Settings for systemd units
Systemd allows fine-grained customization of units by defining so-called properties. These properties or settings influence what a unit, such as a service, can or cannot do. As there is a wide range of settings, this page presents them as a quick reference, with a short description of each and the systemd version in which it became available (where known).
Setting | Description | Available since |
---|---|---|
CapabilityBoundingSet | Define what capabilities are allowed within the service unit | |
DeviceAllow | Define which devices in /dev the unit may access, and at what level (read, write, mknod) | 208 |
DevicePolicy | Define the general policy for device access in /dev, to which DeviceAllow entries add exceptions | 208 |
ExecPaths | Define the paths from which programs can be executed | 231 |
InaccessiblePaths | Define paths that should not be accessible | 231 |
LockPersonality | Prevent processes switching their personality, a kernel execution domain | 235 |
MemoryDenyWriteExecute | Block creation or alteration of memory segments to become writable and executable as well | 231 |
NoExecPaths | Exclude paths from which programs can be executed | 231 |
NoNewPrivileges | Prevent processes from gaining new privileges | 187 |
PrivateDevices | Only allow access to a subset of devices in /dev | 209 |
PrivateTmp | Define new namespace for /tmp and /var/tmp directory | |
ProcSubset | Define the subset of access by unit to /proc | 247 |
ProtectClock | Limit access to clock information | 245 |
ProtectControlGroups | Limit write access to control groups directory structure under /sys/fs/cgroup | 232 |
ProtectHome | Define what level of access is possible to home directories | 214 |
ProtectKernelLogs | Define if service may read or write to the kernel log ring buffer | 244 |
ProtectKernelModules | Define if kernel modules may be loaded | 232 |
ProtectKernelTunables | Limit access to Linux kernel tunables and make others read-only | 232 |
ProtectProc | Control the 'hidepid' mount option to define what information from /proc is available | 247 |
ProtectSystem | Mark some file system paths as read-only | 214 |
ReadWritePaths | Define paths that can be opened to read from and write to new or existing files | 231 |
RestrictAddressFamilies | Control what socket address families can be used by a unit | 211 |
RestrictNamespaces | Control which namespace types the unit may create or join | 233 |
RestrictRealtime | Limit the ability to use realtime scheduling | 231 |
RestrictSUIDSGID | Limit the ability to use setuid/setgid bits on files | 242 |
RuntimeDirectoryMode | Set the default file permissions for runtime directory, which is defined as RuntimeDirectory | 234 |
SocketBindAllow | Define which address families, transport protocols, and/or ports are allowed to bind() to a socket | 249 |
SocketBindDeny | Define which address families, transport protocols, and/or ports are denied when calling bind() on a socket | 249 |
SystemCallArchitectures | Restrict which system call architectures (ABIs) a process may use | 209 |
SystemCallFilter | Define what syscalls are allowed or forbidden to be used by a process | 187 |
UMask | Set default umask for new files | |
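To show how the settings above combine in practice, the following is an added example of a hardened service unit; it is not taken from the original page or from any particular project. The service name `example-web`, its executable path, its state directory and the port 8080 are placeholders chosen for illustration. Values such as `strict`, `invisible`, `pid`, `native` and `@system-service` are real values accepted by systemd for the respective settings.

```ini
# Added example (not part of the original page): a hardened service unit
# that uses most of the settings from the table. Service name, paths and
# port are placeholders.
[Unit]
Description=Example hardened network service (placeholder)
After=network.target

[Service]
ExecStart=/usr/local/bin/example-web --listen 8080
User=example-web

# Privilege limits: no privilege escalation via setuid/fscaps, and only the
# one capability a non-root listener on a privileged port would need.
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
RestrictSUIDSGID=yes

# File system view: read-only system, no home directories, private /tmp,
# and a single writable state directory carved out of ProtectSystem=strict.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/example-web
RuntimeDirectory=example-web
RuntimeDirectoryMode=0750
UMask=0077

# Devices: private minimal /dev, closed device policy.
PrivateDevices=yes
DevicePolicy=closed

# Kernel interfaces: no tunables, modules, kernel logs, clock or cgroup writes;
# /proc shows only this service's own processes and only pid entries.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectProc=invisible
ProcSubset=pid

# Process behaviour: no namespace creation, realtime scheduling,
# personality changes or writable+executable memory.
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes

# Sockets and syscalls: only IP and Unix sockets, only TCP port 8080 may be
# bound, native ABI only, and the generic service syscall allow-list minus
# privileged and resource-control groups.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SocketBindDeny=any
SocketBindAllow=tcp:8080
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze verify example-web.service` reports syntax and dependency problems, and `systemd-analyze security example-web.service` prints a per-setting exposure score that shows which of the table's settings are still unset for that unit. Because `ProtectSystem=strict` makes the entire file system read-only, every path the service must write to has to be listed in `ReadWritePaths` (or provided via `RuntimeDirectory`), which is the most common cause of a previously working service failing after hardening.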