Settings for systemd units

Systemd allows fine-grained customization of units through so-called properties. These properties, or settings, influence what a unit, such as a service, can or cannot do. As there is a wide range of settings, this page presents them, with a quick reference to each.

| Setting | Description | Available since |
|---|---|---|
| DeviceAllow | Define level of access to devices in /dev | 208 |
| DevicePolicy | Define level of access to devices in /dev | 208 |
| InaccessiblePaths | Define paths that should not be accessible | 231 |
| MemoryDenyWriteExecute | Block creation or alteration of memory segments to become writable and executable as well | 231 |
| ProcSubset | Define the subset of access by unit to /proc | 247 |
| ProtectHome | Define what level of access is possible to home directories | 214 |
| ProtectKernelLogs | Define if service may read or write to the kernel log ring buffer | 244 |
| ProtectKernelModules | Define if kernel modules may be loaded | 232 |
| ProtectProc | Control the 'hidepid' mount option to define what information from /proc is available | 247 |
| ReadWritePaths | Define paths that can be opened to read from and write to new or existing files | 231 |
| RestrictAddressFamilies | Control what socket address families can be used by a unit | 211 |
| SocketBindAllow | Define which address families, transport protocols, and/or ports are allowed to bind() to a socket | 249 |
| SocketBindDeny | Restricts address families, transport protocols, and/or ports to bind() to a socket | 249 |
| SystemCallFilter | Define what syscalls are allowed or forbidden to be used by a process | 187 |