '19',
1847				'min' => '-20',
1848				'type' => 'leaf',
1849				'value_type' => 'integer'
1850				},
1851				'CPUSchedulingPolicy',
1852				{
1853				'choice' => [
1854				'other',
1855				'batch',
1856				'idle',
1857				'fifo',
1858				'rr'
1859				],
1860				'description' => 'Sets the CPU scheduling policy for executed processes. Takes one of C<other>,
1861				C<batch>, C<idle>, C<fifo> or C<rr>. See
1862				L<sched_setscheduler(2)> for
1863				details.',
1864				'type' => 'leaf',
1865				'value_type' => 'enum'
1866				},
1867				'CPUSchedulingPriority',
1868				{
1869				'description' => 'Sets the CPU scheduling priority for executed processes. The available priority range
1870				depends on the selected CPU scheduling policy (see above). For real-time scheduling policies an
1871				integer between 1 (lowest priority) and 99 (highest priority) can be used. In case of CPU resource
1872				contention, smaller values mean less CPU time is made available to the service, larger values mean
1873				more. See L<sched_setscheduler(2)>
1874				for details.',
1875				'type' => 'leaf',
1876				'value_type' => 'uniline'
1877				},
1878				'CPUSchedulingResetOnFork',
1879				{
1880				'description' => 'Takes a boolean argument. If true, elevated CPU scheduling priorities and policies
1881				will be reset when the executed processes call
1882				L<fork(2)>,
1883				and can hence not leak into child processes. See
1884				L<sched_setscheduler(2)>
1885				for details. Defaults to false.',
1886				'type' => 'leaf',
1887				'value_type' => 'boolean',
1888				'write_as' => [
1889				'no',
1890				'yes'
1891				]
1892				},
1893				'CPUAffinity',
1894				{
1895				'cargo' => {
1896				'type' => 'leaf',
1897				'value_type' => 'uniline'
1898				},
1899				'description' => 'Controls the CPU affinity of the executed processes. Takes a list of CPU indices or ranges
1900				separated by either whitespace or commas. Alternatively, takes a special "numa" value in which case systemd
1901				automatically derives allowed CPU range based on the value of C<NUMAMask> option. CPU ranges
1902				are specified by the lower and upper CPU indices separated by a dash. This option may be specified more than
1903				once, in which case the specified CPU affinity masks are merged. If the empty string is assigned, the mask
1904				is reset, all assignments prior to this will have no effect. See
1905				L<sched_setaffinity(2)> for
1906				details.',
1907				'type' => 'list'
1908				},
1909				'NUMAPolicy',
1910				{
1911				'description' => 'Controls the NUMA memory policy of the executed processes. Takes a policy type, one of:
1912				C<default>, C<preferred>, C<bind>, C<interleave> and
1913				C<local>. A list of NUMA nodes that should be associated with the policy must be specified
1914				in C<NUMAMask>. For more details on each policy please see,
1915				L<set_mempolicy(2)>. For overall
1916				overview of NUMA support in Linux see,
1917				L<numa(7)>.
1918				',
1919				'type' => 'leaf',
1920				'value_type' => 'uniline'
1921				},
1922				'NUMAMask',
1923				{
1924				'description' => 'Controls the NUMA node list which will be applied alongside with selected NUMA policy.
1925				Takes a list of NUMA nodes and has the same syntax as a list of CPUs for C<CPUAffinity>
1926				option or special "all" value which will include all available NUMA nodes in the mask. Note that the list
1927				of NUMA nodes is not required for C<default> and C<local>
1928				policies and for C<preferred> policy we expect a single NUMA node.',
1929				'type' => 'leaf',
1930				'value_type' => 'uniline'
1931				},
1932				'IOSchedulingClass',
1933				{
1934				'choice' => [
1935				'0',
1936				'1',
1937				'2',
1938				'3',
1939				'none',
1940				'realtime',
1941				'best-effort',
1942				'idle'
1943				],
1944				'description' => 'Sets the I/O scheduling class for executed processes. Takes one of the strings
1945				C<realtime>, C<best-effort> or C<idle>. The kernel\'s
1946				default scheduling class is C<best-effort> at a priority of 4. If the empty string is
1947				assigned to this option, all prior assignments to both C<IOSchedulingClass> and
1948				C<IOSchedulingPriority> have no effect. See
1949				L<ioprio_set(2)> for
1950				details.',
1951				'type' => 'leaf',
1952				'value_type' => 'enum'
1953				},
1954				'IOSchedulingPriority',
1955				{
1956				'description' => 'Sets the I/O scheduling priority for executed processes. Takes an integer between 0
1957				(highest priority) and 7 (lowest priority). In case of I/O contention, smaller values mean more I/O
1958				bandwidth is made available to the unit\'s processes, larger values mean less bandwidth. The available
1959				priorities depend on the selected I/O scheduling class (see above). If the empty string is assigned
1960				to this option, all prior assignments to both C<IOSchedulingClass> and
1961				C<IOSchedulingPriority> have no effect. For the kernel\'s default scheduling class
1962				(C<best-effort>) this defaults to 4. See
1963				L<ioprio_set(2)> for
1964				details.',
1965				'max' => '7',
1966				'min' => '0',
1967				'type' => 'leaf',
1968				'upstream_default' => '4',
1969				'value_type' => 'integer'
1970				},
1971				'ProtectSystem',
1972				{
1973				'choice' => [
1974				'no',
1975				'yes',
1976				'full',
1977				'strict'
1978				],
1979				'description' => 'Takes a boolean argument or the special values C<full> or
1980				C<strict>. If true, mounts the C</usr/> and the boot loader
1981				directories (C</boot> and C</efi>) read-only for processes
1982				invoked by this unit. If set to C<full>, the C</etc/> directory is
1983				mounted read-only, too. If set to C<strict> the entire file system hierarchy is
1984				mounted read-only, except for the API file system subtrees C</dev/>,
1985				C</proc/> and C</sys/> (protect these directories using
1986				C<PrivateDevices>, C<ProtectKernelTunables>,
1987				C<ProtectControlGroups>). This setting ensures that any modification of the vendor-supplied
1988				operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is
1989				recommended to enable this setting for all long-running services, unless they are involved with system updates
1990				or need to modify the operating system in other ways. If this option is used,
1991				C<ReadWritePaths> may be used to exclude specific directories from being made read-only. This
1992				setting is implied if C<DynamicUser> is set. This setting cannot ensure protection in all
1993				cases. In general it has the same limitations as C<ReadOnlyPaths>, see below. Defaults to
1994				off.',
1995				'replace' => {
1996				'0' => 'no',
1997				'1' => 'yes',
1998				'false' => 'no',
1999				'true' => 'yes'
2000				},
2001				'type' => 'leaf',
2002				'value_type' => 'enum'
2003				},
2004				'ProtectHome',
2005				{
2006				'choice' => [
2007				'no',
2008				'yes',
2009				'read-only',
2010				'tmpfs'
2011				],
2012				'description' => 'Takes a boolean argument or the special values C<read-only> or
2013				C<tmpfs>. If true, the directories C</home/>,
2014				C</root>, and C</run/user> are made inaccessible and empty for
2015				processes invoked by this unit. If set to C<read-only>, the three directories are
2016				made read-only instead. If set to C<tmpfs>, temporary file systems are mounted on the
2017				three directories in read-only mode. The value C<tmpfs> is useful to hide home
2018				directories not relevant to the processes invoked by the unit, while still allowing necessary
2019				directories to be made visible when listed in C<BindPaths> or
2020				C<BindReadOnlyPaths>.
2021
2022				Setting this to C<yes> is mostly equivalent to setting the three directories in
2023				C<InaccessiblePaths>. Similarly, C<read-only> is mostly equivalent to
2024				C<ReadOnlyPaths>, and C<tmpfs> is mostly equivalent to
2025				C<TemporaryFileSystem> with C<:ro>.
2026
2027				It is recommended to enable this setting for all long-running services (in particular
2028				network-facing ones), to ensure they cannot get access to private user data, unless the services
2029				actually require access to the user\'s private data. This setting is implied if
2030				C<DynamicUser> is set. This setting cannot ensure protection in all cases. In
2031				general it has the same limitations as C<ReadOnlyPaths>, see below.',
2032				'replace' => {
2033				'0' => 'no',
2034				'1' => 'yes',
2035				'false' => 'no',
2036				'true' => 'yes'
2037				},
2038				'type' => 'leaf',
2039				'value_type' => 'enum'
2040				},
2041				'RuntimeDirectory',
2042				{
2043				'description' => 'These options take a whitespace-separated list of directory names. The specified
2044				directory names must be relative, and may not include C<..>. If set, when the unit is
2045				started, one or more directories by the specified names will be created (including their parents)
2046				below the locations defined in the following table. Also, the corresponding environment variable will
2047				be defined with the full paths of the directories. If multiple directories are set, then in the
2048				environment variable the paths are concatenated with colon (C<:>).
2049
2050				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2051				the unit is stopped. It is possible to preserve the specified directories in this case if
2052				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2053				C<yes> (see below). The directories specified with C<StateDirectory>,
2054				C<CacheDirectory>, C<LogsDirectory>,
2055				C<ConfigurationDirectory> are not removed when the unit is stopped.
2056
2057				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2058				owned by the user and group specified in C<User> and C<Group>. If the
2059				specified directories already exist and their owning user or group do not match the configured ones, all files
2060				and directories below the specified directories as well as the directories themselves will have their file
2061				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2062				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2063				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2064				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2065				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2066				C<ConfigurationDirectoryMode>.
2067
2068				These options imply C<BindPaths> for the specified paths. When combined with
2069				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2070				are mounted from there into the unit\'s file system namespace.
2071
2072				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2073				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2074				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2075				respectively, which are host directories made inaccessible to
2076				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2077				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2078				perspective of the host and from inside the unit, the relevant directories hence always appear
2079				directly below C</var/cache>, C</var/log> and
2080				C</var/lib>.
2081
2082				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2083				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2084				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2085				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2086				configuration or lifetime guarantees, please consider using
2087				L<tmpfiles.d(5)>.
2088
2089				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2090				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2091				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2092				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2093				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2094				using the same first parameter, but a different second parameter.',
2095				'type' => 'leaf',
2096				'value_type' => 'uniline'
2097				},
2098				'StateDirectory',
2099				{
2100				'description' => 'These options take a whitespace-separated list of directory names. The specified
2101				directory names must be relative, and may not include C<..>. If set, when the unit is
2102				started, one or more directories by the specified names will be created (including their parents)
2103				below the locations defined in the following table. Also, the corresponding environment variable will
2104				be defined with the full paths of the directories. If multiple directories are set, then in the
2105				environment variable the paths are concatenated with colon (C<:>).
2106
2107				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2108				the unit is stopped. It is possible to preserve the specified directories in this case if
2109				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2110				C<yes> (see below). The directories specified with C<StateDirectory>,
2111				C<CacheDirectory>, C<LogsDirectory>,
2112				C<ConfigurationDirectory> are not removed when the unit is stopped.
2113
2114				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2115				owned by the user and group specified in C<User> and C<Group>. If the
2116				specified directories already exist and their owning user or group do not match the configured ones, all files
2117				and directories below the specified directories as well as the directories themselves will have their file
2118				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2119				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2120				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2121				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2122				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2123				C<ConfigurationDirectoryMode>.
2124
2125				These options imply C<BindPaths> for the specified paths. When combined with
2126				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2127				are mounted from there into the unit\'s file system namespace.
2128
2129				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2130				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2131				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2132				respectively, which are host directories made inaccessible to
2133				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2134				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2135				perspective of the host and from inside the unit, the relevant directories hence always appear
2136				directly below C</var/cache>, C</var/log> and
2137				C</var/lib>.
2138
2139				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2140				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2141				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2142				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2143				configuration or lifetime guarantees, please consider using
2144				L<tmpfiles.d(5)>.
2145
2146				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2147				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2148				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2149				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2150				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2151				using the same first parameter, but a different second parameter.',
2152				'type' => 'leaf',
2153				'value_type' => 'uniline'
2154				},
2155				'CacheDirectory',
2156				{
2157				'description' => 'These options take a whitespace-separated list of directory names. The specified
2158				directory names must be relative, and may not include C<..>. If set, when the unit is
2159				started, one or more directories by the specified names will be created (including their parents)
2160				below the locations defined in the following table. Also, the corresponding environment variable will
2161				be defined with the full paths of the directories. If multiple directories are set, then in the
2162				environment variable the paths are concatenated with colon (C<:>).
2163
2164				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2165				the unit is stopped. It is possible to preserve the specified directories in this case if
2166				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2167				C<yes> (see below). The directories specified with C<StateDirectory>,
2168				C<CacheDirectory>, C<LogsDirectory>,
2169				C<ConfigurationDirectory> are not removed when the unit is stopped.
2170
2171				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2172				owned by the user and group specified in C<User> and C<Group>. If the
2173				specified directories already exist and their owning user or group do not match the configured ones, all files
2174				and directories below the specified directories as well as the directories themselves will have their file
2175				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2176				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2177				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2178				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2179				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2180				C<ConfigurationDirectoryMode>.
2181
2182				These options imply C<BindPaths> for the specified paths. When combined with
2183				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2184				are mounted from there into the unit\'s file system namespace.
2185
2186				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2187				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2188				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2189				respectively, which are host directories made inaccessible to
2190				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2191				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2192				perspective of the host and from inside the unit, the relevant directories hence always appear
2193				directly below C</var/cache>, C</var/log> and
2194				C</var/lib>.
2195
2196				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2197				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2198				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2199				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2200				configuration or lifetime guarantees, please consider using
2201				L<tmpfiles.d(5)>.
2202
2203				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2204				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2205				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2206				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2207				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2208				using the same first parameter, but a different second parameter.',
2209				'type' => 'leaf',
2210				'value_type' => 'uniline'
2211				},
2212				'LogsDirectory',
2213				{
2214				'description' => 'These options take a whitespace-separated list of directory names. The specified
2215				directory names must be relative, and may not include C<..>. If set, when the unit is
2216				started, one or more directories by the specified names will be created (including their parents)
2217				below the locations defined in the following table. Also, the corresponding environment variable will
2218				be defined with the full paths of the directories. If multiple directories are set, then in the
2219				environment variable the paths are concatenated with colon (C<:>).
2220
2221				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2222				the unit is stopped. It is possible to preserve the specified directories in this case if
2223				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2224				C<yes> (see below). The directories specified with C<StateDirectory>,
2225				C<CacheDirectory>, C<LogsDirectory>,
2226				C<ConfigurationDirectory> are not removed when the unit is stopped.
2227
2228				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2229				owned by the user and group specified in C<User> and C<Group>. If the
2230				specified directories already exist and their owning user or group do not match the configured ones, all files
2231				and directories below the specified directories as well as the directories themselves will have their file
2232				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2233				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2234				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2235				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2236				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2237				C<ConfigurationDirectoryMode>.
2238
2239				These options imply C<BindPaths> for the specified paths. When combined with
2240				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2241				are mounted from there into the unit\'s file system namespace.
2242
2243				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2244				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2245				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2246				respectively, which are host directories made inaccessible to
2247				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2248				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2249				perspective of the host and from inside the unit, the relevant directories hence always appear
2250				directly below C</var/cache>, C</var/log> and
2251				C</var/lib>.
2252
2253				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2254				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2255				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2256				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2257				configuration or lifetime guarantees, please consider using
2258				L<tmpfiles.d(5)>.
2259
2260				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2261				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2262				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2263				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2264				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2265				using the same first parameter, but a different second parameter.',
2266				'type' => 'leaf',
2267				'value_type' => 'uniline'
2268				},
2269				'ConfigurationDirectory',
2270				{
2271				'description' => 'These options take a whitespace-separated list of directory names. The specified
2272				directory names must be relative, and may not include C<..>. If set, when the unit is
2273				started, one or more directories by the specified names will be created (including their parents)
2274				below the locations defined in the following table. Also, the corresponding environment variable will
2275				be defined with the full paths of the directories. If multiple directories are set, then in the
2276				environment variable the paths are concatenated with colon (C<:>).
2277
2278				In case of C<RuntimeDirectory> the innermost subdirectories are removed when
2279				the unit is stopped. It is possible to preserve the specified directories in this case if
2280				C<RuntimeDirectoryPreserve> is configured to C<restart> or
2281				C<yes> (see below). The directories specified with C<StateDirectory>,
2282				C<CacheDirectory>, C<LogsDirectory>,
2283				C<ConfigurationDirectory> are not removed when the unit is stopped.
2284
2285				Except in case of C<ConfigurationDirectory>, the innermost specified directories will be
2286				owned by the user and group specified in C<User> and C<Group>. If the
2287				specified directories already exist and their owning user or group do not match the configured ones, all files
2288				and directories below the specified directories as well as the directories themselves will have their file
2289				ownership recursively changed to match what is configured. As an optimization, if the specified directories are
2290				already owned by the right user and group, files and directories below of them are left as-is, even if they do
2291				not match what is requested. The innermost specified directories will have their access mode adjusted to the
2292				what is specified in C<RuntimeDirectoryMode>, C<StateDirectoryMode>,
2293				C<CacheDirectoryMode>, C<LogsDirectoryMode> and
2294				C<ConfigurationDirectoryMode>.
2295
2296				These options imply C<BindPaths> for the specified paths. When combined with
2297				C<RootDirectory> or C<RootImage> these paths always reside on the host and
2298				are mounted from there into the unit\'s file system namespace.
2299
2300				If C<DynamicUser> is used, the logic for C<CacheDirectory>,
2301				C<LogsDirectory> and C<StateDirectory> is slightly altered: the directories are created below
2302				C</var/cache/private>, C</var/log/private> and C</var/lib/private>,
2303				respectively, which are host directories made inaccessible to
2304				unprivileged users, which ensures that access to these directories cannot be gained through dynamic
2305				user ID recycling. Symbolic links are created to hide this difference in behaviour. Both from
2306				perspective of the host and from inside the unit, the relevant directories hence always appear
2307				directly below C</var/cache>, C</var/log> and
2308				C</var/lib>.
2309
2310				Use C<RuntimeDirectory> to manage one or more runtime directories for the unit and bind
2311				their lifetime to the daemon runtime. This is particularly useful for unprivileged daemons that cannot create
2312				runtime directories in C</run/> due to lack of privileges, and to make sure the runtime
2313				directory is cleaned up automatically after use. For runtime directories that require more complex or different
2314				configuration or lifetime guarantees, please consider using
2315				L<tmpfiles.d(5)>.
2316
2317				C<RuntimeDirectory>, C<StateDirectory>, C<CacheDirectory>
2318				and C<LogsDirectory> optionally support a second parameter, separated by C<:>.
2319				The second parameter will be interpreted as a destination path that will be created as a symlink to the directory.
2320				The symlinks will be created after any C<BindPaths> or C<TemporaryFileSystem>
2321				options have been set up, to make ephemeral symlinking possible. The same source can have multiple symlinks, by
2322				using the same first parameter, but a different second parameter.',
2323				'type' => 'leaf',
2324				'value_type' => 'uniline'
2325				},
2326				'RuntimeDirectoryMode',
2327				{
2328				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2329				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2330				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2331				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2332				discussion of the meaning of permission bits.',
2333				'type' => 'leaf',
2334				'value_type' => 'uniline'
2335				},
2336				'StateDirectoryMode',
2337				{
2338				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2339				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2340				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2341				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2342				discussion of the meaning of permission bits.',
2343				'type' => 'leaf',
2344				'value_type' => 'uniline'
2345				},
2346				'CacheDirectoryMode',
2347				{
2348				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2349				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2350				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2351				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2352				discussion of the meaning of permission bits.',
2353				'type' => 'leaf',
2354				'value_type' => 'uniline'
2355				},
2356				'LogsDirectoryMode',
2357				{
2358				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2359				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2360				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2361				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2362				discussion of the meaning of permission bits.',
2363				'type' => 'leaf',
2364				'value_type' => 'uniline'
2365				},
2366				'ConfigurationDirectoryMode',
2367				{
2368				'description' => 'Specifies the access mode of the directories specified in C<RuntimeDirectory>,
2369				C<StateDirectory>, C<CacheDirectory>, C<LogsDirectory>, or
2370				C<ConfigurationDirectory>, respectively, as an octal number. Defaults to
2371				C<0755>. See "Permissions" in L<path_resolution(7)> for a
2372				discussion of the meaning of permission bits.',
2373				'type' => 'leaf',
2374				'value_type' => 'uniline'
2375				},
2376				'RuntimeDirectoryPreserve',
2377				{
2378				'choice' => [
2379				'no',
2380				'yes',
2381				'restart'
2382				],
2383				'description' => 'Takes a boolean argument or C<restart>. If set to C<no> (the
2384				default), the directories specified in C<RuntimeDirectory> are always removed when the service
2385				stops. If set to C<restart> the directories are preserved when the service is both automatically
2386				and manually restarted. Here, the automatic restart means the operation specified in
2387				C<Restart>, and manual restart means the one triggered by systemctl restart
2388				foo.service. If set to C<yes>, then the directories are not removed when the service is
2389				stopped. Note that since the runtime directory C</run/> is a mount point of
2390				C<tmpfs>, then for system services the directories specified in
2391				C<RuntimeDirectory> are removed when the system is rebooted.',
2392				'replace' => {
2393				'0' => 'no',
2394				'1' => 'yes',
2395				'false' => 'no',
2396				'true' => 'yes'
2397				},
2398				'type' => 'leaf',
2399				'value_type' => 'enum'
2400				},
2401				'TimeoutCleanSec',
2402				{
2403				'description' => "Configures a timeout on the clean-up operation requested through systemctl
2404				clean \x{2026}, see
2405				L<systemctl(1)> for
2406				details. Takes the usual time values and defaults to C<infinity>, i.e. by default
2407				no timeout is applied. If a timeout is configured the clean operation will be aborted forcibly when
2408				the timeout is reached, potentially leaving resources on disk.",
2409				'type' => 'leaf',
2410				'value_type' => 'uniline'
2411				},
2412				'ReadWritePaths',
2413				{
2414				'cargo' => {
2415				'type' => 'leaf',
2416				'value_type' => 'uniline'
2417				},
2418				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2419				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2420				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2421				paths contain symlinks, they are resolved relative to the root directory set with
2422				C<RootDirectory>/C<RootImage>.
2423
2424				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2425				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2426				are accessible for reading only, writing will be refused even if the usual file access controls would
2427				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2428				order to provide writable subdirectories within read-only directories. Use
2429				C<ReadWritePaths> in order to allow-list specific paths for write access if
2430				C<ProtectSystem=strict> is used.
2431
2432				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2433				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2434				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2435				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2436				see C<TemporaryFileSystem>.
2437
2438				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2439				file access controls would permit this. Nest C<ExecPaths> inside of
2440				C<NoExecPaths> in order to provide executable content within non-executable
2441				directories.
2442
2443				Non-directory paths may be specified as well. These options may be specified more than once,
2444				in which case all paths listed will have limited access from within the namespace. If the empty string is
2445				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2446
2447				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2448				C<InaccessiblePaths>, C<ExecPaths> and
2449				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2450				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2451				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2452				instead of relative to the root directory of the host (see above). When combining C<-> and
2453				C<+> on the same path make sure to specify C<-> first, and C<+>
2454				second.
2455
2456				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2457				host. This means that this setting may not be used for services which shall be able to install mount points in
2458				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2459				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2460				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2461				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2462				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2463				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2464				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2465				setting is not complete, and does not offer full protection.
2466
2467				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2468				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2469				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2470				C<SystemCallFilter=~@mount>.
2471
2472				Simple allow-list example using these directives:
2473
2474				[Service]
2475				ReadOnlyPaths=/
2476				ReadWritePaths=/var /run
2477				InaccessiblePaths=-/lost+found
2478				NoExecPaths=/
2479				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2480				',
2481				'type' => 'list'
2482				},
2483				'ReadOnlyPaths',
2484				{
2485				'cargo' => {
2486				'type' => 'leaf',
2487				'value_type' => 'uniline'
2488				},
2489				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2490				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2491				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2492				paths contain symlinks, they are resolved relative to the root directory set with
2493				C<RootDirectory>/C<RootImage>.
2494
2495				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2496				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2497				are accessible for reading only, writing will be refused even if the usual file access controls would
2498				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2499				order to provide writable subdirectories within read-only directories. Use
2500				C<ReadWritePaths> in order to allow-list specific paths for write access if
2501				C<ProtectSystem=strict> is used.
2502
2503				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2504				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2505				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2506				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2507				see C<TemporaryFileSystem>.
2508
2509				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2510				file access controls would permit this. Nest C<ExecPaths> inside of
2511				C<NoExecPaths> in order to provide executable content within non-executable
2512				directories.
2513
2514				Non-directory paths may be specified as well. These options may be specified more than once,
2515				in which case all paths listed will have limited access from within the namespace. If the empty string is
2516				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2517
2518				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2519				C<InaccessiblePaths>, C<ExecPaths> and
2520				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2521				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2522				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2523				instead of relative to the root directory of the host (see above). When combining C<-> and
2524				C<+> on the same path make sure to specify C<-> first, and C<+>
2525				second.
2526
2527				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2528				host. This means that this setting may not be used for services which shall be able to install mount points in
2529				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2530				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2531				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2532				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2533				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2534				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2535				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2536				setting is not complete, and does not offer full protection.
2537
2538				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2539				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2540				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2541				C<SystemCallFilter=~@mount>.
2542
2543				Simple allow-list example using these directives:
2544
2545				[Service]
2546				ReadOnlyPaths=/
2547				ReadWritePaths=/var /run
2548				InaccessiblePaths=-/lost+found
2549				NoExecPaths=/
2550				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2551				',
2552				'type' => 'list'
2553				},
2554				'InaccessiblePaths',
2555				{
2556				'cargo' => {
2557				'type' => 'leaf',
2558				'value_type' => 'uniline'
2559				},
2560				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2561				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2562				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2563				paths contain symlinks, they are resolved relative to the root directory set with
2564				C<RootDirectory>/C<RootImage>.
2565
2566				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2567				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2568				are accessible for reading only, writing will be refused even if the usual file access controls would
2569				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2570				order to provide writable subdirectories within read-only directories. Use
2571				C<ReadWritePaths> in order to allow-list specific paths for write access if
2572				C<ProtectSystem=strict> is used.
2573
2574				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2575				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2576				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2577				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2578				see C<TemporaryFileSystem>.
2579
2580				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2581				file access controls would permit this. Nest C<ExecPaths> inside of
2582				C<NoExecPaths> in order to provide executable content within non-executable
2583				directories.
2584
2585				Non-directory paths may be specified as well. These options may be specified more than once,
2586				in which case all paths listed will have limited access from within the namespace. If the empty string is
2587				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2588
2589				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2590				C<InaccessiblePaths>, C<ExecPaths> and
2591				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2592				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2593				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2594				instead of relative to the root directory of the host (see above). When combining C<-> and
2595				C<+> on the same path make sure to specify C<-> first, and C<+>
2596				second.
2597
2598				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2599				host. This means that this setting may not be used for services which shall be able to install mount points in
2600				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2601				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2602				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2603				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2604				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2605				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2606				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2607				setting is not complete, and does not offer full protection.
2608
2609				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2610				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2611				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2612				C<SystemCallFilter=~@mount>.
2613
2614				Simple allow-list example using these directives:
2615
2616				[Service]
2617				ReadOnlyPaths=/
2618				ReadWritePaths=/var /run
2619				InaccessiblePaths=-/lost+found
2620				NoExecPaths=/
2621				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2622				',
2623				'type' => 'list'
2624				},
2625				'ExecPaths',
2626				{
2627				'cargo' => {
2628				'type' => 'leaf',
2629				'value_type' => 'uniline'
2630				},
2631				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2632				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2633				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2634				paths contain symlinks, they are resolved relative to the root directory set with
2635				C<RootDirectory>/C<RootImage>.
2636
2637				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2638				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2639				are accessible for reading only, writing will be refused even if the usual file access controls would
2640				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2641				order to provide writable subdirectories within read-only directories. Use
2642				C<ReadWritePaths> in order to allow-list specific paths for write access if
2643				C<ProtectSystem=strict> is used.
2644
2645				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2646				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2647				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2648				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2649				see C<TemporaryFileSystem>.
2650
2651				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2652				file access controls would permit this. Nest C<ExecPaths> inside of
2653				C<NoExecPaths> in order to provide executable content within non-executable
2654				directories.
2655
2656				Non-directory paths may be specified as well. These options may be specified more than once,
2657				in which case all paths listed will have limited access from within the namespace. If the empty string is
2658				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2659
2660				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2661				C<InaccessiblePaths>, C<ExecPaths> and
2662				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2663				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2664				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2665				instead of relative to the root directory of the host (see above). When combining C<-> and
2666				C<+> on the same path make sure to specify C<-> first, and C<+>
2667				second.
2668
2669				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2670				host. This means that this setting may not be used for services which shall be able to install mount points in
2671				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2672				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2673				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2674				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2675				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2676				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2677				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2678				setting is not complete, and does not offer full protection.
2679
2680				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2681				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2682				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2683				C<SystemCallFilter=~@mount>.
2684
2685				Simple allow-list example using these directives:
2686
2687				[Service]
2688				ReadOnlyPaths=/
2689				ReadWritePaths=/var /run
2690				InaccessiblePaths=-/lost+found
2691				NoExecPaths=/
2692				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2693				',
2694				'type' => 'list'
2695				},
2696				'NoExecPaths',
2697				{
2698				'cargo' => {
2699				'type' => 'leaf',
2700				'value_type' => 'uniline'
2701				},
2702				'description' => 'Sets up a new file system namespace for executed processes. These options may be used
2703				to limit access a process has to the file system. Each setting takes a space-separated list of paths
2704				relative to the host\'s root directory (i.e. the system running the service manager). Note that if
2705				paths contain symlinks, they are resolved relative to the root directory set with
2706				C<RootDirectory>/C<RootImage>.
2707
2708				Paths listed in C<ReadWritePaths> are accessible from within the namespace
2709				with the same access modes as from outside of it. Paths listed in C<ReadOnlyPaths>
2710				are accessible for reading only, writing will be refused even if the usual file access controls would
2711				permit this. Nest C<ReadWritePaths> inside of C<ReadOnlyPaths> in
2712				order to provide writable subdirectories within read-only directories. Use
2713				C<ReadWritePaths> in order to allow-list specific paths for write access if
2714				C<ProtectSystem=strict> is used.
2715
2716				Paths listed in C<InaccessiblePaths> will be made inaccessible for processes inside
2717				the namespace along with everything below them in the file system hierarchy. This may be more restrictive than
2718				desired, because it is not possible to nest C<ReadWritePaths>, C<ReadOnlyPaths>,
2719				C<BindPaths>, or C<BindReadOnlyPaths> inside it. For a more flexible option,
2720				see C<TemporaryFileSystem>.
2721
2722				Content in paths listed in C<NoExecPaths> are not executable even if the usual
2723				file access controls would permit this. Nest C<ExecPaths> inside of
2724				C<NoExecPaths> in order to provide executable content within non-executable
2725				directories.
2726
2727				Non-directory paths may be specified as well. These options may be specified more than once,
2728				in which case all paths listed will have limited access from within the namespace. If the empty string is
2729				assigned to this option, the specific list is reset, and all prior assignments have no effect.
2730
2731				Paths in C<ReadWritePaths>, C<ReadOnlyPaths>,
2732				C<InaccessiblePaths>, C<ExecPaths> and
2733				C<NoExecPaths> may be prefixed with C<->, in which case they will be
2734				ignored when they do not exist. If prefixed with C<+> the paths are taken relative to the root
2735				directory of the unit, as configured with C<RootDirectory>/C<RootImage>,
2736				instead of relative to the root directory of the host (see above). When combining C<-> and
2737				C<+> on the same path make sure to specify C<-> first, and C<+>
2738				second.
2739
2740				Note that these settings will disconnect propagation of mounts from the unit\'s processes to the
2741				host. This means that this setting may not be used for services which shall be able to install mount points in
2742				the main mount namespace. For C<ReadWritePaths> and C<ReadOnlyPaths>,
2743				propagation in the other direction is not affected, i.e. mounts created on the host generally appear in the
2744				unit processes\' namespace, and mounts removed on the host also disappear there too. In particular, note that
2745				mount propagation from host to unit will result in unmodified mounts to be created in the unit\'s namespace,
2746				i.e. writable mounts appearing on the host will be writable in the unit\'s namespace too, even when propagated
2747				below a path marked with C<ReadOnlyPaths>! Restricting access with these options hence does
2748				not extend to submounts of a directory that are created later on. This means the lock-down offered by that
2749				setting is not complete, and does not offer full protection.
2750
2751				Note that the effect of these settings may be undone by privileged processes. In order to set up an
2752				effective sandboxed environment for a unit it is thus recommended to combine these settings with either
2753				C<CapabilityBoundingSet=~CAP_SYS_ADMIN> or
2754				C<SystemCallFilter=~@mount>.
2755
2756				Simple allow-list example using these directives:
2757
2758				[Service]
2759				ReadOnlyPaths=/
2760				ReadWritePaths=/var /run
2761				InaccessiblePaths=-/lost+found
2762				NoExecPaths=/
2763				ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
2764				',
2765				'type' => 'list'
2766				},
2767				'TemporaryFileSystem',
2768				{
2769				'cargo' => {
2770				'type' => 'leaf',
2771				'value_type' => 'uniline'
2772				},
2773				'description' => 'Takes a space-separated list of mount points for temporary file systems (tmpfs). If set, a new file
2774				system namespace is set up for executed processes, and a temporary file system is mounted on each mount point.
2775				This option may be specified more than once, in which case temporary file systems are mounted on all listed mount
2776				points. If the empty string is assigned to this option, the list is reset, and all prior assignments have no effect.
2777				Each mount point may optionally be suffixed with a colon (C<:>) and mount options such as
2778				C<size=10%> or C<ro>. By default, each temporary file system is mounted
2779				with C<nodev,strictatime,mode=0755>. These can be disabled by explicitly specifying the corresponding
2780				mount options, e.g., C<dev> or C<nostrictatime>.
2781
2782				This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary
2783				files or directories can be still accessed by combining with C<BindPaths> or
2784				C<BindReadOnlyPaths>:
2785
2786				Example: if a unit has the following,
2787
2788				TemporaryFileSystem=/var:ro
2789				BindReadOnlyPaths=/var/lib/systemd
2790
2791				then the invoked processes by the unit cannot see any files or directories under C</var/> except for
2792				C</var/lib/systemd> or its contents.',
2793				'type' => 'list'
2794				},
2795				'PrivateTmp',
2796				{
2797				'description' => 'Takes a boolean argument. If true, sets up a new file system namespace for the
2798				executed processes and mounts private C</tmp/> and C</var/tmp/>
2799				directories inside it that are not shared by processes outside of the namespace. This is useful to
2800				secure access to temporary files of the process, but makes sharing between processes via
2801				C</tmp/> or C</var/tmp/> impossible. If true, all temporary files
2802				created by a service in these directories will be removed after the service is stopped. Defaults to
2803				false. It is possible to run two or more units within the same private C</tmp/> and
2804				C</var/tmp/> namespace by using the C<JoinsNamespaceOf> directive,
2805				see L<systemd.unit(5)>
2806				for details. This setting is implied if C<DynamicUser> is set. For this setting, the
2807				same restrictions regarding mount propagation and privileges apply as for
2808				C<ReadOnlyPaths> and related calls, see above. Enabling this setting has the side
2809				effect of adding C<Requires> and C<After> dependencies on all mount
2810				units necessary to access C</tmp/> and C</var/tmp/>. Moreover an
2811				implicitly C<After> ordering on
2812				L<systemd-tmpfiles-setup.service(8)>
2813				is added.
2814
2815				Note that the implementation of this setting might be impossible (for example if mount namespaces are not
2816				available), and the unit should be written in a way that does not solely rely on this setting for
2817				security.',
2818				'type' => 'leaf',
2819				'value_type' => 'boolean',
2820				'write_as' => [
2821				'no',
2822				'yes'
2823				]
2824				},
2825				'PrivateDevices',
2826				{
2827				'description' => 'Takes a boolean argument. If true, sets up a new C</dev/> mount for
2828				the executed processes and only adds API pseudo devices such as C</dev/null>,
2829				C</dev/zero> or C</dev/random> (as well as the pseudo TTY
2830				subsystem) to it, but no physical devices such as C</dev/sda>, system memory
2831				C</dev/mem>, system ports C</dev/port> and others. This is useful
2832				to turn off physical device access by the executed process. Defaults to false.
2833
2834				Enabling this option will install a system call filter to block low-level I/O system calls that
2835				are grouped in the C<@raw-io> set, remove C<CAP_MKNOD> and
2836				C<CAP_SYS_RAWIO> from the capability bounding set for the unit, and set
2837				C<DevicePolicy=closed> (see
2838				L<systemd.resource-control(5)>
2839				for details). Note that using this setting will disconnect propagation of mounts from the service to
2840				the host (propagation in the opposite direction continues to work). This means that this setting may
2841				not be used for services which shall be able to install mount points in the main mount namespace. The
2842				new C</dev/> will be mounted read-only and \'noexec\'. The latter may break old
2843				programs which try to set up executable memory by using
2844				L<mmap(2)> of
2845				C</dev/zero> instead of using C<MAP_ANON>. For this setting the
2846				same restrictions regarding mount propagation and privileges apply as for
2847				C<ReadOnlyPaths> and related calls, see above. If turned on and if running in user
2848				mode, or in system mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
2849				C<User>), C<NoNewPrivileges=yes> is implied.
2850
2851				Note that the implementation of this setting might be impossible (for example if mount
2852				namespaces are not available), and the unit should be written in a way that does not solely rely on
2853				this setting for security.
2854
2855				When access to some but not all devices must be possible, the C<DeviceAllow>
2856				setting might be used instead. See
2857				L<systemd.resource-control(5)>.
2858				',
2859				'type' => 'leaf',
2860				'value_type' => 'boolean',
2861				'write_as' => [
2862				'no',
2863				'yes'
2864				]
2865				},
2866				'PrivateNetwork',
2867				{
2868				'description' => 'Takes a boolean argument. If true, sets up a new network namespace for the executed processes
2869				and configures only the loopback network device C<lo> inside it. No other network devices will
2870				be available to the executed process. This is useful to turn off network access by the executed process.
2871				Defaults to false. It is possible to run two or more units within the same private network namespace by using
2872				the C<JoinsNamespaceOf> directive, see
2873				L<systemd.unit(5)> for
2874				details. Note that this option will disconnect all socket families from the host, including
2875				C<AF_NETLINK> and C<AF_UNIX>. Effectively, for
2876				C<AF_NETLINK> this means that device configuration events received from
2877				L<systemd-udevd.service(8)> are
2878				not delivered to the unit\'s processes. And for C<AF_UNIX> this has the effect that
2879				C<AF_UNIX> sockets in the abstract socket namespace of the host will become unavailable to
2880				the unit\'s processes (however, those located in the file system will continue to be accessible).
2881
2882				Note that the implementation of this setting might be impossible (for example if network namespaces are
2883				not available), and the unit should be written in a way that does not solely rely on this setting for
2884				security.
2885
2886				When this option is used on a socket unit any sockets bound on behalf of this unit will be
2887				bound within a private network namespace. This may be combined with
2888				C<JoinsNamespaceOf> to listen on sockets inside of network namespaces of other
2889				services.',
2890				'type' => 'leaf',
2891				'value_type' => 'boolean',
2892				'write_as' => [
2893				'no',
2894				'yes'
2895				]
2896				},
2897				'NetworkNamespacePath',
2898				{
2899				'description' => 'Takes an absolute file system path refererring to a Linux network namespace
2900				pseudo-file (i.e. a file like C</proc/$PID/ns/net> or a bind mount or symlink to
2901				one). When set the invoked processes are added to the network namespace referenced by that path. The
2902				path has to point to a valid namespace file at the moment the processes are forked off. If this
2903				option is used C<PrivateNetwork> has no effect. If this option is used together with
2904				C<JoinsNamespaceOf> then it only has an effect if this unit is started before any of
2905				the listed units that have C<PrivateNetwork> or
2906				C<NetworkNamespacePath> configured, as otherwise the network namespace of those
2907				units is reused.
2908
2909				When this option is used on a socket unit any sockets bound on behalf of this unit will be
2910				bound within the specified network namespace.',
2911				'type' => 'leaf',
2912				'value_type' => 'uniline'
2913				},
2914				'PrivateIPC',
2915				{
2916				'description' => 'Takes a boolean argument. If true, sets up a new IPC namespace for the executed processes.
2917				Each IPC namespace has its own set of System V IPC identifiers and its own POSIX message queue file system.
2918				This is useful to avoid name clash of IPC identifiers. Defaults to false. It is possible to run two or
2919				more units within the same private IPC namespace by using the C<JoinsNamespaceOf> directive,
2920				see L<systemd.unit(5)> for
2921				details.
2922
2923				Note that IPC namespacing does not have an effect on
2924				C<AF_UNIX> sockets, which are the most common
2925				form of IPC used on Linux. Instead, C<AF_UNIX>
2926				sockets in the file system are subject to mount namespacing, and
2927				those in the abstract namespace are subject to network namespacing.
2928				IPC namespacing only has an effect on SysV IPC (which is mostly
2929				legacy) as well as POSIX message queues (for which
2930				C<AF_UNIX>/C<SOCK_SEQPACKET>
2931				sockets are typically a better replacement). IPC namespacing also
2932				has no effect on POSIX shared memory (which is subject to mount
2933				namespacing) either. See
2934				L<ipc_namespaces(7)> for
2935				the details.
2936
2937				Note that the implementation of this setting might be impossible (for example if IPC namespaces are
2938				not available), and the unit should be written in a way that does not solely rely on this setting for
2939				security.',
2940				'type' => 'leaf',
2941				'value_type' => 'boolean',
2942				'write_as' => [
2943				'no',
2944				'yes'
2945				]
2946				},
2947				'IPCNamespacePath',
2948				{
2949				'description' => 'Takes an absolute file system path refererring to a Linux IPC namespace
2950				pseudo-file (i.e. a file like C</proc/$PID/ns/ipc> or a bind mount or symlink to
2951				one). When set the invoked processes are added to the network namespace referenced by that path. The
2952				path has to point to a valid namespace file at the moment the processes are forked off. If this
2953				option is used C<PrivateIPC> has no effect. If this option is used together with
2954				C<JoinsNamespaceOf> then it only has an effect if this unit is started before any of
2955				the listed units that have C<PrivateIPC> or
2956				C<IPCNamespacePath> configured, as otherwise the network namespace of those
2957				units is reused.',
2958				'type' => 'leaf',
2959				'value_type' => 'uniline'
2960				},
2961				'PrivateUsers',
2962				{
2963				'description' => 'Takes a boolean argument. If true, sets up a new user namespace for the executed processes and
2964				configures a minimal user and group mapping, that maps the C<root> user and group as well as
2965				the unit\'s own user and group to themselves and everything else to the C<nobody> user and
2966				group. This is useful to securely detach the user and group databases used by the unit from the rest of the
2967				system, and thus to create an effective sandbox environment. All files, directories, processes, IPC objects and
2968				other resources owned by users/groups not equaling C<root> or the unit\'s own will stay visible
2969				from within the unit but appear owned by the C<nobody> user and group. If this mode is enabled,
2970				all unit processes are run without privileges in the host user namespace (regardless if the unit\'s own
2971				user/group is C<root> or not). Specifically this means that the process will have zero process
2972				capabilities on the host\'s user namespace, but full capabilities within the service\'s user namespace. Settings
2973				such as C<CapabilityBoundingSet> will affect only the latter, and there\'s no way to acquire
2974				additional capabilities in the host\'s user namespace. Defaults to off.
2975
2976				When this setting is set up by a per-user instance of the service manager, the mapping of the
2977				C<root> user and group to itself is omitted (unless the user manager is root).
2978				Additionally, in the per-user instance manager case, the
2979				user namespace will be set up before most other namespaces. This means that combining
2980				C<PrivateUsers>C<true> with other namespaces will enable use of features not
2981				normally supported by the per-user instances of the service manager.
2982
2983				This setting is particularly useful in conjunction with
2984				C<RootDirectory>/C<RootImage>, as the need to synchronize the user and group
2985				databases in the root directory and on the host is reduced, as the only users and groups who need to be matched
2986				are C<root>, C<nobody> and the unit\'s own user and group.
2987
2988				Note that the implementation of this setting might be impossible (for example if user namespaces are not
2989				available), and the unit should be written in a way that does not solely rely on this setting for
2990				security.',
2991				'type' => 'leaf',
2992				'value_type' => 'boolean',
2993				'write_as' => [
2994				'no',
2995				'yes'
2996				]
2997				},
2998				'ProtectHostname',
2999				{
3000				'description' => 'Takes a boolean argument. When set, sets up a new UTS namespace for the executed
3001				processes. In addition, changing hostname or domainname is prevented. Defaults to off.
3002
3003				Note that the implementation of this setting might be impossible (for example if UTS namespaces
3004				are not available), and the unit should be written in a way that does not solely rely on this setting
3005				for security.
3006
3007				Note that when this option is enabled for a service hostname changes no longer propagate from
3008				the system into the service, it is hence not suitable for services that need to take notice of system
3009				hostname changes dynamically.
3010
3011				If this setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN>
3012				capability (e.g. services for which C<User> is set),
3013				C<NoNewPrivileges=yes> is implied.',
3014				'type' => 'leaf',
3015				'value_type' => 'boolean',
3016				'write_as' => [
3017				'no',
3018				'yes'
3019				]
3020				},
3021				'ProtectClock',
3022				{
3023				'description' => 'Takes a boolean argument. If set, writes to the hardware clock or system clock will be denied.
3024				It is recommended to turn this on for most services that do not need modify the clock. Defaults to off. Enabling
3025				this option removes C<CAP_SYS_TIME> and C<CAP_WAKE_ALARM> from the
3026				capability bounding set for this unit, installs a system call filter to block calls that can set the
3027				clock, and C<DeviceAllow=char-rtc r> is implied. This ensures C</dev/rtc0>,
3028				C</dev/rtc1>, etc. are made read-only to the service. See
3029				L<systemd.resource-control(5)>
3030				for the details about C<DeviceAllow>. If this setting is on, but the unit
3031				doesn\'t have the C<CAP_SYS_ADMIN> capability (e.g. services for which
3032				C<User> is set), C<NoNewPrivileges=yes> is implied.',
3033				'type' => 'leaf',
3034				'value_type' => 'boolean',
3035				'write_as' => [
3036				'no',
3037				'yes'
3038				]
3039				},
3040				'ProtectKernelTunables',
3041				{
3042				'description' => 'Takes a boolean argument. If true, kernel variables accessible through
3043				C</proc/sys/>, C</sys/>, C</proc/sysrq-trigger>,
3044				C</proc/latency_stats>, C</proc/acpi>,
3045				C</proc/timer_stats>, C</proc/fs> and C</proc/irq> will
3046				be made read-only to all processes of the unit. Usually, tunable kernel variables should be initialized only at
3047				boot-time, for example with the
3048				L<sysctl.d(5)> mechanism. Few
3049				services need to write to these at runtime; it is hence recommended to turn this on for most services. For this
3050				setting the same restrictions regarding mount propagation and privileges apply as for
3051				C<ReadOnlyPaths> and related calls, see above. Defaults to off. If this
3052				setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN> capability
3053				(e.g. services for which C<User> is set),
3054				C<NoNewPrivileges=yes> is implied. Note that this option does not prevent
3055				indirect changes to kernel tunables effected by IPC calls to other processes. However,
3056				C<InaccessiblePaths> may be used to make relevant IPC file system objects
3057				inaccessible. If C<ProtectKernelTunables> is set,
3058				C<MountAPIVFS=yes> is implied.',
3059				'type' => 'leaf',
3060				'value_type' => 'boolean',
3061				'write_as' => [
3062				'no',
3063				'yes'
3064				]
3065				},
3066				'ProtectKernelModules',
3067				{
3068				'description' => 'Takes a boolean argument. If true, explicit module loading will be denied. This allows
3069				module load and unload operations to be turned off on modular kernels. It is recommended to turn this on for most
3070				services
3071				that do not need special file systems or extra kernel modules to work. Defaults to off. Enabling this option
3072				removes C<CAP_SYS_MODULE> from the capability bounding set for the unit, and installs a
3073				system call filter to block module system calls, also C</usr/lib/modules> is made
3074				inaccessible. For this setting the same restrictions regarding mount propagation and privileges apply as for
3075				C<ReadOnlyPaths> and related calls, see above. Note that limited automatic module loading due
3076				to user configuration or kernel mapping tables might still happen as side effect of requested user operations,
3077				both privileged and unprivileged. To disable module auto-load feature please see
3078				L<sysctl.d(5)>C<kernel.modules_disabled> mechanism and
3079				C</proc/sys/kernel/modules_disabled> documentation. If this setting is on,
3080				but the unit doesn\'t have the C<CAP_SYS_ADMIN> capability (e.g. services for
3081				which C<User> is set), C<NoNewPrivileges=yes> is implied.',
3082				'type' => 'leaf',
3083				'value_type' => 'boolean',
3084				'write_as' => [
3085				'no',
3086				'yes'
3087				]
3088				},
3089				'ProtectKernelLogs',
3090				{
3091				'description' => 'Takes a boolean argument. If true, access to the kernel log ring buffer will be denied. It is
3092				recommended to turn this on for most services that do not need to read from or write to the kernel log ring
3093				buffer. Enabling this option removes C<CAP_SYSLOG> from the capability bounding set for this
3094				unit, and installs a system call filter to block the
3095				L<syslog(2)>
3096				system call (not to be confused with the libc API
3097				L<syslog(3)>
3098				for userspace logging). The kernel exposes its log buffer to userspace via C</dev/kmsg> and
3099				C</proc/kmsg>. If enabled, these are made inaccessible to all the processes in the unit.
3100				If this setting is on, but the unit doesn\'t have the C<CAP_SYS_ADMIN>
3101				capability (e.g. services for which C<User> is set),
3102				C<NoNewPrivileges=yes> is implied.',
3103				'type' => 'leaf',
3104				'value_type' => 'boolean',
3105				'write_as' => [
3106				'no',
3107				'yes'
3108				]
3109				},
3110				'ProtectControlGroups',
3111				{
3112				'description' => 'Takes a boolean argument. If true, the Linux Control Groups (L<cgroups(7)>) hierarchies
3113				accessible through C</sys/fs/cgroup/> will be made read-only to all processes of the
3114				unit. Except for container managers no services should require write access to the control groups hierarchies;
3115				it is hence recommended to turn this on for most services. For this setting the same restrictions regarding
3116				mount propagation and privileges apply as for C<ReadOnlyPaths> and related calls, see
3117				above. Defaults to off. If C<ProtectControlGroups> is set, C<MountAPIVFS=yes>
3118				is implied.',
3119				'type' => 'leaf',
3120				'value_type' => 'boolean',
3121				'write_as' => [
3122				'no',
3123				'yes'
3124				]
3125				},
3126				'RestrictAddressFamilies',
3127				{
3128				'description' => 'Restricts the set of socket address families accessible to the processes of this
3129				unit. Takes C<none>, or a space-separated list of address family names to
3130				allow-list, such as C<AF_UNIX>, C<AF_INET> or
3131				C<AF_INET6>. When C<none> is specified, then all address
3132				families will be denied. When prefixed with C<~> the listed address
3133				families will be applied as deny list, otherwise as allow list. Note that this restricts access
3134				to the
3135				L<socket(2)>
3136				system call only. Sockets passed into the process by other means (for example, by using socket
3137				activation with socket units, see
3138				L<systemd.socket(5)>)
3139				are unaffected. Also, sockets created with socketpair() (which creates connected
3140				AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x,
3141				mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on other ABIs,
3142				including x86-64). Note that on systems supporting multiple ABIs (such as x86/x86-64) it is
3143				recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the
3144				restrictions of this option. Specifically, it is recommended to combine this option with
3145				C<SystemCallArchitectures=native> or similar. If running in user mode, or in system
3146				mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3147				C<User>), C<NoNewPrivileges=yes> is implied. By default, no
3148				restrictions apply, all address families are accessible to processes. If assigned the empty string,
3149				any previous address family restriction changes are undone. This setting does not affect commands
3150				prefixed with C<+>.
3151
3152				Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
3153				network protocols, such as C<AF_PACKET>. Note that in most cases, the local
3154				C<AF_UNIX> address family should be included in the configured allow list as it is frequently
3155				used for local communication, including for
3156				L<syslog(2)>
3157				logging.',
3158				'type' => 'leaf',
3159				'value_type' => 'uniline'
3160				},
3161				'RestrictFileSystems',
3162				{
3163				'description' => 'Restricts the set of filesystems processes of this unit can open files on. Takes a space-separated
3164				list of filesystem names. Any filesystem listed is made accessible to the unit\'s processes, access to filesystem
3165				types not listed is prohibited (allow-listing). If the first character of the list is C<~>, the
3166				effect is inverted: access to the filesystems listed is prohibited (deny-listing). If the empty string is assigned,
3167				access to filesystems is not restricted.
3168
3169				If you specify both types of this option (i.e. allow-listing and deny-listing), the first encountered will take
3170				precedence and will dictate the default action (allow access to the filesystem or deny it). Then the next occurrences
3171				of this option will add or delete the listed filesystems from the set of the restricted filesystems, depending on its
3172				type and the default action.
3173
3174				Example: if a unit has the following,
3175
3176				RestrictFileSystems=ext4 tmpfs
3177				RestrictFileSystems=ext2 ext4
3178
3179				then access to C<ext4>, C<tmpfs>, and C<ext2> is allowed
3180				and access to other filesystems is denied.
3181
3182				Example: if a unit has the following,
3183
3184				RestrictFileSystems=ext4 tmpfs
3185				RestrictFileSystems=~ext4
3186
3187				then only access C<tmpfs> is allowed.
3188
3189				Example: if a unit has the following,
3190
3191				RestrictFileSystems=~ext4 tmpfs
3192				RestrictFileSystems=ext4
3193
3194				then only access to C<tmpfs> is denied.
3195
3196				As the number of possible filesystems is large, predefined sets of filesystems are provided. A set
3197				starts with C<@> character, followed by name of the set.
3198
3199				Use
3200				L<systemd-analyze(1)>\'s
3201				filesystems command to retrieve a list of filesystems defined on the local
3202				system.
3203
3204				Note that this setting might not be supported on some systems (for example if the LSM eBPF hook is
3205				not enabled in the underlying kernel or if not using the unified control group hierarchy). In that case this setting
3206				has no effect.',
3207				'type' => 'leaf',
3208				'value_type' => 'uniline'
3209				},
3210				'RestrictNamespaces',
3211				{
3212				'description' => "Restricts access to Linux namespace functionality for the processes of this unit. For details
3213				about Linux namespaces, see L<namespaces(7)>. Either
3214				takes a boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no
3215				restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
3216				prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
3217				any combination of: C<cgroup>, C<ipc>, C<net>,
3218				C<mnt>, C<pid>, C<user> and C<uts>. Any
3219				namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
3220				prohibited (allow-listing). By prepending the list with a single tilde character (C<~>) the
3221				effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
3222				permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied,
3223				which is equivalent to false. This option may appear more than once, in which case the namespace types are
3224				merged by C<OR>, or by C<AND> if the lines are prefixed with
3225				C<~> (see examples below). Internally, this setting limits access to the
3226				L<unshare(2)>,
3227				L<clone(2)> and
3228				L<setns(2)> system calls, taking
3229				the specified flags parameters into account. Note that \x{2014} if this option is used \x{2014} in addition to restricting
3230				creation and switching of the specified types of namespaces (or all of them, if true) access to the
3231				setns() system call with a zero flags parameter is prohibited. This setting is only
3232				supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390
3233				and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but
3234				without the C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3235				C<NoNewPrivileges=yes> is implied.
3236
3237				Example: if a unit has the following,
3238
3239				RestrictNamespaces=cgroup ipc
3240				RestrictNamespaces=cgroup net
3241
3242				then C<cgroup>, C<ipc>, and C<net> are set.
3243				If the second line is prefixed with C<~>, e.g.,
3244
3245				RestrictNamespaces=cgroup ipc
3246				RestrictNamespaces=~cgroup net
3247
3248				then, only C<ipc> is set.",
3249				'type' => 'leaf',
3250				'value_type' => 'uniline'
3251				},
3252				'LockPersonality',
3253				{
3254				'description' => 'Takes a boolean argument. If set, locks down the L<personality(2)> system
3255				call so that the kernel execution domain may not be changed from the default or the personality selected with
3256				C<Personality> directive. This may be useful to improve security, because odd personality
3257				emulations may be poorly tested and source of vulnerabilities. If running in user mode, or in system mode, but
3258				without the C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3259				C<NoNewPrivileges=yes> is implied.',
3260				'type' => 'leaf',
3261				'value_type' => 'boolean',
3262				'write_as' => [
3263				'no',
3264				'yes'
3265				]
3266				},
3267				'MemoryDenyWriteExecute',
3268				{
3269				'description' => 'Takes a boolean argument. If set, attempts to create memory mappings that are writable and
3270				executable at the same time, or to change existing memory mappings to become executable, or mapping shared
3271				memory segments as executable, are prohibited. Specifically, a system call filter is added that rejects
3272				L<mmap(2)> system calls with both
3273				C<PROT_EXEC> and C<PROT_WRITE> set,
3274				L<mprotect(2)> or
3275				L<pkey_mprotect(2)> system calls
3276				with C<PROT_EXEC> set and
3277				L<shmat(2)> system calls with
3278				C<SHM_EXEC> set. Note that this option is incompatible with programs and libraries that
3279				generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
3280				"trampoline" feature of various C compilers. This option improves service security, as it makes harder for
3281				software exploits to change running code dynamically. However, the protection can be circumvented, if
3282				the service can write to a filesystem, which is not mounted with C<noexec> (such as
3283				C</dev/shm>), or it can use memfd_create(). This can be
3284				prevented by making such file systems inaccessible to the service
3285				(e.g. C<InaccessiblePaths=/dev/shm>) and installing further system call filters
3286				(C<SystemCallFilter=~memfd_create>). Note that this feature is fully available on
3287				x86-64, and partially on x86. Specifically, the shmat() protection is not
3288				available on x86. Note that on systems supporting multiple ABIs (such as x86/x86-64) it is
3289				recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the
3290				restrictions of this option. Specifically, it is recommended to combine this option with
3291				C<SystemCallArchitectures=native> or similar. If running in user mode, or in system
3292				mode, but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3293				C<User>), C<NoNewPrivileges=yes> is implied.',
3294				'type' => 'leaf',
3295				'value_type' => 'boolean',
3296				'write_as' => [
3297				'no',
3298				'yes'
3299				]
3300				},
3301				'RestrictRealtime',
3302				{
3303				'description' => 'Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
3304				the unit are refused. This restricts access to realtime task scheduling policies such as
3305				C<SCHED_FIFO>, C<SCHED_RR> or C<SCHED_DEADLINE>. See
3306				L<sched(7)>
3307				for details about these scheduling policies. If running in user mode, or in system mode, but without the
3308				C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3309				C<NoNewPrivileges=yes> is implied. Realtime scheduling policies may be used to monopolize CPU
3310				time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial-of-Service
3311				situations on the system. It is hence recommended to restrict access to realtime scheduling to the few programs
3312				that actually require them. Defaults to off.',
3313				'type' => 'leaf',
3314				'value_type' => 'boolean',
3315				'write_as' => [
3316				'no',
3317				'yes'
3318				]
3319				},
3320				'RestrictSUIDSGID',
3321				{
3322				'description' => 'Takes a boolean argument. If set, any attempts to set the set-user-ID (SUID) or
3323				set-group-ID (SGID) bits on files or directories will be denied (for details on these bits see
3324				L<inode(7)>). If
3325				running in user mode, or in system mode, but without the C<CAP_SYS_ADMIN>
3326				capability (e.g. setting C<User>), C<NoNewPrivileges=yes> is
3327				implied. As the SUID/SGID bits are mechanisms to elevate privileges, and allow users to acquire the
3328				identity of other users, it is recommended to restrict creation of SUID/SGID files to the few
3329				programs that actually require them. Note that this restricts marking of any type of file system
3330				object with these bits, including both regular files and directories (where the SGID is a different
3331				meaning than for files, see documentation). This option is implied if C<DynamicUser>
3332				is enabled. Defaults to off.',
3333				'type' => 'leaf',
3334				'value_type' => 'boolean',
3335				'write_as' => [
3336				'no',
3337				'yes'
3338				]
3339				},
3340				'RemoveIPC',
3341				{
3342				'description' => 'Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and
3343				group the processes of this unit are run as are removed when the unit is stopped. This setting only has an
3344				effect if at least one of C<User>, C<Group> and
3345				C<DynamicUser> are used. It has no effect on IPC objects owned by the root user. Specifically,
3346				this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If
3347				multiple units use the same user or group the IPC objects are removed when the last of these units is
3348				stopped. This setting is implied if C<DynamicUser> is set.',
3349				'type' => 'leaf',
3350				'value_type' => 'boolean',
3351				'write_as' => [
3352				'no',
3353				'yes'
3354				]
3355				},
3356				'PrivateMounts',
3357				{
3358				'description' => "Takes a boolean parameter. If set, the processes of this unit will be run in their own private
3359				file system (mount) namespace with all mount propagation from the processes towards the host's main file system
3360				namespace turned off. This means any file system mount points established or removed by the unit's processes
3361				will be private to them and not be visible to the host. However, file system mount points established or
3362				removed on the host will be propagated to the unit's processes. See L<mount_namespaces(7)> for
3363				details on file system namespaces. Defaults to off.
3364
3365				When turned on, this executes three operations for each invoked process: a new
3366				C<CLONE_NEWNS> namespace is created, after which all existing mounts are remounted to
3367				C<MS_SLAVE> to disable propagation from the unit's processes to the host (but leaving
3368				propagation in the opposite direction in effect). Finally, the mounts are remounted again to the propagation
3369				mode configured with C<MountFlags>, see below.
3370
3371				File system namespaces are set up individually for each process forked off by the service manager. Mounts
3372				established in the namespace of the process created by C<ExecStartPre> will hence be cleaned
3373				up automatically as soon as that process exits and will not be available to subsequent processes forked off for
3374				C<ExecStart> (and similar applies to the various other commands configured for
3375				units). Similarly, C<JoinsNamespaceOf> does not permit sharing kernel mount namespaces between
3376				units, it only enables sharing of the C</tmp/> and C</var/tmp/>
3377				directories.
3378
3379				Other file system namespace unit settings \x{2014} C<PrivateMounts>,
3380				C<PrivateTmp>, C<PrivateDevices>, C<ProtectSystem>,
3381				C<ProtectHome>, C<ReadOnlyPaths>, C<InaccessiblePaths>,
3382				C<ReadWritePaths>, \x{2026} \x{2014} also enable file system namespacing in a fashion equivalent to this
3383				option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are
3384				used.",
3385				'type' => 'leaf',
3386				'value_type' => 'boolean',
3387				'write_as' => [
3388				'no',
3389				'yes'
3390				]
3391				},
3392				'MountFlags',
3393				{
3394				'description' => "Takes a mount propagation setting: C<shared>, C<slave> or
3395				C<private>, which controls whether file system mount points in the file system namespaces set up
3396				for this unit's processes will receive or propagate mounts and unmounts from other file system namespaces. See
3397				L<mount(2)>
3398				for details on mount propagation, and the three propagation flags in particular.
3399
3400				This setting only controls the final propagation setting in effect on all mount
3401				points of the file system namespace created for each process of this unit. Other file system namespacing unit
3402				settings (see the discussion in C<PrivateMounts> above) will implicitly disable mount and
3403				unmount propagation from the unit's processes towards the host by changing the propagation setting of all mount
3404				points in the unit's file system namespace to C<slave> first. Setting this option to
3405				C<shared> does not reestablish propagation in that case.
3406
3407				If not set \x{2013} but file system namespaces are enabled through another file system namespace unit setting \x{2013}
3408				C<shared> mount propagation is used, but \x{2014} as mentioned \x{2014} as C<slave> is applied
3409				first, propagation from the unit's processes to the host is still turned off.
3410
3411				It is not recommended to use C<private> mount propagation for units, as this means
3412				temporary mounts (such as removable media) of the host will stay mounted and thus indefinitely busy in forked
3413				off processes, as unmount propagation events won't be received by the file system namespace of the unit.
3414
3415				Usually, it is best to leave this setting unmodified, and use higher level file system namespacing
3416				options instead, in particular C<PrivateMounts>, see above.",
3417				'type' => 'leaf',
3418				'value_type' => 'uniline'
3419				},
3420				'SystemCallFilter',
3421				{
3422				'cargo' => {
3423				'type' => 'leaf',
3424				'value_type' => 'uniline'
3425				},
3426				'description' => "Takes a space-separated list of system call names. If this setting is used, all
3427				system calls executed by the unit processes except for the listed ones will result in immediate
3428				process termination with the C<SIGSYS> signal (allow-listing). (See
3429				C<SystemCallErrorNumber> below for changing the default action). If the first
3430				character of the list is C<~>, the effect is inverted: only the listed system calls
3431				will result in immediate process termination (deny-listing). Deny-listed system calls and system call
3432				groups may optionally be suffixed with a colon (C<:>) and C<errno>
3433				error number (between 0 and 4095) or errno name such as C<EPERM>,
3434				C<EACCES> or C<EUCLEAN> (see L<errno(3)> for a
3435				full list). This value will be returned when a deny-listed system call is triggered, instead of
3436				terminating the processes immediately. Special setting C<kill> can be used to
3437				explicitly specify killing. This value takes precedence over the one given in
3438				C<SystemCallErrorNumber>, see below. If running in user mode, or in system mode,
3439				but without the C<CAP_SYS_ADMIN> capability (e.g. setting
3440				C<User>), C<NoNewPrivileges=yes> is implied. This feature
3441				makes use of the Secure Computing Mode 2 interfaces of the kernel ('seccomp filtering') and is useful
3442				for enforcing a minimal sandboxing environment. Note that the execve(),
3443				exit(), exit_group(), getrlimit(),
3444				rt_sigreturn(), sigreturn() system calls and the system calls
3445				for querying time and sleeping are implicitly allow-listed and do not need to be listed
3446				explicitly. This option may be specified more than once, in which case the filter masks are
3447				merged. If the empty string is assigned, the filter is reset, all prior assignments will have no
3448				effect. This does not affect commands prefixed with C<+>.
3449
3450				Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off
3451				alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this
3452				option. Specifically, it is recommended to combine this option with
3453				C<SystemCallArchitectures=native> or similar.
3454
3455				Note that strict system call filters may impact execution and error handling code paths of the service
3456				invocation. Specifically, access to the execve() system call is required for the execution
3457				of the service binary \x{2014} if it is blocked service invocation will necessarily fail. Also, if execution of the
3458				service binary fails for some reason (for example: missing service executable), the error handling logic might
3459				require access to an additional set of system calls in order to process and log this failure correctly. It
3460				might be necessary to temporarily disable system call filters in order to simplify debugging of such
3461				failures.
3462
3463				If you specify both types of this option (i.e. allow-listing and deny-listing), the first
3464				encountered will take precedence and will dictate the default action (termination or approval of a
3465				system call). Then the next occurrences of this option will add or delete the listed system calls
3466				from the set of the filtered system calls, depending of its type and the default action. (For
3467				example, if you have started with an allow list rule for read() and
3468				write(), and right after it add a deny list rule for write(),
3469				then write() will be removed from the set.)
3470
3471				As the number of possible system calls is large, predefined sets of system calls are provided. A set
3472				starts with C<\@> character, followed by name of the set.
3473				Currently predefined system call setsSetDescription\@aioAsynchronous I/O (L<io_setup(2)>, L<io_submit(2)>, and related
3474				calls)\@basic-ioSystem calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing
3475				(L<read(2)>, L<write(2)>, and related calls)\@chownChanging file ownership (L<chown(2)>, L<fchownat(2)>, and related
3476				calls)\@clockSystem calls for changing the system clock (L<adjtimex(2)>, L<settimeofday(2)>, and related
3477				calls)\@cpu-emulationSystem calls for CPU emulation functionality (L<vm86(2)> and related calls)\@debugDebugging,
3478				performance monitoring and tracing functionality (L<ptrace(2)>, L<perf_event_open(2)> and related
3479				calls)\@file-systemFile system operations: opening, creating files and directories for read and write, renaming and
3480				removing them, reading file properties, or creating hard and symbolic links\@io-eventEvent loop system calls
3481				(L<poll(2)>, L<select(2)>, L<epoll(7)>, L<eventfd(2)> and related calls)\@ipcPipes, SysV IPC, POSIX Message Queues and
3482				other IPC (L<mq_overview(7)>, L<svipc(7)>)\@keyringKernel keyring access (L<keyctl(2)> and related calls)\@memlockLocking
3483				of memory in RAM (L<mlock(2)>, L<mlockall(2)> and related calls)\@moduleLoading and unloading of kernel modules
3484				(L<init_module(2)>, L<delete_module(2)> and related calls)\@mountMounting and unmounting of file systems (L<mount(2)>,
3485				L<chroot(2)>, and related calls)\@network-ioSocket I/O (including local AF_UNIX): L<socket(7)>,
3486				L<unix(7)>\@obsoleteUnusual, obsolete or unimplemented (L<create_module(2)>, L<gtty(2)>, \x{2026})\@privilegedAll system calls
3487				which need super-user capabilities (L<capabilities(7)>)\@processProcess control, execution, namespacing operations
3488				(L<clone(2)>, L<kill(2)>, L<namespaces(7)>, \x{2026})\@raw-ioRaw I/O port access (L<ioperm(2)>, L<iopl(2)>, pciconfig_read(),
3489				\x{2026})\@rebootSystem calls for rebooting and reboot preparation (L<reboot(2)>, kexec(), \x{2026})\@resourcesSystem calls for
3490				changing resource limits, memory and scheduling parameters (L<setrlimit(2)>, L<setpriority(2)>, \x{2026})\@setuidSystem calls
3491				for changing user ID and group ID credentials, (L<setuid(2)>, L<setgid(2)>, L<setresuid(2)>, \x{2026})\@signalSystem calls for
3492				manipulating and handling process signals (L<signal(2)>, L<sigprocmask(2)>, \x{2026})\@swapSystem calls for enabling/disabling
3493				swap devices (L<swapon(2)>, L<swapoff(2)>)\@syncSynchronizing files and memory to disk (L<fsync(2)>, L<msync(2)>, and
3494				related calls)\@system-serviceA reasonable set of system calls used by common system services, excluding any special
3495				purpose calls. This is the recommended starting point for allow-listing system calls for system services, as it
3496				contains what is typically needed by system services, but excludes overly specific interfaces. For example, the
3497				following APIs are excluded: C<\@clock>, C<\@mount>, C<\@swap>, C<\@reboot>.\@timerSystem calls for scheduling operations by
3498				time (L<alarm(2)>, L<timer_create(2)>, \x{2026})\@knownAll system calls defined by the kernel. This list is defined statically
3499				in systemd based on a kernel version that was available when this systemd version was released. It will become
3500				progressively more out-of-date as the kernel is updated.
3501				Note, that as new system calls are added to the kernel, additional system calls might be added to the groups
3502				above. Contents of the sets may also change between systemd versions. In addition, the list of system calls
3503				depends on the kernel version and architecture for which systemd was compiled. Use
3504				systemd-analyze\x{a0}syscall-filter to list the actual list of system calls in each
3505				filter.
3506
3507				Generally, allow-listing system calls (rather than deny-listing) is the safer mode of
3508				operation. It is recommended to enforce system call allow lists for all long-running system
3509				services. Specifically, the following lines are a relatively safe basic choice for the majority of
3510				system services:
3511
3512				Note that various kernel system calls are defined redundantly: there are multiple system calls
3513				for executing the same operation. For example, the pidfd_send_signal() system
3514				call may be used to execute operations similar to what can be done with the older
3515				kill() system call, hence blocking the latter without the former only provides
3516				weak protection. Since new system calls are added regularly to the kernel as development progresses,
3517				keeping system call deny lists comprehensive requires constant work. It is thus recommended to use
3518				allow-listing instead, which offers the benefit that new system calls are by default implicitly
3519				blocked until the allow list is updated.
3520
3521				Also note that a number of system calls are required to be accessible for the dynamic linker to
3522				work. The dynamic linker is required for running most regular programs (specifically: all dynamic ELF
3523				binaries, which is how most distributions build packaged programs). This means that blocking these
3524				system calls (which include open(), openat() or
3525				mmap()) will make most programs typically shipped with generic distributions
3526				unusable.
3527
3528				It is recommended to combine the file system namespacing related options with
3529				C<SystemCallFilter=~\@mount>, in order to prohibit the unit's processes to undo the
3530				mappings. Specifically these are the options C<PrivateTmp>,
3531				C<PrivateDevices>, C<ProtectSystem>, C<ProtectHome>,
3532				C<ProtectKernelTunables>, C<ProtectControlGroups>,
3533				C<ProtectKernelLogs>, C<ProtectClock>, C<ReadOnlyPaths>,
3534				C<InaccessiblePaths> and C<ReadWritePaths>.",
3535				'type' => 'list'
3536				},
3537				'SystemCallErrorNumber',
3538				{
3539				'description' => 'Takes an C<errno> error number (between 1 and 4095) or errno name
3540				such as C<EPERM>, C<EACCES> or C<EUCLEAN>, to
3541				return when the system call filter configured with C<SystemCallFilter> is triggered,
3542				instead of terminating the process immediately. See L<errno(3)> for a
3543				full list of error codes. When this setting is not used, or when the empty string or the special
3544				setting C<kill> is assigned, the process will be terminated immediately when the
3545				filter is triggered.',
3546				'type' => 'leaf',
3547				'value_type' => 'uniline'
3548				},
3549				'SystemCallArchitectures',
3550				{
3551				'description' => "Takes a space-separated list of architecture identifiers to include in the system call
3552				filter. The known architecture identifiers are the same as for C<ConditionArchitecture>
3553				described in L<systemd.unit(5)>,
3554				as well as C<x32>, C<mips64-n32>, C<mips64-le-n32>, and
3555				the special identifier C<native>. The special identifier C<native>
3556				implicitly maps to the native architecture of the system (or more precisely: to the architecture the system
3557				manager is compiled for). If running in user mode, or in system mode, but without the
3558				C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3559				C<NoNewPrivileges=yes> is implied. By default, this option is set to the empty list, i.e. no
3560				filtering is applied.
3561
3562				If this setting is used, processes of this unit will only be permitted to call native system calls, and
3563				system calls of the specified architectures. For the purposes of this option, the x32 architecture is treated
3564				as including x86-64 system calls. However, this setting still fulfills its purpose, as explained below, on
3565				x32.
3566
3567				System call filtering is not equally effective on all architectures. For example, on x86
3568				filtering of network socket-related calls is not possible, due to ABI limitations \x{2014} a limitation that x86-64
3569				does not have, however. On systems supporting multiple ABIs at the same time \x{2014} such as x86/x86-64 \x{2014} it is hence
3570				recommended to limit the set of permitted system call architectures so that secondary ABIs may not be used to
3571				circumvent the restrictions applied to the native ABI of the system. In particular, setting
3572				C<SystemCallArchitectures=native> is a good choice for disabling non-native ABIs.
3573
3574				System call architectures may also be restricted system-wide via the
3575				C<SystemCallArchitectures> option in the global configuration. See
3576				L<systemd-system.conf(5)> for
3577				details.",
3578				'type' => 'leaf',
3579				'value_type' => 'uniline'
3580				},
3581				'SystemCallLog',
3582				{
3583				'cargo' => {
3584				'type' => 'leaf',
3585				'value_type' => 'uniline'
3586				},
3587				'description' => 'Takes a space-separated list of system call names. If this setting is used, all
3588				system calls executed by the unit processes for the listed ones will be logged. If the first
3589				character of the list is C<~>, the effect is inverted: all system calls except the
3590				listed system calls will be logged. If running in user mode, or in system mode, but without the
3591				C<CAP_SYS_ADMIN> capability (e.g. setting C<User>),
3592				C<NoNewPrivileges=yes> is implied. This feature makes use of the Secure Computing
3593				Mode 2 interfaces of the kernel (\'seccomp filtering\') and is useful for auditing or setting up a
3594				minimal sandboxing environment. This option may be specified more than once, in which case the filter
3595				masks are merged. If the empty string is assigned, the filter is reset, all prior assignments will
3596				have no effect. This does not affect commands prefixed with C<+>.',
3597				'type' => 'list'
3598				},
3599				'Environment',
3600				{
3601				'cargo' => {
3602				'type' => 'leaf',
3603				'value_type' => 'uniline'
3604				},
3605				'description' => "Sets environment variables for executed processes. Each line is unquoted using the
3606				rules described in \"Quoting\" section in
3607				L<systemd.syntax(7)>
3608				and becomes a list of variable assignments. If you need to assign a value containing spaces or the
3609				equals sign to a variable, put quotes around the whole assignment. Variable expansion is not
3610				performed inside the strings and the C<\$> character has no special meaning. Specifier
3611				expansion is performed, see the \"Specifiers\" section in
3612				L<systemd.unit(5)>.
3613
3614				This option may be specified more than once, in which case all listed variables will be set. If
3615				the same variable is listed twice, the later setting will override the earlier setting. If the empty
3616				string is assigned to this option, the list of environment variables is reset, all prior assignments
3617				have no effect.
3618
3619				The names of the variables can contain ASCII letters, digits, and the underscore character.
3620				Variable names cannot be empty or start with a digit. In variable values, most characters are
3621				allowed, but non-printable characters are currently rejected.
3622
3623				Example:
3624
3625				Environment=\"VAR1=word1 word2\" VAR2=word3 \"VAR3=\$word 5 6\"
3626
3627				gives three variables C<VAR1>,
3628				C<VAR2>, C<VAR3>
3629				with the values C<word1 word2>,
3630				C<word3>, C<\$word 5 6>.
3631
3632				See L<environ(7)> for
3633				details about environment variables.
3634
3635				Note that environment variables are not suitable for passing secrets (such as passwords, key
3636				material, \x{2026}) to service processes. Environment variables set for a unit are exposed to unprivileged
3637				clients via D-Bus IPC, and generally not understood as being data that requires protection. Moreover,
3638				environment variables are propagated down the process tree, including across security boundaries
3639				(such as setuid/setgid executables), and hence might leak to processes that should not have access to
3640				the secret data. Use C<LoadCredential>, C<LoadCredentialEncrypted>
3641				or C<SetCredentialEncrypted> (see below) to pass data to unit processes
3642				securely.",
3643				'type' => 'list'
3644				},
3645				'EnvironmentFile',
3646				{
3647				'cargo' => {
3648				'type' => 'leaf',
3649				'value_type' => 'uniline'
3650				},
3651				'description' => 'Similar to C<Environment>, but reads the environment variables from
3652				a text file. The text file should contain newline-separated variable assignments. Empty lines, lines
3653				without an C<=> separator, or lines starting with C<;> or
3654				C<#> will be ignored, which may be used for commenting. The file must be UTF-8
3655				encoded. Valid characters are L<unicode scalar values\|https://www.unicode.org/glossary/#unicode_scalar_value> other
3656				than
3657				L<noncharacters\|https://www.unicode.org/glossary/#noncharacter>, U+0000 NUL, and
3658				U+FEFF L<byte order mark\|https://www.unicode.org/glossary/#byte_order_mark>.
3659				Control codes other than NUL are allowed.
3660
3661				In the file, an unquoted value after the C<=> is parsed with the same backslash-escape
3662				rules as L<unquoted
3663				text\|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_01> in a POSIX shell, but
3664				unlike in a shell, interior whitespace is preserved and quotes after the
3665				first non-whitespace character are preserved. Leading and trailing whitespace (space, tab, carriage return) is
3666				discarded, but interior whitespace within the line is preserved verbatim. A line ending with a backslash will be
3667				continued to the following one, with the newline itself discarded. A backslash
3668				C<\\> followed by any character other than newline will preserve the following character, so that
3669				C<\\\\> will become the value C<\\>.
3670
3671				In the file, a C<\'>-quoted value after the C<=> can span multiple lines
3672				and contain any character verbatim other than single quote, like L<single-quoted
3673				text\|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_02> in a POSIX shell. No
3674				backslash-escape sequences are recognized. Leading and trailing whitespace
3675				outside of the single quotes is discarded.
3676
3677				In the file, a C<">-quoted value after the C<=> can span multiple lines,
3678				and the same escape sequences are recognized as in L<double-quoted
3679				text\|https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_03> of a POSIX shell.
3680				Backslash (C<\\>) followed by any of C<"\\`$> will
3681				preserve that character. A backslash followed by newline is a line continuation, and the newline itself is
3682				discarded. A backslash followed by any other character is ignored; both the backslash and the following
3683				character are preserved verbatim. Leading and trailing whitespace outside of the double quotes is
3684				discarded.
3685
3686				The argument passed should be an absolute filename or wildcard expression, optionally prefixed with
3687				C<->, which indicates that if the file does not exist, it will not be read and no error or
3688				warning message is logged. This option may be specified more than once in which case all specified files are
3689				read. If the empty string is assigned to this option, the list of file to read is reset, all prior assignments
3690				have no effect.
3691
3692				The files listed with this directive will be read shortly before the process is executed (more
3693				specifically, after all processes from a previous unit state terminated. This means you can generate these
3694				files in one unit state, and read it with this option in the next. The files are read from the file
3695				system of the service manager, before any file system changes like bind mounts take place).
3696
3697				Settings from these files override settings made with C<Environment>. If the same
3698				variable is set twice from these files, the files will be read in the order they are specified and the later
3699				setting will override the earlier setting.',
3700				'type' => 'list'
3701				},
3702				'PassEnvironment',
3703				{
3704				'cargo' => {
3705				'type' => 'leaf',
3706				'value_type' => 'uniline'
3707				},
3708				'description' => 'Pass environment variables set for the system service manager to executed processes. Takes a
3709				space-separated list of variable names. This option may be specified more than once, in which case all listed
3710				variables will be passed. If the empty string is assigned to this option, the list of environment variables to
3711				pass is reset, all prior assignments have no effect. Variables specified that are not set for the system
3712				manager will not be passed and will be silently ignored. Note that this option is only relevant for the system
3713				service manager, as system services by default do not automatically inherit any environment variables set for
3714				the service manager itself. However, in case of the user service manager all environment variables are passed
3715				to the executed processes anyway, hence this option is without effect for the user service manager.
3716
3717				Variables set for invoked processes due to this setting are subject to being overridden by those
3718				configured with C<Environment> or C<EnvironmentFile>.
3719
3720				Example:
3721
3722				PassEnvironment=VAR1 VAR2 VAR3
3723
3724				passes three variables C<VAR1>,
3725				C<VAR2>, C<VAR3>
3726				with the values set for those variables in PID1.
3727
3728				See L<environ(7)> for details
3729				about environment variables.',
3730				'type' => 'list'
3731				},
3732				'UnsetEnvironment',
3733				{
3734				'cargo' => {
3735				'type' => 'leaf',
3736				'value_type' => 'uniline'
3737				},
3738				'description' => 'Explicitly unset environment variable assignments that would normally be passed from the
3739				service manager to invoked processes of this unit. Takes a space-separated list of variable names or variable
3740				assignments. This option may be specified more than once, in which case all listed variables/assignments will
3741				be unset. If the empty string is assigned to this option, the list of environment variables/assignments to
3742				unset is reset. If a variable assignment is specified (that is: a variable name, followed by
3743				C<=>, followed by its value), then any environment variable matching this precise assignment is
3744				removed. If a variable name is specified (that is a variable name without any following C<=> or
3745				value), then any assignment matching the variable name, regardless of its value is removed. Note that the
3746				effect of C<UnsetEnvironment> is applied as final step when the environment list passed to
3747				executed processes is compiled. That means it may undo assignments from any configuration source, including
3748				assignments made through C<Environment> or C<EnvironmentFile>, inherited from
3749				the system manager\'s global set of environment variables, inherited via C<PassEnvironment>,
3750				set by the service manager itself (such as C<$NOTIFY_SOCKET> and such), or set by a PAM module
3751				(in case C<PAMName> is used).
3752
3753				See "Environment Variables in Spawned Processes" below for a description of how those
3754				settings combine to form the inherited environment. See L<environ(7)> for general
3755				information about environment variables.',
3756				'type' => 'list'
3757				},
3758				'StandardInput',
3759				{
3760				'choice' => [
3761				'null',
3762				'tty',
3763				'tty-force',
3764				'tty-fail',
3765				'data',
3766				'socket'
3767				],
3768				'description' => "Controls where file descriptor 0 (STDIN) of the executed processes is connected to. Takes one
3769				of C<null>, C<tty>, C<tty-force>, C<tty-fail>,
3770				C<data>, C<file:path>, C<socket> or
3771				C<fd:name>.
3772
3773				If C<null> is selected, standard input will be connected to C</dev/null>,
3774				i.e. all read attempts by the process will result in immediate EOF.
3775
3776				If C<tty> is selected, standard input is connected to a TTY (as configured by
3777				C<TTYPath>, see below) and the executed process becomes the controlling process of the
3778				terminal. If the terminal is already being controlled by another process, the executed process waits until the
3779				current controlling process releases the terminal.
3780
3781				C<tty-force> is similar to C<tty>, but the executed process is forcefully and
3782				immediately made the controlling process of the terminal, potentially removing previous controlling processes
3783				from the terminal.
3784
3785				C<tty-fail> is similar to C<tty>, but if the terminal already has a
3786				controlling process start-up of the executed process fails.
3787
3788				The C<data> option may be used to configure arbitrary textual or binary data to pass via
3789				standard input to the executed process. The data to pass is configured via
3790				C<StandardInputText>/C<StandardInputData> (see below). Note that the actual
3791				file descriptor type passed (memory file, regular file, UNIX pipe, \x{2026}) might depend on the kernel and available
3792				privileges. In any case, the file descriptor is read-only, and when read returns the specified data followed by
3793				EOF.
3794
3795				The C<file:path> option may be used to connect a specific file
3796				system object to standard input. An absolute path following the C<:> character is expected,
3797				which may refer to a regular file, a FIFO or special file. If an C<AF_UNIX> socket in the
3798				file system is specified, a stream socket is connected to it. The latter is useful for connecting standard
3799				input of processes to arbitrary system services.
3800
3801				The C<socket> option is valid in socket-activated services only, and requires the relevant
3802				socket unit file (see
3803				L<systemd.socket(5)> for details)
3804				to have C<Accept=yes> set, or to specify a single socket only. If this option is set, standard
3805				input will be connected to the socket the service was activated from, which is primarily useful for
3806				compatibility with daemons designed for use with the traditional L<inetd(8)> socket activation
3807				daemon.
3808
3809				The C<fd:name> option connects standard input to a specific,
3810				named file descriptor provided by a socket unit. The name may be specified as part of this option, following a
3811				C<:> character (e.g. C<fd:foobar>). If no name is specified, the name
3812				C<stdin> is implied (i.e. C<fd> is equivalent to C<fd:stdin>).
3813				At least one socket unit defining the specified name must be provided via the C<Sockets>
3814				option, and the file descriptor name may differ from the name of its containing socket unit. If multiple
3815				matches are found, the first one will be used. See C<FileDescriptorName> in
3816				L<systemd.socket(5)> for more
3817				details about named file descriptors and their ordering.
3818
3819				This setting defaults to C<null>, unless
3820				C<StandardInputText>/C<StandardInputData> are set, in which case it
3821				defaults to C<data>.",
3822				'type' => 'leaf',
3823				'value_type' => 'enum'
3824				},
3825				'StandardOutput',
3826				{
3827				'choice' => [
3828				'inherit',
3829				'null',
3830				'tty',
3831				'journal',
3832				'kmsg',
3833				'journal+console',
3834				'kmsg+console',
3835				'socket'
3836				],
3837				'description' => "Controls where file descriptor 1 (stdout) of the executed processes is connected
3838				to. Takes one of C<inherit>, C<null>, C<tty>,
3839				C<journal>, C<kmsg>, C<journal+console>,
3840				C<kmsg+console>, C<file:path>,
3841				C<append:path>, C<truncate:path>,
3842				C<socket> or C<fd:name>.
3843
3844				C<inherit> duplicates the file descriptor of standard input for standard output.
3845
3846				C<null> connects standard output to C</dev/null>, i.e. everything written
3847				to it will be lost.
3848
3849				C<tty> connects standard output to a tty (as configured via C<TTYPath>,
3850				see below). If the TTY is used for output only, the executed process will not become the controlling process of
3851				the terminal, and will not fail or wait for other processes to release the terminal.
3852
3853				C<journal> connects standard output with the journal, which is accessible via
3854				L<journalctl(1)>. Note
3855				that everything that is written to kmsg (see below) is implicitly stored in the journal as well, the
3856				specific option listed below is hence a superset of this one. (Also note that any external,
3857				additional syslog daemons receive their log data from the journal, too, hence this is the option to
3858				use when logging shall be processed with such a daemon.)
3859
3860				C<kmsg> connects standard output with the kernel log buffer which is accessible via
3861				L<dmesg(1)>,
3862				in addition to the journal. The journal daemon might be configured to send all logs to kmsg anyway, in which
3863				case this option is no different from C<journal>.
3864
3865				C<journal+console> and C<kmsg+console> work in a similar way as the
3866				two options above but copy the output to the system console as well.
3867
3868				The C<file:path> option may be used to connect a specific file
3869				system object to standard output. The semantics are similar to the same option of
3870				C<StandardInput>, see above. If path refers to a regular file
3871				on the filesystem, it is opened (created if it doesn't exist yet) for writing at the beginning of the file,
3872				but without truncating it.
3873				If standard input and output are directed to the same file path, it is opened only once \x{2014} for reading as well
3874				as writing \x{2014} and duplicated. This is particularly useful when the specified path refers to an
3875				C<AF_UNIX> socket in the file system, as in that case only a
3876				single stream connection is created for both input and output.
3877
3878				C<append:path> is similar to
3879				C<file:path> above, but it opens the file in append mode.
3880
3881				C<truncate:path> is similar to
3882				C<file:path> above, but it truncates the file when opening
3883				it. For units with multiple command lines, e.g. C<Type=oneshot> services with
3884				multiple C<ExecStart>, or services with C<ExecCondition>,
3885				C<ExecStartPre> or C<ExecStartPost>, the output file is reopened
3886				and therefore re-truncated for each command line. If the output file is truncated while another
3887				process still has the file open, e.g. by an C<ExecReload> running concurrently with
3888				an C<ExecStart>, and the other process continues writing to the file without
3889				adjusting its offset, then the space between the file pointers of the two processes may be filled
3890				with C<NUL> bytes, producing a sparse file. Thus,
3891				C<truncate:path> is typically only useful for units where
3892				only one process runs at a time, such as services with a single C<ExecStart> and no
3893				C<ExecStartPost>, C<ExecReload>, C<ExecStop> or
3894				similar.
3895
3896				C<socket> connects standard output to a socket acquired via socket activation. The
3897				semantics are similar to the same option of C<StandardInput>, see above.
3898
3899				The C<fd:name> option connects standard output to a
3900				specific, named file descriptor provided by a socket unit. A name may be specified as part of this
3901				option, following a C<:> character
3902				(e.g. C<fd:foobar>). If no name is specified, the name
3903				C<stdout> is implied (i.e. C<fd> is equivalent to
3904				C<fd:stdout>). At least one socket unit defining the specified name must be provided
3905				via the C<Sockets> option, and the file descriptor name may differ from the name of
3906				its containing socket unit. If multiple matches are found, the first one will be used. See
3907				C<FileDescriptorName> in
3908				L<systemd.socket(5)>
3909				for more details about named descriptors and their ordering.
3910
3911				If the standard output (or error output, see below) of a unit is connected to the journal or
3912				the kernel log buffer, the unit will implicitly gain a dependency of type C<After>
3913				on C<systemd-journald.socket> (also see the \"Implicit Dependencies\" section
3914				above). Also note that in this case stdout (or stderr, see below) will be an
3915				C<AF_UNIX> stream socket, and not a pipe or FIFO that can be re-opened. This means
3916				when executing shell scripts the construct echo \"hello\" > /dev/stderr for
3917				writing text to stderr will not work. To mitigate this use the construct echo \"hello\"
3918				>&2 instead, which is mostly equivalent and avoids this pitfall.
3919
3920				If C<StandardInput> is set to one of C<tty>, C<tty-force>,
3921				C<tty-fail>, C<socket>, or C<fd:name>, this
3922				setting defaults to C<inherit>.
3923
3924				In other cases, this setting defaults to the value set with C<DefaultStandardOutput> in
3925				L<systemd-system.conf(5)>, which
3926				defaults to C<journal>. Note that setting this parameter might result in additional dependencies
3927				to be added to the unit (see above).",
3928				'type' => 'leaf',
3929				'value_type' => 'enum'
3930				},
3931				'StandardError',
3932				{
3933				'description' => 'Controls where file descriptor 2 (stderr) of the executed processes is connected to. The
3934				available options are identical to those of C<StandardOutput>, with some exceptions: if set to
3935				C<inherit> the file descriptor used for standard output is duplicated for standard error, while
3936				C<fd:name> will use a default file descriptor name of
3937				C<stderr>.
3938
3939				This setting defaults to the value set with C<DefaultStandardError> in
3940				L<systemd-system.conf(5)>, which
3941				defaults to C<inherit>. Note that setting this parameter might result in additional dependencies
3942				to be added to the unit (see above).',
3943				'type' => 'leaf',
3944				'value_type' => 'uniline'
3945				},
3946				'StandardInputText',
3947				{
3948				'description' => 'Configures arbitrary textual or binary data to pass via file descriptor 0 (STDIN) to
3949				the executed processes. These settings have no effect unless C<StandardInput> is set
3950				to C<data> (which is the default if C<StandardInput> is not set
3951				otherwise, but C<StandardInputText>/C<StandardInputData> is). Use
3952				this option to embed process input data directly in the unit file.
3953
3954				C<StandardInputText> accepts arbitrary textual data. C-style escapes for special
3955				characters as well as the usual C<%>-specifiers are resolved. Each time this setting is used
3956				the specified text is appended to the per-unit data buffer, followed by a newline character (thus every use
3957				appends a new line to the end of the buffer). Note that leading and trailing whitespace of lines configured
3958				with this option is removed. If an empty line is specified the buffer is cleared (hence, in order to insert an
3959				empty line, add an additional C<\\n> to the end or beginning of a line).
3960
3961				C<StandardInputData> accepts arbitrary binary data, encoded in
3962				L<Base64\|https://tools.ietf.org/html/rfc2045#section-6.8>. No escape sequences or specifiers are
3963				resolved. Any whitespace in the encoded version is ignored during decoding.
3964
3965				Note that C<StandardInputText> and C<StandardInputData> operate on the
3966				same data buffer, and may be mixed in order to configure both binary and textual data for the same input
3967				stream. The textual or binary data is joined strictly in the order the settings appear in the unit
3968				file. Assigning an empty string to either will reset the data buffer.
3969
3970				Please keep in mind that in order to maintain readability long unit file settings may be split into
3971				multiple lines, by suffixing each line (except for the last) with a C<\\> character (see
3972				L<systemd.unit(5)> for
3973				details). This is particularly useful for large data configured with these two options. Example:',
3974				'type' => 'leaf',
3975				'value_type' => 'uniline'
3976				},
3977				'StandardInputData',
3978				{
3979				'description' => 'Configures arbitrary textual or binary data to pass via file descriptor 0 (STDIN) to
3980				the executed processes. These settings have no effect unless C<StandardInput> is set
3981				to C<data> (which is the default if C<StandardInput> is not set
3982				otherwise, but C<StandardInputText>/C<StandardInputData> is). Use
3983				this option to embed process input data directly in the unit file.
3984
3985				C<StandardInputText> accepts arbitrary textual data. C-style escapes for special
3986				characters as well as the usual C<%>-specifiers are resolved. Each time this setting is used
3987				the specified text is appended to the per-unit data buffer, followed by a newline character (thus every use
3988				appends a new line to the end of the buffer). Note that leading and trailing whitespace of lines configured
3989				with this option is removed. If an empty line is specified the buffer is cleared (hence, in order to insert an
3990				empty line, add an additional C<\\n> to the end or beginning of a line).
3991
3992				C<StandardInputData> accepts arbitrary binary data, encoded in
3993				L<Base64\|https://tools.ietf.org/html/rfc2045#section-6.8>. No escape sequences or specifiers are
3994				resolved. Any whitespace in the encoded version is ignored during decoding.
3995
3996				Note that C<StandardInputText> and C<StandardInputData> operate on the
3997				same data buffer, and may be mixed in order to configure both binary and textual data for the same input
3998				stream. The textual or binary data is joined strictly in the order the settings appear in the unit
3999				file. Assigning an empty string to either will reset the data buffer.
4000
4001				Please keep in mind that in order to maintain readability long unit file settings may be split into
4002				multiple lines, by suffixing each line (except for the last) with a C<\\> character (see
4003				L<systemd.unit(5)> for
4004				details). This is particularly useful for large data configured with these two options. Example:',
4005				'type' => 'leaf',
4006				'value_type' => 'uniline'
4007				},
4008				'LogLevelMax',
4009				{
4010				'description' => 'Configures filtering by log level of log messages generated by this unit. Takes a
4011				syslog log level, one of C<emerg> (lowest log level, only highest priority
4012				messages), C<alert>, C<crit>, C<err>, C<warning>,
4013				C<notice>, C<info>, C<debug> (highest log level, also lowest priority
4014				messages). See L<syslog(3)> for
4015				details. By default no filtering is applied (i.e. the default maximum log level is C<debug>). Use
4016				this option to configure the logging system to drop log messages of a specific service above the specified
4017				level. For example, set C<LogLevelMax>C<info> in order to turn off debug logging
4018				of a particularly chatty unit. Note that the configured level is applied to any log messages written by any
4019				of the processes belonging to this unit, as well as any log messages written by the system manager process
4020				(PID 1) in reference to this unit, sent via any supported logging protocol. The filtering is applied
4021				early in the logging pipeline, before any kind of further processing is done. Moreover, messages which pass
4022				through this filter successfully might still be dropped by filters applied at a later stage in the logging
4023				subsystem. For example, C<MaxLevelStore> configured in
4024				L<journald.conf(5)> might
4025				prohibit messages of higher log levels to be stored on disk, even though the per-unit
4026				C<LogLevelMax> permitted it to be processed.',
4027				'type' => 'leaf',
4028				'value_type' => 'uniline'
4029				},
4030				'LogExtraFields',
4031				{
4032				'description' => 'Configures additional log metadata fields to include in all log records generated by
4033				processes associated with this unit. This setting takes one or more journal field assignments in the
4034				format C<FIELD=VALUE> separated by whitespace. See
4035				L<systemd.journal-fields(7)>
4036				for details on the journal field concept. Even though the underlying journal implementation permits
4037				binary field values, this setting accepts only valid UTF-8 values. To include space characters in a
4038				journal field value, enclose the assignment in double quotes (").
4039				The usual specifiers are expanded in all assignments (see below). Note that this setting is not only
4040				useful for attaching additional metadata to log records of a unit, but given that all fields and
4041				values are indexed may also be used to implement cross-unit log record matching. Assign an empty
4042				string to reset the list.',
4043				'type' => 'leaf',
4044				'value_type' => 'uniline'
4045				},
4046				'LogRateLimitIntervalSec',
4047				{
4048				'description' => 'Configures the rate limiting that is applied to messages generated by this unit. If, in the
4049				time interval defined by C<LogRateLimitIntervalSec>, more messages than specified in
4050				C<LogRateLimitBurst> are logged by a service, all further messages within the interval are
4051				dropped until the interval is over. A message about the number of dropped messages is generated. The time
4052				specification for C<LogRateLimitIntervalSec> may be specified in the following units: "s",
4053				"min", "h", "ms", "us" (see
4054				L<systemd.time(7)> for details).
4055				The default settings are set by C<RateLimitIntervalSec> and C<RateLimitBurst>
4056				configured in L<journald.conf(5)>.
4057				',
4058				'type' => 'leaf',
4059				'value_type' => 'uniline'
4060				},
4061				'LogRateLimitBurst',
4062				{
4063				'description' => 'Configures the rate limiting that is applied to messages generated by this unit. If, in the
4064				time interval defined by C<LogRateLimitIntervalSec>, more messages than specified in
4065				C<LogRateLimitBurst> are logged by a service, all further messages within the interval are
4066				dropped until the interval is over. A message about the number of dropped messages is generated. The time
4067				specification for C<LogRateLimitIntervalSec> may be specified in the following units: "s",
4068				"min", "h", "ms", "us" (see
4069				L<systemd.time(7)> for details).
4070				The default settings are set by C<RateLimitIntervalSec> and C<RateLimitBurst>
4071				configured in L<journald.conf(5)>.
4072				',
4073				'type' => 'leaf',
4074				'value_type' => 'uniline'
4075				},
4076				'LogNamespace',
4077				{
4078				'description' => 'Run the unit\'s processes in the specified journal namespace. Expects a short
4079				user-defined string identifying the namespace. If not used the processes of the service are run in
4080				the default journal namespace, i.e. their log stream is collected and processed by
4081				C<systemd-journald.service>. If this option is used any log data generated by
4082				processes of this unit (regardless if via the syslog(), journal native logging
4083				or stdout/stderr logging) is collected and processed by an instance of the
4084				C<systemd-journald@.service> template unit, which manages the specified
4085				namespace. The log data is stored in a data store independent from the default log namespace\'s data
4086				store. See
4087				L<systemd-journald.service(8)>
4088				for details about journal namespaces.
4089
4090				Internally, journal namespaces are implemented through Linux mount namespacing and
4091				over-mounting the directory that contains the relevant C<AF_UNIX> sockets used for
4092				logging in the unit\'s mount namespace. Since mount namespaces are used this setting disconnects
4093				propagation of mounts from the unit\'s processes to the host, similarly to how
4094				C<ReadOnlyPaths> and similar settings describe above work. Journal namespaces may hence
4095				not be used for services that need to establish mount points on the host.
4096
4097				When this option is used the unit will automatically gain ordering and requirement dependencies
4098				on the two socket units associated with the C<systemd-journald@.service> instance
4099				so that they are automatically established prior to the unit starting up. Note that when this option
4100				is used log output of this service does not appear in the regular
4101				L<journalctl(1)>
4102				output, unless the C<--namespace=> option is used.',
4103				'type' => 'leaf',
4104				'value_type' => 'uniline'
4105				},
4106				'SyslogIdentifier',
4107				{
4108				'description' => 'Sets the process name ("syslog tag") to prefix log lines sent to
4109				the logging system or the kernel log buffer with. If not set, defaults to the process name of the
4110				executed process. This option is only useful when C<StandardOutput> or
4111				C<StandardError> are set to C<journal> or C<kmsg> (or to
4112				the same settings in combination with C<+console>) and only applies to log messages
4113				written to stdout or stderr.',
4114				'type' => 'leaf',
4115				'value_type' => 'uniline'
4116				},
4117				'SyslogFacility',
4118				{
4119				'description' => 'Sets the syslog facility identifier to use when logging. One of
4120				C<kern>, C<user>, C<mail>, C<daemon>,
4121				C<auth>, C<syslog>, C<lpr>, C<news>,
4122				C<uucp>, C<cron>, C<authpriv>, C<ftp>,
4123				C<local0>, C<local1>, C<local2>, C<local3>,
4124				C<local4>, C<local5>, C<local6> or
4125				C<local7>. See L<syslog(3)> for
4126				details. This option is only useful when C<StandardOutput> or
4127				C<StandardError> are set to C<journal> or C<kmsg> (or to
4128				the same settings in combination with C<+console>), and only applies to log messages
4129				written to stdout or stderr. Defaults to C<daemon>.',
4130				'type' => 'leaf',
4131				'value_type' => 'uniline'
4132				},
4133				'SyslogLevel',
4134				{
4135				'description' => 'The default syslog log level to use when logging to the logging system or
4136				the kernel log buffer. One of C<emerg>, C<alert>, C<crit>,
4137				C<err>, C<warning>, C<notice>, C<info>,
4138				C<debug>. See L<syslog(3)> for
4139				details. This option is only useful when C<StandardOutput> or
4140				C<StandardError> are set to C<journal> or
4141				C<kmsg> (or to the same settings in combination with C<+console>), and only applies
4142				to log messages written to stdout or stderr. Note that individual lines output by executed processes may be
4143				prefixed with a different log level which can be used to override the default log level specified here. The
4144				interpretation of these prefixes may be disabled with C<SyslogLevelPrefix>, see below. For
4145				details, see L<sd-daemon(3)>.
4146				Defaults to C<info>.',
4147				'type' => 'leaf',
4148				'value_type' => 'uniline'
4149				},
4150				'SyslogLevelPrefix',
4151				{
4152				'description' => 'Takes a boolean argument. If true and C<StandardOutput> or
4153				C<StandardError> are set to C<journal> or C<kmsg> (or to
4154				the same settings in combination with C<+console>), log lines written by the executed
4155				process that are prefixed with a log level will be processed with this log level set but the prefix
4156				removed. If set to false, the interpretation of these prefixes is disabled and the logged lines are
4157				passed on as-is. This only applies to log messages written to stdout or stderr. For details about
4158				this prefixing see
4159				L<sd-daemon(3)>.
4160				Defaults to true.',
4161				'type' => 'leaf',
4162				'value_type' => 'boolean',
4163				'write_as' => [
4164				'no',
4165				'yes'
4166				]
4167				},
4168				'TTYPath',
4169				{
4170				'description' => 'Sets the terminal device node to use if standard input, output, or error are connected to a TTY
4171				(see above). Defaults to C</dev/console>.',
4172				'type' => 'leaf',
4173				'value_type' => 'uniline'
4174				},
4175				'TTYReset',
4176				{
4177				'description' => 'Reset the terminal device specified with C<TTYPath> before and after
4178				execution. Defaults to C<no>.',
4179				'type' => 'leaf',
4180				'value_type' => 'uniline'
4181				},
4182				'TTYVHangup',
4183				{
4184				'description' => 'Disconnect all clients which have opened the terminal device specified with
4185				C<TTYPath> before and after execution. Defaults to C<no>.',
4186				'type' => 'leaf',
4187				'value_type' => 'uniline'
4188				},
4189				'TTYRows',
4190				{
4191				'description' => 'Configure the size of the TTY specified with C<TTYPath>. If unset or
4192				set to the empty string, the kernel default is used.',
4193				'type' => 'leaf',
4194				'value_type' => 'uniline'
4195				},
4196				'TTYColumns',
4197				{
4198				'description' => 'Configure the size of the TTY specified with C<TTYPath>. If unset or
4199				set to the empty string, the kernel default is used.',
4200				'type' => 'leaf',
4201				'value_type' => 'uniline'
4202				},
4203				'TTYVTDisallocate',
4204				{
4205				'description' => 'If the terminal device specified with C<TTYPath> is a virtual console
4206				terminal, try to deallocate the TTY before and after execution. This ensures that the screen and scrollback
4207				buffer is cleared. Defaults to C<no>.',
4208				'type' => 'leaf',
4209				'value_type' => 'uniline'
4210				},
4211				'LoadCredential',
4212				{
4213				'description' => "Pass a credential to the unit. Credentials are limited-size binary or textual objects
4214				that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
4215				public and private) or certificates, user account information or identity information from host to
4216				services. The data is accessible from the unit's processes via the file system, at a read-only
4217				location that (if possible and permitted) is backed by non-swappable memory. The data is only
4218				accessible to the user associated with the unit, via the
4219				C<User>/C<DynamicUser> settings (as well as the superuser). When
4220				available, the location of credentials is exported as the C<\$CREDENTIALS_DIRECTORY>
4221				environment variable to the unit's processes.
4222
4223				The C<LoadCredential> setting takes a textual ID to use as name for a
4224				credential plus a file system path, separated by a colon. The ID must be a short ASCII string
4225				suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
4226				is absolute it is opened as regular file and the credential data is read from it. If the absolute
4227				path refers to an C<AF_UNIX> stream socket in the file system a connection is made
4228				to it (only once at unit start-up) and the credential data read from the connection, providing an
4229				easy IPC integration point for dynamically transferring credentials from other services.
4230
4231				If the specified path is not absolute and itself qualifies as valid credential identifier it is
4232				attempted to find a credential that the service manager itself received under the specified name \x{2014}
4233				which may be used to propagate credentials from an invoking environment (e.g. a container manager
4234				that invoked the service manager) into a service. If no matching system credential is found, the
4235				directories C</etc/credstore/>, C</run/credstore/> and
4236				C</usr/lib/credstore/> are searched for files under the credential's name \x{2014} which
4237				hence are recommended locations for credential data on disk. If
4238				C<LoadCredentialEncrypted> is used C</run/credstore.encrypted/>,
4239				C</etc/credstore.encrypted/>, and
4240				C</usr/lib/credstore.encrypted/> are searched as well.
4241
4242				If the file system path is omitted it is chosen identical to the credential name, i.e. this is
4243				a terse way to declare credentials to inherit from the service manager into a service. This option
4244				may be used multiple times, each time defining an additional credential to pass to the unit.
4245
4246				If an absolute path referring to a directory is specified, every file in that directory
4247				(recursively) will be loaded as a separate credential. The ID for each credential will be the
4248				provided ID suffixed with C<_\$FILENAME> (e.g., C<Key_file1>). When
4249				loading from a directory, symlinks will be ignored.
4250
4251				The contents of the file/socket may be arbitrary binary or textual data, including newline
4252				characters and C<NUL> bytes.
4253
4254				The C<LoadCredentialEncrypted> setting is identical to
4255				C<LoadCredential>, except that the credential data is decrypted and authenticated
4256				before being passed on to the executed processes. Specifically, the referenced path should refer to a
4257				file or socket with an encrypted credential, as implemented by
4258				L<systemd-creds(1)>. This
4259				credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
4260				in the same way a regular credential specified via C<LoadCredential> would be. A
4261				credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
4262				from the system's TPM2 security chip, or with a secret key stored in
4263				C</var/lib/systemd/credentials.secret>, or with both. Using encrypted and
4264				authenticated credentials improves security as credentials are not stored in plaintext and only
4265				authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
4266				credentials may be bound to the local hardware and installations, so that they cannot easily be
4267				analyzed offline, or be generated externally.
4268
4269				The credential files/IPC sockets must be accessible to the service manager, but don't have to
4270				be directly accessible to the unit's processes: the credential data is read and copied into separate,
4271				read-only copies for the unit that are accessible to appropriately privileged processes. This is
4272				particularly useful in combination with C<DynamicUser> as this way privileged data
4273				can be made available to processes running under a dynamic UID (i.e. not a previously known one)
4274				without having to open up access to all users.
4275
4276				In order to reference the path a credential may be read from within a
4277				C<ExecStart> command line use C<\${CREDENTIALS_DIRECTORY}/mycred>,
4278				e.g. C<ExecStart=cat \${CREDENTIALS_DIRECTORY}/mycred>. In order to reference the path
4279				a credential may be read from within a C<Environment> line use
4280				C<%d/mycred>, e.g. C<Environment=MYCREDPATH=%d/mycred>.
4281
4282				Currently, an accumulated credential size limit of 1 MB per unit is enforced.
4283
4284				The service manager itself may receive system credentials that can be propagated to services
4285				from a hosting container manager or VM hypervisor. See the L<Container
4286				Interface\|https://systemd.io/CONTAINER_INTERFACE> documentation for details
4287				about the former. For the latter, pass L<DMI/SMBIOS\|https://www.dmtf.org/standards/smbios> OEM string table entries
4288				(field type
4289				11) with a prefix of C<io.systemd.credential:> or
4290				C<io.systemd.credential.binary:>. In both cases a key/value pair separated by
4291				C<=> is expected, in the latter case the right-hand side is Base64 decoded when
4292				parsed (thus permitting binary data to be passed in). Example qemu switch: C<-smbios
4293				type=11,value=io.systemd.credential:xx=yy>, or C<-smbios
4294				type=11,value=io.systemd.credential.binary:rick=TmV2ZXIgR29ubmEgR2l2ZSBZb3UgVXA=>. Alternatively,
4295				use the qemu C<fw_cfg> node
4296				C<opt/io.systemd.credentials/>. Example qemu switch: C<-fw_cfg
4297				name=opt/io.systemd.credentials/mycred,string=supersecret>. They may also be specified on
4298				the kernel command line using the C<systemd.set_credential=> switch (see
4299				L<systemd(1)>) and from
4300				the UEFI firmware environment via
4301				L<systemd-stub(7)>.
4302
4303				If referencing an C<AF_UNIX> stream socket to connect to, the connection will
4304				originate from an abstract namespace socket, that includes information about the unit and the
4305				credential ID in its socket name. Use L<getpeername(2)>
4306				to query this information. The returned socket name is formatted as C<NUL>RANDOM C</unit/> UNITC</> ID, i.e. a C<NUL>
4307				byte (as required
4308				for abstract namespace socket names), followed by a random string (consisting of alphadecimal
4309				characters), followed by the literal string C</unit/>, followed by the requesting
4310				unit name, followed by the literal character C</>, followed by the textual credential
4311				ID requested. Example: C<\\0adf9d86b6eda275e/unit/foobar.service/credx> in case the
4312				credential C<credx> is requested for a unit C<foobar.service>. This
4313				functionality is useful for using a single listening socket to serve credentials to multiple
4314				consumers.
4315
4316				For further information see L<System and Service
4317				Credentials\|https://systemd.io/CREDENTIALS> documentation.",
4318				'type' => 'leaf',
4319				'value_type' => 'uniline'
4320				},
4321				'LoadCredentialEncrypted',
4322				{
4323				'description' => "Pass a credential to the unit. Credentials are limited-size binary or textual objects
4324				that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
4325				public and private) or certificates, user account information or identity information from host to
4326				services. The data is accessible from the unit's processes via the file system, at a read-only
4327				location that (if possible and permitted) is backed by non-swappable memory. The data is only
4328				accessible to the user associated with the unit, via the
4329				C<User>/C<DynamicUser> settings (as well as the superuser). When
4330				available, the location of credentials is exported as the C<\$CREDENTIALS_DIRECTORY>
4331				environment variable to the unit's processes.
4332
4333				The C<LoadCredential> setting takes a textual ID to use as name for a
4334				credential plus a file system path, separated by a colon. The ID must be a short ASCII string
4335				suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
4336				is absolute it is opened as regular file and the credential data is read from it. If the absolute
4337				path refers to an C<AF_UNIX> stream socket in the file system a connection is made
4338				to it (only once at unit start-up) and the credential data read from the connection, providing an
4339				easy IPC integration point for dynamically transferring credentials from other services.
4340
4341				If the specified path is not absolute and itself qualifies as valid credential identifier it is
4342				attempted to find a credential that the service manager itself received under the specified name \x{2014}
4343				which may be used to propagate credentials from an invoking environment (e.g. a container manager
4344				that invoked the service manager) into a service. If no matching system credential is found, the
4345				directories C</etc/credstore/>, C</run/credstore/> and
4346				C</usr/lib/credstore/> are searched for files under the credential's name \x{2014} which
4347				hence are recommended locations for credential data on disk. If
4348				C<LoadCredentialEncrypted> is used C</run/credstore.encrypted/>,
4349				C</etc/credstore.encrypted/>, and
4350				C</usr/lib/credstore.encrypted/> are searched as well.
4351
4352				If the file system path is omitted it is chosen identical to the credential name, i.e. this is
4353				a terse way to declare credentials to inherit from the service manager into a service. This option
4354				may be used multiple times, each time defining an additional credential to pass to the unit.
4355
4356				If an absolute path referring to a directory is specified, every file in that directory
4357				(recursively) will be loaded as a separate credential. The ID for each credential will be the
4358				provided ID suffixed with C<_\$FILENAME> (e.g., C<Key_file1>). When
4359				loading from a directory, symlinks will be ignored.
4360
4361				The contents of the file/socket may be arbitrary binary or textual data, including newline
4362				characters and C<NUL> bytes.
4363
4364				The C<LoadCredentialEncrypted> setting is identical to
4365				C<LoadCredential>, except that the credential data is decrypted and authenticated
4366				before being passed on to the executed processes. Specifically, the referenced path should refer to a
4367				file or socket with an encrypted credential, as implemented by
4368				L<systemd-creds(1)>. This
4369				credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
4370				in the same way a regular credential specified via C<LoadCredential> would be. A
4371				credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
4372				from the system's TPM2 security chip, or with a secret key stored in
4373				C</var/lib/systemd/credentials.secret>, or with both. Using encrypted and
4374				authenticated credentials improves security as credentials are not stored in plaintext and only
4375				authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
4376				credentials may be bound to the local hardware and installations, so that they cannot easily be
4377				analyzed offline, or be generated externally.
4378
4379				The credential files/IPC sockets must be accessible to the service manager, but don't have to
4380				be directly accessible to the unit's processes: the credential data is read and copied into separate,
4381				read-only copies for the unit that are accessible to appropriately privileged processes. This is
4382				particularly useful in combination with C<DynamicUser> as this way privileged data
4383				can be made available to processes running under a dynamic UID (i.e. not a previously known one)
4384				without having to open up access to all users.
4385
4386				In order to reference the path a credential may be read from within a
4387				C<ExecStart> command line use C<\${CREDENTIALS_DIRECTORY}/mycred>,
4388				e.g. C<ExecStart=cat \${CREDENTIALS_DIRECTORY}/mycred>. In order to reference the path
4389				a credential may be read from within a C<Environment> line use
4390				C<%d/mycred>, e.g. C<Environment=MYCREDPATH=%d/mycred>.
4391
4392				Currently, an accumulated credential size limit of 1 MB per unit is enforced.
4393
4394				The service manager itself may receive system credentials that can be propagated to services
4395				from a hosting container manager or VM hypervisor. See the L<Container
4396				Interface\|https://systemd.io/CONTAINER_INTERFACE> documentation for details
4397				about the former. For the latter, pass L<DMI/SMBIOS\|https://www.dmtf.org/standards/smbios> OEM string table entries
4398				(field type
4399				11) with a prefix of C<io.systemd.credential:> or
4400				C<io.systemd.credential.binary:>. In both cases a key/value pair separated by
4401				C<=> is expected, in the latter case the right-hand side is Base64 decoded when
4402				parsed (thus permitting binary data to be passed in). Example qemu switch: C<-smbios
4403				type=11,value=io.systemd.credential:xx=yy>, or C<-smbios
4404				type=11,value=io.systemd.credential.binary:rick=TmV2ZXIgR29ubmEgR2l2ZSBZb3UgVXA=>. Alternatively,
4405				use the qemu C<fw_cfg> node
4406				C<opt/io.systemd.credentials/>. Example qemu switch: C<-fw_cfg
4407				name=opt/io.systemd.credentials/mycred,string=supersecret>. They may also be specified on
4408				the kernel command line using the C<systemd.set_credential=> switch (see
4409				L<systemd(1)>) and from
4410				the UEFI firmware environment via
4411				L<systemd-stub(7)>.
4412
4413				If referencing an C<AF_UNIX> stream socket to connect to, the connection will
4414				originate from an abstract namespace socket, that includes information about the unit and the
4415				credential ID in its socket name. Use L<getpeername(2)>
4416				to query this information. The returned socket name is formatted as C<NUL>RANDOM C</unit/> UNITC</> ID, i.e. a C<NUL>
4417				byte (as required
4418				for abstract namespace socket names), followed by a random string (consisting of alphadecimal
4419				characters), followed by the literal string C</unit/>, followed by the requesting
4420				unit name, followed by the literal character C</>, followed by the textual credential
4421				ID requested. Example: C<\\0adf9d86b6eda275e/unit/foobar.service/credx> in case the
4422				credential C<credx> is requested for a unit C<foobar.service>. This
4423				functionality is useful for using a single listening socket to serve credentials to multiple
4424				consumers.
4425
4426				For further information see L<System and Service
4427				Credentials\|https://systemd.io/CREDENTIALS> documentation.",
4428				'type' => 'leaf',
4429				'value_type' => 'uniline'
4430				},
4431				'SetCredential',
4432				{
4433				'description' => 'The C<SetCredential> setting is similar to
4434				C<LoadCredential> but accepts a literal value to use as data for the credential,
4435				instead of a file system path to read the data from. Do not use this option for data that is supposed
4436				to be secret, as it is accessible to unprivileged processes via IPC. It\'s only safe to use this for
4437				user IDs, public key material and similar non-sensitive data. For everything else use
4438				C<LoadCredential>. In order to embed binary data into the credential data use
4439				C-style escaping (i.e. C<\\n> to embed a newline, or C<\\x00> to embed
4440				a C<NUL> byte).
4441
4442				The C<SetCredentialEncrypted> setting is identical to
4443				C<SetCredential> but expects an encrypted credential in literal form as value. This
4444				allows embedding confidential credentials securely directly in unit files. Use
4445				L<systemd-creds(1)>\'
4446				C<-p> switch to generate suitable C<SetCredentialEncrypted> lines
4447				directly from plaintext credentials. For further details see
4448				C<LoadCredentialEncrypted> above.
4449
4450				If a credential of the same ID is listed in both C<LoadCredential> and
4451				C<SetCredential>, the latter will act as default if the former cannot be
4452				retrieved. In this case not being able to retrieve the credential from the path specified in
4453				C<LoadCredential> is not considered fatal.',
4454				'type' => 'leaf',
4455				'value_type' => 'uniline'
4456				},
4457				'SetCredentialEncrypted',
4458				{
4459				'description' => 'The C<SetCredential> setting is similar to
4460				C<LoadCredential> but accepts a literal value to use as data for the credential,
4461				instead of a file system path to read the data from. Do not use this option for data that is supposed
4462				to be secret, as it is accessible to unprivileged processes via IPC. It\'s only safe to use this for
4463				user IDs, public key material and similar non-sensitive data. For everything else use
4464				C<LoadCredential>. In order to embed binary data into the credential data use
4465				C-style escaping (i.e. C<\\n> to embed a newline, or C<\\x00> to embed
4466				a C<NUL> byte).
4467
4468				The C<SetCredentialEncrypted> setting is identical to
4469				C<SetCredential> but expects an encrypted credential in literal form as value. This
4470				allows embedding confidential credentials securely directly in unit files. Use
4471				L<systemd-creds(1)>\'
4472				C<-p> switch to generate suitable C<SetCredentialEncrypted> lines
4473				directly from plaintext credentials. For further details see
4474				C<LoadCredentialEncrypted> above.
4475
4476				If a credential of the same ID is listed in both C<LoadCredential> and
4477				C<SetCredential>, the latter will act as default if the former cannot be
4478				retrieved. In this case not being able to retrieve the credential from the path specified in
4479				C<LoadCredential> is not considered fatal.',
4480				'type' => 'leaf',
4481				'value_type' => 'uniline'
4482				},
4483				'UtmpIdentifier',
4484				{
4485				'description' => 'Takes a four character identifier string for an L<utmp(5)> and wtmp entry
4486				for this service. This should only be set for services such as getty implementations (such
4487				as L<agetty(8)>) where utmp/wtmp
4488				entries must be created and cleared before and after execution, or for services that shall be executed as if
4489				they were run by a getty process (see below). If the configured string is longer than four
4490				characters, it is truncated and the terminal four characters are used. This setting interprets %I style string
4491				replacements. This setting is unset by default, i.e. no utmp/wtmp entries are created or cleaned up for this
4492				service.',
4493				'type' => 'leaf',
4494				'value_type' => 'uniline'
4495				},
4496				'UtmpMode',
4497				{
4498				'choice' => [
4499				'init',
4500				'login',
4501				'user'
4502				],
4503				'description' => 'Takes one of C<init>, C<login> or C<user>. If
4504				C<UtmpIdentifier> is set, controls which type of L<utmp(5)>/wtmp entries
4505				for this service are generated. This setting has no effect unless C<UtmpIdentifier> is set
4506				too. If C<init> is set, only an C<INIT_PROCESS> entry is generated and the
4507				invoked process must implement a getty-compatible utmp/wtmp logic. If
4508				C<login> is set, first an C<INIT_PROCESS> entry, followed by a
4509				C<LOGIN_PROCESS> entry is generated. In this case, the invoked process must implement a
4510				L<login(1)>-compatible
4511				utmp/wtmp logic. If C<user> is set, first an C<INIT_PROCESS> entry, then a
4512				C<LOGIN_PROCESS> entry and finally a C<USER_PROCESS> entry is
4513				generated. In this case, the invoked process may be any process that is suitable to be run as session
4514				leader. Defaults to C<init>.',
4515				'type' => 'leaf',
4516				'value_type' => 'enum'
4517				}
4518				],
4519				'generated_by' => 'parse-man.pl from systemd 252 doc',
4520				'license' => 'LGPLv2.1+',
4521				'name' => 'Systemd::Common::Exec'
4522				}
4523				]
4524				;
4525