Settings for systemd units
Systemd allows fine-grained customization of units by defining so-called properties. These properties or settings influence what a unit, such as a service, can or can not do. As their is a wide range of settings, this page has the goal to present them, including a quick reference to each of them.
| Setting | Description | Available since |
|---|---|---|
| DeviceAllow | Define level of access to devices in /dev | 208 |
| DevicePolicy | Define level of access to devices in /dev | 208 |
| InaccessiblePaths | Define paths that should not be accessible | 231 |
| MemoryDenyWriteExecute | Block creation or alteration of memory segments to become writable and executable as well | 231 |
| ProcSubset | Define the subset of access by unit to /proc | 247 |
| ProtectHome | Define what level of access is possible to home directories | 214 |
| ProtectKernelLogs | Define if service may read or write to the kernel log ring buffer | 244 |
| ProtectKernelModules | Define if kernel modules may be loaded | 232 |
| ProtectProc | Control the 'hidepid' mount option to define what information from /proc is available | 247 |
| ReadWritePaths | Define paths that can be opened to read from and write to new or existing files | 231 |
| RestrictAddressFamilies | Control what socket address families can be used by a unit | 211 |
| SocketBindAllow | Define which address families, transport protocols, and/or ports are allowed to bind() to a socket | 249 |
| SocketBindDeny | Restricts address families, transport protocols, and/or ports to bind() to a socket | 249 |
| SystemCallFilter | Define what syscalls are allowed or forbidden to be used by a process | 187 |