# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2024-06-01 06:27+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SYSTEMD\\&.EXEC" msgstr "" #. type: TH #: archlinux fedora-40 mageia-cauldron opensuse-tumbleweed #, no-wrap msgid "systemd 255" msgstr "" #. type: TH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "systemd.exec" msgstr "" #. ----------------------------------------------------------------- #. * MAIN CONTENT STARTS HERE * #. ----------------------------------------------------------------- #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "NAME" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "systemd.exec - Execution environment configuration" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SYNOPSIS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I\\&.service, I\\&.socket, I\\&.mount, I\\&." "swap" msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "DESCRIPTION" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Unit configuration files for services, sockets, mount points, and swap " "devices share a subset of configuration options which define the execution " "environment of spawned processes\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This man page lists the configuration options shared by these four unit " "types\\&. See B(5) for the common options of all unit " "configuration files, and B(5), B(5), " "B(5), and B(5) for more information on the " "specific unit configuration files\\&. The execution specific configuration " "options are configured in the [Service], [Socket], [Mount], or [Swap] " "sections, depending on the unit type\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In addition, options which control resources through Linux Control Groups " "(cgroups) are listed in B(5)\\&. Those options " "complement options listed here\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "IMPLICIT DEPENDENCIES" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "A few execution parameters result in additional, automatic dependencies to " "be added:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Units with I, I, I, " "I, I, I, " "I or I set automatically gain " "dependencies of type I and I on all mount units required " "to access the specified paths\\&. This is equivalent to having them listed " "explicitly in I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Similarly, units with I enabled automatically get mount unit " "dependencies for all mounts required to access /tmp/ and /var/tmp/\\&. They " "will also gain an automatic I dependency on B(8)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Units whose standard output or error output is connected to B or " "B (or their combinations with console output, see below) automatically " "acquire dependencies of type I on systemd-journald\\&.socket\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Units using I will automatically gain ordering and " "requirement dependencies on the two socket units associated with systemd-" "journald@\\&.service instances\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "PATHS" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The following settings may be used to change a service\\*(Aqs view of the " "filesystem\\&. Please note that the paths must be absolute and must not " "contain a \"\\&.\\&.\" path component\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a colon separated list of absolute paths relative to which the " "executable used by the I (e\\&.g\\&. I, I, " "etc\\&.) properties can be found\\&. I overrides I<$PATH> " "if I<$PATH> is not supplied by the user through I, " "I or I\\&. Assigning an empty string " "removes previous assignments and setting I to a value " "multiple times will append to the previous setting\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 250\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a directory path relative to the service\\*(Aqs root directory " "specified by I, or the special value \"~\"\\&. Sets the " "working directory for executed processes\\&. If set to \"~\", the home " "directory of the user specified in I is used\\&. If not set, defaults " "to the root directory when systemd is running as a system instance and the " "respective user\\*(Aqs home directory if run as user\\&. If the setting is " "prefixed with the \"-\" character, a missing working directory is not " "considered fatal\\&. If I/I is not set, then " "I is relative to the root of the system running the " "service manager\\&. Note that setting this parameter might result in " "additional dependencies to be added to the unit (see above)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Takes a directory path relative to the host\\*(Aqs root directory (i\\&." "e\\&. the root of the system running the service manager)\\&. Sets the root " "directory for executed processes, with the B(2) system call\\&. If " "this is used, it must be ensured that the process binary and all its " "auxiliary files are available in the B jail\\&. Note that setting " "this parameter might result in additional dependencies to be added to the " "unit (see above)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The I and I settings are particularly useful in " "conjunction with I\\&. For details, see below\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If I/I are used together with I " "the notification socket is automatically mounted from the host into the root " "environment, to ensure the notification interface can work correctly\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that services using I/I will not be able to " "log via the syslog or journal protocols to the host logging infrastructure, " "unless the relevant sockets are mounted from the host, specifically:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The host\\*(Aqs B(5) file will be made available for the " "service (read-only) as /run/host/os-release\\&. It will be updated " "automatically on soft reboot (see: B(8)), in " "case the service is configured to survive it\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This option is only available for system services, or for services running " "in per-user instances of the service manager in which case I " "is implicitly enabled (requires unprivileged user namespaces support to be " "enabled in the kernel via the \"kernel\\&.unprivileged_userns_clone=\" " "sysctl)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a path to a block device node or regular file as argument\\&. This " "call is similar to I however mounts a file system hierarchy " "from a block device node or loopback file instead of a directory\\&. The " "device node or file system image file needs to contain a file system without " "a partition table, or a file system within an MBR/MS-DOS or GPT partition " "table with only a single Linux-compatible partition, or a set of file " "systems within a GPT partition table that follows the " "\\m[blue]B\\m[]\\&\\s-2\\u[1]\\d\\s+2\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When I is set to \"closed\" or \"strict\", or set to \"auto\" " "and I is set, then this setting adds /dev/loop-control with " "B mode, \"block-loop\" and \"block-blkext\" with B mode to " "I\\&. See B(5) for the details " "about I or I\\&. Also, see I " "below, as it may change the setting of I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Units making use of I automatically gain an I dependency " "on systemd-udevd\\&.service\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This option is only available for system services and is not supported for " "services running in per-user instances of the service manager\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 233\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a comma-separated list of mount options that will be used on disk " "images specified by I\\&. Optionally a partition name can be " "prefixed, followed by colon, in case the image has multiple partitions, " "otherwise partition name \"root\" is implied\\&. Options for multiple " "partitions can be specified in a single line with space separators\\&. " "Assigning an empty string removes previous assignments\\&. Duplicated " "options are ignored\\&. For a list of valid mount options, please refer to " "B(8)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Valid partition names follow the \\m[blue]B\\m[]\\&\\s-2\\u[1]\\d\\s+2: B, B, B, B, " "B, B, B, B\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 247\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If enabled, executed processes will run in an " "ephemeral copy of the root directory or root image\\&. The ephemeral copy is " "placed in /var/lib/systemd/ephemeral-trees/ while the service is active and " "is cleaned up when the service is stopped or restarted\\&. If " "I is used and the root directory is a subvolume, the " "ephemeral copy will be created by making a snapshot of the subvolume\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "To make sure making ephemeral copies can be made efficiently, the root " "directory or root image should be located on the same filesystem as /var/lib/" "systemd/ephemeral-trees/\\&. When using I with root " "directories, B(5) should be used as the filesystem and the root " "directory should ideally be a subvolume which B can snapshot to " "make the ephemeral copy\\&. For root images, a filesystem with support for " "reflinks should be used to ensure an efficient ephemeral copy\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 254\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a data integrity (dm-verity) root hash specified in hexadecimal, or " "the path to a file containing a root hash in ASCII hexadecimal format\\&. " "This option enables data integrity checks using dm-verity, if the used image " "contains the appropriate integrity data (see above) or if I is " "used\\&. The specified hash must match the root hash of integrity data, and " "is usually at least 256 bits (and hence 64 formatted hexadecimal characters) " "long (in case of SHA256 for example)\\&. If this option is not specified, " "but the image file carries the \"user\\&.verity\\&.roothash\" extended file " "attribute (see B(7)), then the root hash is read from it, also as " "formatted hexadecimal characters\\&. If the extended file attribute is not " "found (or is not supported by the underlying file system), but a file with " "the \\&.roothash suffix is found next to the image file, bearing otherwise " "the same name (except if the image has the \\&.raw suffix, in which case the " "root hash file must not have it in its name), the root hash is read from it " "and automatically used, also as formatted hexadecimal characters\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the disk image contains a separate /usr/ partition it may also be Verity " "protected, in which case the root hash may configured via an extended " "attribute \"user\\&.verity\\&.usrhash\" or a \\&.usrhash file adjacent to " "the disk image\\&. There\\*(Aqs currently no option to configure the root " "hash for the /usr/ file system via the unit file directly\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 246\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a PKCS7 signature of the I option as a path to a DER-" "encoded signature file, or as an ASCII base64 string encoding of a DER-" "encoded signature prefixed by \"base64:\"\\&. The dm-verity volume will only " "be opened if the signature of the root hash is valid and signed by a public " "key present in the kernel keyring\\&. If this option is not specified, but a " "file with the \\&.roothash\\&.p7s suffix is found next to the image file, " "bearing otherwise the same name (except if the image has the \\&.raw suffix, " "in which case the signature file must not have it in its name), the " "signature is read from it and automatically used\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the disk image contains a separate /usr/ partition it may also be Verity " "protected, in which case the signature for the root hash may configured via " "a \\&.usrhash\\&.p7s file adjacent to the disk image\\&. There\\*(Aqs " "currently no option to configure the root hash signature for the /usr/ via " "the unit file directly\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes the path to a data integrity (dm-verity) file\\&. This option enables " "data integrity checks using dm-verity, if I is used and a root-" "hash is passed and if the used image itself does not contain the integrity " "data\\&. The integrity data must be matched by the root hash\\&. If this " "option is not specified, but a file with the \\&.verity suffix is found next " "to the image file, bearing otherwise the same name (except if the image has " "the \\&.raw suffix, in which case the verity data file must not have it in " "its name), the verity data is read from it and automatically used\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This option is supported only for disk images that contain a single file " "system, without an enveloping partition table\\&. Images that contain a GPT " "partition table should instead include both root file system and matching " "Verity data in the same image, implementing the \\m[blue]B\\m[]\\&\\s-2\\u[1]\\d\\s+2\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I, I, I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes an image policy string as per B(7) to use when " "mounting the disk images (DDI) specified in I, I, " "I, respectively\\&. If not specified the following policy " "string is the default for I and I:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "root=verity+signed+encrypted+unprotected+absent: \\e\n" " usr=verity+signed+encrypted+unprotected+absent: \\e\n" " home=encrypted+unprotected+absent: \\e\n" " srv=encrypted+unprotected+absent: \\e\n" " tmp=encrypted+unprotected+absent: \\e\n" " var=encrypted+unprotected+absent\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "The default policy for I is:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "root=verity+signed+encrypted+unprotected+absent: \\e\n" " usr=verity+signed+encrypted+unprotected+absent\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If on, a private mount namespace for the " "unit\\*(Aqs processes is created and the API file systems /proc/, /sys/, /" "dev/ and /run/ (as an empty \"tmpfs\") are mounted inside of it, unless they " "are already mounted\\&. Note that this option has no effect unless used in " "conjunction with I/I as these four mounts are " "generally mounted in the host anyway, and unless the root directory is " "changed, the private mount namespace will be a 1:1 copy of the host\\*(Aqs, " "and include these four mounts\\&. Note that the /dev/ file system of the " "host is bind mounted if this option is used without I\\&. " "To run the service with a private, minimal version of /dev/, combine this " "option with I\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In order to allow propagating mounts at runtime in a safe manner, /run/" "systemd/propagate/ on the host will be used to set up new mounts, and /run/" "host/incoming/ in the private namespace will be used as an intermediate step " "to store them before being moved to the final mount point\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes one of \"noaccess\", \"invisible\", \"ptraceable\" or \"default\" " "(which it defaults to)\\&. When set, this controls the \"hidepid=\" mount " "option of the \"procfs\" instance for the unit that controls which " "directories with process metainformation (/proc/I) are visible and " "accessible: when set to \"noaccess\" the ability to access most of other " "users\\*(Aq process metadata in /proc/ is taken away for processes of the " "service\\&. When set to \"invisible\" processes owned by other users are " "hidden from /proc/\\&. If \"ptraceable\" all processes that cannot be " "B\\*(Aqed by a process are hidden to it\\&. If \"default\" no " "restrictions on /proc/ access or visibility are made\\&. For further details " "see \\m[blue]B\\m[]\\&\\s-2\\u[2]\\d\\s+2\\&. It is " "generally recommended to run most system services with this option set to " "\"invisible\"\\&. This option is implemented via file system namespacing, " "and thus cannot be used with services that shall be able to install mount " "points in the host file system hierarchy\\&. Note that the root user is " "unaffected by this option, so to be effective it has to be used together " "with I or I, and also without the \"CAP_SYS_PTRACE\" " "capability, which also allows a process to bypass this feature\\&. It cannot " "be used for services that need to access metainformation about other " "users\\*(Aq processes\\&. This option implies I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the kernel doesn\\*(Aqt support per-mount point B mount options " "this setting remains without effect, and the unit\\*(Aqs processes will be " "able to access and see other process as if the option was not used\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes one of \"all\" (the default) and \"pid\"\\&. If \"pid\", all files and " "directories not directly associated with process management and " "introspection are made invisible in the /proc/ file system configured for " "the unit\\*(Aqs processes\\&. This controls the \"subset=\" mount option of " "the \"procfs\" instance for the unit\\&. For further details see " "\\m[blue]B\\m[]\\&\\s-2\\u[2]\\d\\s+2\\&. Note that " "Linux exposes various kernel APIs via /proc/, which are made unavailable " "with this setting\\&. Since these APIs are used frequently this option is " "useful only in a few, specific cases, and is not suitable for most non-" "trivial programs\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Much like I above, this is implemented via file system mount " "namespacing, and hence the same restrictions apply: it is only available to " "system services, it disables mount propagation to the host mount table, and " "it implies I\\&. Also, like I this setting is " "gracefully disabled if the used kernel does not support the \"subset=\" " "mount option of \"procfs\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I, I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Configures unit-specific bind mounts\\&. A bind mount makes a particular " "file or directory available at an additional place in the unit\\*(Aqs view " "of the file system\\&. Any bind mounts created with this option are specific " "to the unit, and are not visible in the host\\*(Aqs mount table\\&. This " "option expects a whitespace separated list of bind mount definitions\\&. " "Each definition consists of a colon-separated triple of source path, " "destination path and option string, where the latter two are optional\\&. If " "only a source path is specified the source and destination is taken to be " "the same\\&. The option string may be either \"rbind\" or \"norbind\" for " "configuring a recursive or non-recursive bind mount\\&. If the destination " "path is omitted, the option string must be omitted too\\&. Each bind mount " "definition may be prefixed with \"-\", in which case it will be ignored when " "its source path does not exist\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I creates regular writable bind mounts (unless the source file " "system mount is already marked read-only), while I " "creates read-only bind mounts\\&. These settings may be used more than once, " "each usage appends to the unit\\*(Aqs list of bind mounts\\&. If the empty " "string is assigned to either of these two options the entire list of bind " "mounts defined prior to this is reset\\&. Note that in this case both read-" "only and regular bind mounts are reset, regardless which of the two settings " "is used\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This option is particularly useful when I/I is " "used\\&. In this case the source path refers to a path on the host file " "system, while the destination path refers to a path below the root directory " "of the unit\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that the destination directory must exist or systemd must be able to " "create it\\&. Thus, it is not possible to use those options for mount points " "nested underneath paths specified in I, or under /home/ " "and other protected directories if I is specified\\&. " "I with \":ro\" or I should be used " "instead\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This setting is similar to I in that it mounts a file system " "hierarchy from a block device node or loopback file, but the destination " "directory can be specified as well as mount options\\&. This option expects " "a whitespace separated list of mount definitions\\&. Each definition " "consists of a colon-separated tuple of source path and destination " "definitions, optionally followed by another colon and a list of mount " "options\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Mount options may be defined as a single comma-separated list of options, in " "which case they will be implicitly applied to the root partition on the " "image, or a series of colon-separated tuples of partition name and mount " "options\\&. Valid partition names and mount options are the same as for " "I setting described above\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Each mount definition may be prefixed with \"-\", in which case it will be " "ignored when its source path does not exist\\&. The source argument is a " "path to a block device node or regular file\\&. If source or destination " "contain a \":\", it needs to be escaped as \"\\e:\"\\&. The device node or " "file system image file needs to follow the same rules as specified for " "I\\&. Any mounts created with this option are specific to the " "unit, and are not visible in the host\\*(Aqs mount table\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "These settings may be used more than once, each usage appends to the " "unit\\*(Aqs list of mount paths\\&. If the empty string is assigned, the " "entire list of mount paths defined prior to this is reset\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that the destination directory must exist or systemd must be able to " "create it\\&. Thus, it is not possible to use those options for mount points " "nested underneath paths specified in I, or under /home/ " "and other protected directories if I is specified\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This setting is similar to I in that it mounts a file system " "hierarchy from a block device node or loopback file, but instead of " "providing a destination path, an overlay will be set up\\&. This option " "expects a whitespace separated list of mount definitions\\&. Each definition " "consists of a source path, optionally followed by a colon and a list of " "mount options\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "A read-only OverlayFS will be set up on top of /usr/ and /opt/ hierarchies " "for sysext images and /etc/ hierarchy for confext images\\&. The order in " "which the images are listed will determine the order in which the overlay is " "laid down: images specified first to last will result in overlayfs layers " "bottom to top\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Each mount definition may be prefixed with \"-\", in which case it will be " "ignored when its source path does not exist\\&. The source argument is a " "path to a block device node or regular file\\&. If the source path contains " "a \":\", it needs to be escaped as \"\\e:\"\\&. The device node or file " "system image file needs to follow the same rules as specified for " "I\\&. Any mounts created with this option are specific to the " "unit, and are not visible in the host\\*(Aqs mount table\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "These settings may be used more than once, each usage appends to the " "unit\\*(Aqs list of image paths\\&. If the empty string is assigned, the " "entire list of mount paths defined prior to this is reset\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Each sysext image must carry a /usr/lib/extension-release\\&.d/extension-" "release\\&.IMAGE file while each confext image must carry a /etc/extension-" "release\\&.d/extension-release\\&.IMAGE file, with the appropriate metadata " "which matches I/I or the host\\&. See: B(5)\\&. To disable the safety check that the extension-release file " "name matches the image file name, the I mount option may be appended\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 248\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This setting is similar to I in that it mounts a file " "system hierarchy from a directory, but instead of providing a destination " "path, an overlay will be set up\\&. This option expects a whitespace " "separated list of source directories\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "A read-only OverlayFS will be set up on top of /usr/ and /opt/ hierarchies " "for sysext images and /etc/ hierarchy for confext images\\&. The order in " "which the directories are listed will determine the order in which the " "overlay is laid down: directories specified first to last will result in " "overlayfs layers bottom to top\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Each directory listed in I may be prefixed with \"-" "\", in which case it will be ignored when its source path does not exist\\&. " "Any mounts created with this option are specific to the unit, and are not " "visible in the host\\*(Aqs mount table\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "These settings may be used more than once, each usage appends to the " "unit\\*(Aqs list of directories paths\\&. If the empty string is assigned, " "the entire list of mount paths defined prior to this is reset\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Each sysext directory must contain a /usr/lib/extension-release\\&.d/" "extension-release\\&.IMAGE file while each confext directory must carry a /" "etc/extension-release\\&.d/extension-release\\&.IMAGE file, with the " "appropriate metadata which matches I/I or the " "host\\&. See: B(5)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that usage from user units requires overlayfs support in unprivileged " "user namespaces, which was first introduced in kernel v5\\&.11\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 251\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "USER/GROUP IDENTITY" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "These options are only available for system services and are not supported " "for services running in per-user instances of the service manager\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I, I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Set the UNIX user or group that the processes are executed as, " "respectively\\&. Takes a single user or group name, or a numeric ID as " "argument\\&. For system services (services run by the system service " "manager, i\\&.e\\&. managed by PID 1) and for user services of the root user " "(services managed by root\\*(Aqs instance of B), the default " "is \"root\", but I may be used to specify a different user\\&. For " "user services of any other user, switching user identity is not permitted, " "hence the only valid setting is the same user the user\\*(Aqs service " "manager is running as\\&. If no group is set, the default group of the user " "is used\\&. This setting does not affect commands whose command line is " "prefixed with \"+\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that this enforces only weak restrictions on the user/group name " "syntax, but will generate warnings in many cases where user/group names do " "not adhere to the following rules: the specified name should consist only of " "the characters a-z, A-Z, 0-9, \"_\" and \"-\", except for the first " "character which must be one of a-z, A-Z and \"_\" (i\\&.e\\&. digits and \"-" "\" are not permitted as first character)\\&. The user/group name must have " "at least one character, and at most 31\\&. These restrictions are made in " "order to avoid ambiguities and to ensure user/group names and unit files " "remain portable among Linux systems\\&. For further details on the names " "accepted and the names warned about see \\m[blue]B\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When used in conjunction with I the user/group name specified " "is dynamically allocated at the time the service is started, and released at " "the time the service is stopped \\(em unless it is already allocated " "statically (see below)\\&. If I is not used the specified user " "and group must have been created statically in the user database no later " "than the moment the service is started, for example using the B(5) facility, which is applied at boot or package install time\\&. If the " "user does not exist by then program invocation will fail\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If the I setting is used the supplementary group list is initialized " "from the specified user\\*(Aqs default group list, as defined in the " "system\\*(Aqs user and group database\\&. Additional groups may be " "configured through the I setting (see below)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean parameter\\&. If set, a UNIX user and group pair is " "allocated dynamically when the unit is started, and released as soon as it " "is stopped\\&. The user and group will not be added to /etc/passwd or /etc/" "group, but are managed transiently during runtime\\&. The B(8) " "glibc NSS module provides integration of these dynamic users/groups into the " "system\\*(Aqs user and group databases\\&. The user and group name to use " "may be configured via I and I (see above)\\&. If these " "options are not used and dynamic user/group allocation is enabled for a " "unit, the name of the dynamic user/group is implicitly derived from the unit " "name\\&. If the unit name without the type suffix qualifies as valid user " "name it is used directly, otherwise a name incorporating a hash of it is " "used\\&. If a statically allocated user or group of the configured name " "already exists, it is used and no dynamic user/group is allocated\\&. Note " "that if I is specified and the static group with the name exists, " "then it is required that the static user with the name already exists\\&. " "Similarly, if I is specified and the static user with the name " "exists, then it is required that the static group with the name already " "exists\\&. Dynamic users/groups are allocated from the UID/GID range " "61184\\&...65519\\&. It is recommended to avoid this range for regular " "system or login users\\&. At any point in time each UID/GID from this range " "is only assigned to zero or one dynamically allocated users/groups in " "use\\&. However, UID/GIDs are recycled after a unit is terminated\\&. Care " "should be taken that any processes running as part of a unit for which " "dynamic users/groups are enabled do not leave files or directories owned by " "these users/groups around, as a different unit might get the same UID/GID " "assigned later on, and thus gain access to these files or directories\\&. If " "I is enabled, I and I are implied " "(and cannot be turned off)\\&. This ensures that the lifetime of IPC objects " "and temporary files created by the executed processes is bound to the " "runtime of the service, and hence the lifetime of the dynamic user/group\\&. " "Since /tmp/ and /var/tmp/ are usually the only world-writable directories on " "a system this ensures that a unit making use of dynamic user/group " "allocation cannot leave files around after unit termination\\&. Furthermore " "I and I are implicitly enabled (and " "cannot be disabled), to ensure that processes invoked cannot take benefit or " "create SUID/SGID files or directories\\&. Moreover I " "and I are implied, thus prohibiting the service to " "write to arbitrary file system locations\\&. In order to allow the service " "to write to certain directories, they have to be allow-listed using " "I, but care must be taken so that UID/GID recycling " "doesn\\*(Aqt create security issues involving files created by the " "service\\&. Use I (see below) in order to assign a " "writable runtime directory to a service, owned by the dynamic user/group and " "removed automatically when the unit is terminated\\&. Use " "I, I and I in order to " "assign a set of writable directories for specific purposes to the service in " "a way that they are protected from vulnerabilities due to UID reuse (see " "below)\\&. If this option is enabled, care should be taken that the " "unit\\*(Aqs processes do not get access to directories outside of these " "explicitly configured and managed ones\\&. Specifically, do not use " "I and be careful with B file descriptor passing for " "directory file descriptors, as this would permit processes to create files " "or directories owned by the dynamic user/group that are not subject to the " "lifecycle and access guarantees of the service\\&. Note that this option is " "currently incompatible with D-Bus policies, thus a service using this option " "may currently not allocate a D-Bus service name (note that this does not " "affect calling into other D-Bus services)\\&. Defaults to off\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 232\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the supplementary Unix groups the processes are executed as\\&. This " "takes a space-separated list of group names or IDs\\&. This option may be " "specified more than once, in which case all listed groups are set as " "supplementary groups\\&. When the empty string is assigned, the list of " "supplementary groups is reset, and all assignments prior to this one will " "have no effect\\&. In any way, this option does not override, but extends " "the list of supplementary groups configured in the system group database for " "the user\\&. This does not affect commands prefixed with \"+\"\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux fedora-40 mageia-cauldron opensuse-tumbleweed msgid "" "Takes a boolean parameter that controls whether to set I<$HOME>, " "I<$LOGNAME>, and I<$SHELL> environment variables\\&. If unset, this is " "controlled by whether I is set\\&. If true, they will always be set " "for system services, i\\&.e\\&. even when the default user \"root\" is " "used\\&. If false, the mentioned variables are not set by systemd, no matter " "whether I is used or not\\&. This option normally has no effect on " "user services, since these variables are typically inherited from user " "manager\\*(Aqs own environment anyway\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 255\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the PAM service name to set up a session as\\&. If set, the executed " "process will be registered as a PAM session under the specified service " "name\\&. This is only useful in conjunction with the I setting, and " "is otherwise ignored\\&. If not set, no PAM session will be opened for the " "executed processes\\&. See B(8) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that for each unit making use of this option a PAM session handler " "process will be maintained as part of the unit and stays around as long as " "the unit is active, to ensure that appropriate actions can be taken when the " "unit and hence the PAM session terminates\\&. This process is named \"(sd-" "pam)\" and is an immediate child process of the unit\\*(Aqs main process\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that when this option is used for a unit it is very likely (depending " "on PAM configuration) that the main unit process will be migrated to its own " "session scope unit when it is activated\\&. This process will hence be " "associated with two units: the unit it was originally started from (and for " "which I was configured), and the session scope unit\\&. Any child " "processes of that process will however be associated with the session scope " "unit only\\&. This has implications when used in combination with " "IB, as these child processes will not be able to affect " "changes in the original unit through notification messages\\&. These " "messages will be considered belonging to the session scope unit and not the " "original unit\\&. It is hence not recommended to use I in " "combination with IB\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "CAPABILITIES" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "These options are only available for system services, or for services " "running in per-user instances of the service manager in which case " "I is implicitly enabled (requires unprivileged user " "namespaces support to be enabled in the kernel via the \"kernel\\&." "unprivileged_userns_clone=\" sysctl)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls which capabilities to include in the capability bounding set for " "the executed process\\&. See B(7) for details\\&. Takes a " "whitespace-separated list of capability names, e\\&.g\\&. B, " "B, B\\&. Capabilities listed will be " "included in the bounding set, all others are removed\\&. If the list of " "capabilities is prefixed with \"~\", all but the listed capabilities will be " "included, the effect of the assignment inverted\\&. Note that this option " "also affects the respective capabilities in the effective, permitted and " "inheritable capability sets\\&. If this option is not used, the capability " "bounding set is not modified on process execution, hence no limits on the " "capabilities of the process are enforced\\&. This option may appear more " "than once, in which case the bounding sets are merged by B, or by B " "if the lines are prefixed with \"~\" (see below)\\&. If the empty string is " "assigned to this option, the bounding set is reset to the empty capability " "set, and all prior settings have no effect\\&. If set to \"~\" (without any " "further argument), the bounding set is reset to the full set of available " "capabilities, also undoing any previous settings\\&. This does not affect " "commands prefixed with \"+\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Use B(1)\\*(Aqs B command to retrieve a list of " "capabilities defined on the local system\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Example: if a unit has the following," msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "CapabilityBoundingSet=CAP_A CAP_B\n" "CapabilityBoundingSet=CAP_B CAP_C\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "then B, B, and B are set\\&. If the second line is " "prefixed with \"~\", e\\&.g\\&.," msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "CapabilityBoundingSet=CAP_A CAP_B\n" "CapabilityBoundingSet=~CAP_B CAP_C\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "then, only B is set\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls which capabilities to include in the ambient capability set for the " "executed process\\&. Takes a whitespace-separated list of capability names, " "e\\&.g\\&. B, B, B\\&. " "This option may appear more than once, in which case the ambient capability " "sets are merged (see the above examples in I)\\&. If " "the list of capabilities is prefixed with \"~\", all but the listed " "capabilities will be included, the effect of the assignment inverted\\&. If " "the empty string is assigned to this option, the ambient capability set is " "reset to the empty capability set, and all prior settings have no effect\\&. " "If set to \"~\" (without any further argument), the ambient capability set " "is reset to the full set of available capabilities, also undoing any " "previous settings\\&. Note that adding capabilities to the ambient " "capability set adds them to the process\\*(Aqs inherited capability set\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Ambient capability sets are useful if you want to execute a process as a non-" "privileged user but still want to give it some capabilities\\&. Note that in " "this case option B is automatically added to I to " "retain the capabilities over the user change\\&. I " "does not affect commands prefixed with \"+\"\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 229\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SECURITY" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, ensures that the service process and " "all its children can never gain new privileges through B (e\\&." "g\\&. via setuid or setgid bits, or filesystem capabilities)\\&. This is the " "simplest and most effective way to ensure that a process and its children " "can never elevate privileges again\\&. Defaults to false\\&. In case the " "service will be run in a new mount namespace anyway and SELinux is disabled, " "all file systems are mounted with B flag\\&. Also see " "\\m[blue]B\\m[]\\&\\s-2\\u[4]\\d\\s+2\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that this setting only has an effect on the unit\\*(Aqs processes " "themselves (or any processes directly or indirectly forked off them)\\&. It " "has no effect on processes potentially invoked on request of them through " "tools such as B(1), B(1), B(1), or arbitrary IPC " "services\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 187\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls the secure bits set for the executed process\\&. Takes a space-" "separated combination of options from the following list: B, " "B, B, B, " "B, and B\\&. This option may appear more than once, " "in which case the secure bits are ORed\\&. If the empty string is assigned " "to this option, the bits are reset to 0\\&. This does not affect commands " "prefixed with \"+\"\\&. See B(7) for details\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "MANDATORY ACCESS CONTROL" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Set the SELinux security context of the executed process\\&. If set, this " "will override the automated domain transition\\&. However, the policy still " "needs to authorize the transition\\&. This directive is ignored if SELinux " "is disabled\\&. If prefixed by \"-\", failing to set the SELinux security " "context will be ignored, but it\\*(Aqs still possible that the subsequent " "B may fail if the policy doesn\\*(Aqt allow the transition for the " "non-overridden context\\&. This does not affect commands prefixed with \"+" "\"\\&. See B(3) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 209\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a profile name as argument\\&. The process executed by the unit will " "switch to this profile when started\\&. Profiles must already be loaded in " "the kernel, or the unit will fail\\&. If prefixed by \"-\", all errors will " "be ignored\\&. This setting has no effect if AppArmor is not enabled\\&. " "This setting does not affect commands prefixed with \"+\"\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 210\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a B security label as argument\\&. The process executed by " "the unit will be started under this label and SMACK will decide whether the " "process is allowed to run or not, based on it\\&. The process will continue " "to run under the label specified here unless the executable has its own " "B label, in which case the process will transition to run under " "that label\\&. When not specified, the label that systemd is running under " "is used\\&. This directive is ignored if SMACK is disabled\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The value may be prefixed by \"-\", in which case all errors will be " "ignored\\&. An empty value may be specified to unset previous " "assignments\\&. This does not affect commands prefixed with \"+\"\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 218\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "PROCESS PROPERTIES" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I, I, I, I, I, " "I, I, I, I, " "I, I, I, I, " "I, I, I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Set soft and hard limits on various resources for executed processes\\&. See " "B(2) for details on the process resource limit concept\\&. " "Process resource limits may be specified in two formats: either as single " "value to set a specific soft and hard limit to the same value, or as colon-" "separated pair B to set both limits individually (e\\&.g\\&. " "\"LimitAS=4G:16G\")\\&. Use the string B to configure no limit on " "a specific resource\\&. The multiplicative suffixes K, M, G, T, P and E (to " "the base 1024) may be used for resource limits measured in bytes (e\\&." "g\\&. \"LimitAS=16G\")\\&. For the limits referring to time values, the " "usual time units ms, s, min, h and so on may be used (see B(7) for details)\\&. Note that if no time unit is specified for " "I the default unit of seconds is implied, while for " "I the default unit of microseconds is implied\\&. Also, note " "that the effective granularity of the limits might influence their " "enforcement\\&. For example, time limits specified for I will be " "rounded up implicitly to multiples of 1s\\&. For I the value may " "be specified in two syntaxes: if prefixed with \"+\" or \"-\", the value is " "understood as regular Linux nice value in the range -20\\&...19\\&. If not " "prefixed like this the value is understood as raw resource limit parameter " "in the range 0\\&...40 (with 0 being equivalent to 1)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that most process resource limits configured with these options are per-" "process, and processes may fork in order to acquire a new set of resources " "that are accounted independently of the original process, and may thus " "escape limits set\\&. Also note that I is not implemented on " "Linux, and setting it has no effect\\&. Often it is advisable to prefer the " "resource controls listed in B(5) over these per-" "process limits, as they apply to services as a whole, may be altered " "dynamically at runtime, and are generally more expressive\\&. For example, " "I is a more powerful (and working) replacement for " "I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that I will limit the number of processes from one (real) " "UID and not the number of processes started (forked) by the service\\&. " "Therefore the limit is cumulative for all processes running under the same " "UID\\&. Please also note that the I will not be enforced if the " "service is running as root (and not dropping privileges)\\&. Due to these " "limitations, I (see B(5)) is typically " "a better choice than I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Resource limits not configured explicitly for a unit default to the value " "configured in the various I, I, \\&... " "options available in B(5), and \\(en if not configured " "there \\(en the kernel or per-user defaults, as defined by the OS (the " "latter only for user services, see below)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "For system units these resource limits may be chosen freely\\&. When these " "settings are configured in a user service (i\\&.e\\&. a service run by the " "per-user instance of the service manager) they cannot be used to raise the " "limits above those set for the user manager itself when it was first " "invoked, as the user\\*(Aqs service manager generally lacks the privileges " "to do so\\&. In user context these configuration options are hence only " "useful to lower the limits passed in or to raise the soft limit to the " "maximum of the hard limit as configured for the user\\&. To raise the " "user\\*(Aqs limits further, the available configuration mechanisms differ " "between operating systems, but typically require privileges\\&. In most " "cases it is possible to configure higher per-user resource limits via PAM or " "by setting limits on the system service encapsulating the user\\*(Aqs " "service manager, i\\&.e\\&. the user\\*(Aqs instance of user@\\&.service\\&. " "After making such changes, make sure to restart the user\\*(Aqs service " "manager\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "B" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Directive" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "B equivalent" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Unit" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Notes" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid ".T&" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "l l l l" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "l l l l." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitCPU=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -t" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Seconds" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "-" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitFSIZE=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -f" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Bytes" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitDATA=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -d" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Don\\*(Aqt use\\&. This limits the allowed address range, not memory use! Defaults to unlimited and should not be lowered\\&. To limit memory use, see I in B(5)\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitSTACK=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -s" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitCORE=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -c" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitRSS=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -m" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Don\\*(Aqt use\\&. No effect on Linux\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitNOFILE=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -n" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Number of File Descriptors" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Don\\*(Aqt use\\&. Be careful when raising the soft limit above 1024, since B(2)\\&. Note that file descriptors are nowadays accounted like any other form of memory, thus there should not be any need to lower the hard limit\\&. Use I to control overall service memory use, including file descriptor memory\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitAS=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -v" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitNPROC=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -u" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Number of Processes" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "This limit is enforced based on the number of processes belonging to the user\\&. Typically it\\*(Aqs better to track processes per service, i\\&.e\\&. use I, see B(5)\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitMEMLOCK=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -l" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitLOCKS=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -x" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Number of Locks" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitSIGPENDING=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -i" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Number of Queued Signals" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitMSGQUEUE=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -q" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitNICE=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -e" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Nice Level" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitRTPRIO=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -r" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Realtime Priority" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "LimitRTTIME=" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "ulimit -R" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Microseconds" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls the file mode creation mask\\&. Takes an access mode in octal " "notation\\&. See B(2) for details\\&. Defaults to 0022 for system " "units\\&. For user units the default value is inherited from the per-user " "service manager (whose default is in turn inherited from the system service " "manager, and thus typically also is 0022 \\(em unless overridden by a PAM " "module)\\&. In order to change the per-user mask for all user services, " "consider setting the I setting of the user\\*(Aqs user@\\&.service " "system service instance\\&. The per-user umask may also be set via the " "I field of a user\\*(Aqs \\m[blue]B\\m[]\\&\\s-2\\u[5]\\d\\s+2 (for users managed by B(8) this field may be controlled via B)\\&. It " "may also be set via a PAM module, such as B(8)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls which types of memory mappings will be saved if the process dumps " "core (using the /proc/I/coredump_filter file)\\&. Takes a whitespace-" "separated combination of mapping type names or numbers (with the default " "base 16)\\&. Mapping type names are B, B, B, B, B, " "B, B, B, B, and the " "special values B (all types) and B (the kernel default of " "\"B B B B\")\\&. See B(5) for the meaning of the mapping types\\&. When " "specified multiple times, all specified masks are ORed\\&. When not set, or " "if the empty value is assigned, the inherited value is not changed\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "CoredumpFilter=default private-dax shared-dax\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls how the kernel session keyring is set up for the service (see " "B(7) for details on the session keyring)\\&. Takes one of " "B, B, B\\&. If set to B no special " "keyring setup is done, and the kernel\\*(Aqs default behaviour is " "applied\\&. If B is used a new session keyring is allocated when a " "service process is invoked, and it is not linked up with any user " "keyring\\&. This is the recommended setting for system services, as this " "ensures that multiple services running under the same system user ID (in " "particular the root user) do not share their key material among each " "other\\&. If B is used a new session keyring is allocated as for " "B, but the user keyring of the user configured with I is " "linked into it, so that keys assigned to the user may be requested by the " "unit\\*(Aqs processes\\&. In this mode multiple units running processes " "under the same user ID may share key material\\&. Unless B is " "selected the unique invocation ID for the unit (see below) is added as a " "protected key by the name \"invocation_id\" to the newly created session " "keyring\\&. Defaults to B for services of the system service " "manager and to B for non-service units and for services of the user " "service manager\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 235\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the adjustment value for the Linux kernel\\*(Aqs Out-Of-Memory (OOM) " "killer score for executed processes\\&. Takes an integer between -1000 (to " "disable OOM killing of processes of this unit) and 1000 (to make killing of " "processes of this unit under memory pressure very likely)\\&. See " "\\m[blue]B\\m[]\\&\\s-2\\u[6]\\d\\s+2 for details\\&. " "If not specified defaults to the OOM score adjustment level of the service " "manager itself, which is normally at 0\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Use the I setting of service units to configure how the service " "manager shall react to the kernel OOM killer or B terminating " "a process of the service\\&. See B(5) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the timer slack in nanoseconds for the executed processes\\&. The timer " "slack controls the accuracy of wake-ups triggered by timers\\&. See " "B(2) for more information\\&. Note that in contrast to most other " "time span definitions this parameter takes an integer value in nano-seconds " "if no unit is specified\\&. The usual time units are understood too\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls which kernel architecture B(2) shall report, when invoked " "by unit processes\\&. Takes one of the architecture identifiers B, " "B, B, B, B, B, B, B, " "B, B, B or B\\&. Which personality " "architectures are supported depends on the kernel\\*(Aqs native " "architecture\\&. Usually the 64-bit versions of the various system " "architectures support their immediate 32-bit personality architecture " "counterpart, but no others\\&. For example, B systems support the " "B and B personalities but no others\\&. The personality feature " "is useful when running 32-bit services on a 64-bit host system\\&. If not " "specified, the personality is left unmodified and thus reflects the " "personality of the host system\\*(Aqs kernel\\&. This option is not useful " "on architectures for which only one native word width was ever available, " "such as B (32-bit only) or B (64-bit only)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, B is ignored in the executed " "process\\&. Defaults to true since B is generally only useful in " "shell pipelines\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SCHEDULING" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the default nice level (scheduling priority) for executed processes\\&. " "Takes an integer between -20 (highest priority) and 19 (lowest priority)\\&. " "In case of resource contention, smaller values mean more resources will be " "made available to the unit\\*(Aqs processes, larger values mean less " "resources will be made available\\&. See B(2) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the CPU scheduling policy for executed processes\\&. Takes one of " "B, B, B, B or B\\&. See " "B(2) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the CPU scheduling priority for executed processes\\&. The available " "priority range depends on the selected CPU scheduling policy (see above)\\&. " "For real-time scheduling policies an integer between 1 (lowest priority) and " "99 (highest priority) can be used\\&. In case of CPU resource contention, " "smaller values mean less CPU time is made available to the service, larger " "values mean more\\&. See B(2) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, elevated CPU scheduling priorities and " "policies will be reset when the executed processes call B(2), and can " "hence not leak into child processes\\&. See B(2) for " "details\\&. Defaults to false\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls the CPU affinity of the executed processes\\&. Takes a list of CPU " "indices or ranges separated by either whitespace or commas\\&. " "Alternatively, takes a special \"numa\" value in which case systemd " "automatically derives allowed CPU range based on the value of I " "option\\&. CPU ranges are specified by the lower and upper CPU indices " "separated by a dash\\&. This option may be specified more than once, in " "which case the specified CPU affinity masks are merged\\&. If the empty " "string is assigned, the mask is reset, all assignments prior to this will " "have no effect\\&. See B(2) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls the NUMA memory policy of the executed processes\\&. Takes a policy " "type, one of: B, B, B, B and " "B\\&. A list of NUMA nodes that should be associated with the policy " "must be specified in I\\&. For more details on each policy please " "see, B(2)\\&. For overall overview of NUMA support in Linux " "see, B(7)\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 243\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Controls the NUMA node list which will be applied alongside with selected " "NUMA policy\\&. Takes a list of NUMA nodes and has the same syntax as a list " "of CPUs for I option or special \"all\" value which will " "include all available NUMA nodes in the mask\\&. Note that the list of NUMA " "nodes is not required for B and B policies and for " "B policy we expect a single NUMA node\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the I/O scheduling class for executed processes\\&. Takes one of the " "strings B, B or B\\&. The kernel\\*(Aqs default " "scheduling class is B at a priority of 4\\&. If the empty " "string is assigned to this option, all prior assignments to both " "I and I have no effect\\&. See " "B(2) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets the I/O scheduling priority for executed processes\\&. Takes an integer " "between 0 (highest priority) and 7 (lowest priority)\\&. In case of I/O " "contention, smaller values mean more I/O bandwidth is made available to the " "unit\\*(Aqs processes, larger values mean less bandwidth\\&. The available " "priorities depend on the selected I/O scheduling class (see above)\\&. If " "the empty string is assigned to this option, all prior assignments to both " "I and I have no effect\\&. For " "the kernel\\*(Aqs default scheduling class (B) this defaults to " "4\\&. See B(2) for details\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SANDBOXING" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The following sandboxing options are an effective way to limit the exposure " "of the system towards the unit\\*(Aqs processes\\&. It is recommended to " "turn on as many of these options for each unit as is possible without " "negatively affecting the process\\*(Aq ability to operate\\&. Note that many " "of these sandboxing features are gracefully turned off on systems where the " "underlying security mechanism is not available\\&. For example, " "I has no effect if the kernel is built without file system " "namespacing or if the service manager runs in a container manager that makes " "file system namespacing unavailable to its payload\\&. Similarly, " "I has no effect on systems that lack support for SECCOMP " "system call filtering, or in containers where support for this is turned " "off\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Also note that some sandboxing functionality is generally not available in " "user services (i\\&.e\\&. services run by the per-user service manager)\\&. " "Specifically, the various settings requiring file system namespacing support " "(such as I) are not available, as the underlying kernel " "functionality is only accessible to privileged processes\\&. However, most " "namespacing settings, that will not work on their own in user services, will " "work when used in conjunction with IB\\&." msgstr "" #. type: Plain text #: archlinux mageia-cauldron opensuse-tumbleweed msgid "" "Note that the various options that turn directories read-only (such as " "I, I, \\&...) do not affect the ability for " "programs to connect to and communicate with B sockets in these " "directores\\&. These options cannot be used to lock down access to IPC " "services hence\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed msgid "" "Takes a boolean argument or the special values \"full\" or \"strict\"\\&. If " "true, mounts the /usr/ and the boot loader directories (/boot and /efi) read-" "only for processes invoked by this unit\\&. If set to \"full\", the /etc/ " "directory is mounted read-only, too\\&. If set to \"strict\" the entire file " "system hierarchy is mounted read-only, except for the API file system " "subtrees /dev/, /proc/ and /sys/ (protect these directories using " "I, I, I)\\&. " "This setting ensures that any modification of the vendor-supplied operating " "system (and optionally its configuration, and local mounts) is prohibited " "for the service\\&. It is recommended to enable this setting for all long-" "running services, unless they are involved with system updates or need to " "modify the operating system in other ways\\&. If this option is used, " "I may be used to exclude specific directories from being " "made read-only\\&. Similar, I, I, \\&... " "and related directory settings (see below) also exclude the specific " "directories from the effect of I\\&. This setting is implied " "if I is set\\&. This setting cannot ensure protection in all " "cases\\&. In general it has the same limitations as I, see " "below\\&. Defaults to off\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 214\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument or the special values \"read-only\" or " "\"tmpfs\"\\&. If true, the directories /home/, /root, and /run/user are made " "inaccessible and empty for processes invoked by this unit\\&. If set to " "\"read-only\", the three directories are made read-only instead\\&. If set " "to \"tmpfs\", temporary file systems are mounted on the three directories in " "read-only mode\\&. The value \"tmpfs\" is useful to hide home directories " "not relevant to the processes invoked by the unit, while still allowing " "necessary directories to be made visible when listed in I or " "I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Setting this to \"yes\" is mostly equivalent to setting the three " "directories in I\\&. Similarly, \"read-only\" is mostly " "equivalent to I, and \"tmpfs\" is mostly equivalent to " "I with \":ro\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "It is recommended to enable this setting for all long-running services (in " "particular network-facing ones), to ensure they cannot get access to private " "user data, unless the services actually require access to the user\\*(Aqs " "private data\\&. This setting is implied if I is set\\&. This " "setting cannot ensure protection in all cases\\&. In general it has the same " "limitations as I, see below\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I, I, I, " "I, I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "These options take a whitespace-separated list of directory names\\&. The " "specified directory names must be relative, and may not include \"\\&.\\&." "\"\\&. If set, when the unit is started, one or more directories by the " "specified names will be created (including their parents) below the " "locations defined in the following table\\&. Also, the corresponding " "environment variable will be defined with the full paths of the " "directories\\&. If multiple directories are set, then in the environment " "variable the paths are concatenated with colon (\":\")\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "B" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Directory" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Below path for system units" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Below path for user units" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Environment variable set" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "/run/" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$XDG_RUNTIME_DIR>" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$RUNTIME_DIRECTORY>" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "/var/lib/" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$XDG_STATE_HOME>" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$STATE_DIRECTORY>" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "/var/cache/" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$XDG_CACHE_HOME>" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$CACHE_DIRECTORY>" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "/var/log/" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$XDG_STATE_HOME>/log/" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$LOGS_DIRECTORY>" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "/etc/" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$XDG_CONFIG_HOME>" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "I<$CONFIGURATION_DIRECTORY>" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "In case of I the innermost subdirectories are removed " "when the unit is stopped\\&. It is possible to preserve the specified " "directories in this case if I is configured to " "B or B (see below)\\&. The directories specified with " "I, I, I, " "I are not removed when the unit is stopped\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Except in case of I, the innermost specified " "directories will be owned by the user and group specified in I and " "I\\&. If the specified directories already exist and their owning " "user or group do not match the configured ones, all files and directories " "below the specified directories as well as the directories themselves will " "have their file ownership recursively changed to match what is " "configured\\&. As an optimization, if the specified directories are already " "owned by the right user and group, files and directories below of them are " "left as-is, even if they do not match what is requested\\&. The innermost " "specified directories will have their access mode adjusted to the what is " "specified in I, I, " "I, I and " "I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "These options imply I for the specified paths\\&. When combined " "with I or I these paths always reside on the " "host and are mounted from there into the unit\\*(Aqs file system " "namespace\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If I is used, the logic for I, " "I and I is slightly altered: the " "directories are created below /var/cache/private, /var/log/private and /var/" "lib/private, respectively, which are host directories made inaccessible to " "unprivileged users, which ensures that access to these directories cannot be " "gained through dynamic user ID recycling\\&. Symbolic links are created to " "hide this difference in behaviour\\&. Both from perspective of the host and " "from inside the unit, the relevant directories hence always appear directly " "below /var/cache, /var/log and /var/lib\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Use I to manage one or more runtime directories for the " "unit and bind their lifetime to the daemon runtime\\&. This is particularly " "useful for unprivileged daemons that cannot create runtime directories in /" "run/ due to lack of privileges, and to make sure the runtime directory is " "cleaned up automatically after use\\&. For runtime directories that require " "more complex or different configuration or lifetime guarantees, please " "consider using B(5)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I, I, I and " "I optionally support a second parameter, separated by \":" "\"\\&. The second parameter will be interpreted as a destination path that " "will be created as a symlink to the directory\\&. The symlinks will be " "created after any I or I options have been " "set up, to make ephemeral symlinking possible\\&. The same source can have " "multiple symlinks, by using the same first parameter, but a different second " "parameter\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The directories defined by these options are always created under the " "standard paths used by systemd (/var/, /run/, /etc/, \\&...)\\&. If the " "service needs directories in a different location, a different mechanism has " "to be used to create them\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "B(5) provides functionality that overlaps with these " "options\\&. Using these options is recommended, because the lifetime of the " "directories is tied directly to the lifetime of the unit, and it is not " "necessary to ensure that the tmpfiles\\&.d configuration is executed before " "the unit is started\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "To remove any of the directories created by these settings, use the " "B command on the relevant units, see " "B(1) for details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Example: if a system service unit has the following," msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "RuntimeDirectory=foo/bar baz\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "the service manager creates /run/foo (if it does not exist), /run/foo/bar, " "and /run/baz\\&. The directories /run/foo/bar and /run/baz except /run/foo " "are owned by the user and group specified in I and I, and " "removed when the service is stopped\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "RuntimeDirectory=foo/bar\n" "StateDirectory=aaa/bbb ccc\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "then the environment variable \"RUNTIME_DIRECTORY\" is set with \"/run/foo/" "bar\", and \"STATE_DIRECTORY\" is set with \"/var/lib/aaa/bbb:/var/lib/" "ccc\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "RuntimeDirectory=foo:bar foo:baz\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "the service manager creates /run/foo (if it does not exist), and /run/bar " "plus /run/baz as symlinks to /run/foo\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 211\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I, I, I, " "I, I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Specifies the access mode of the directories specified in " "I, I, I, " "I, or I, respectively, as an octal " "number\\&. Defaults to B<0755>\\&. See \"Permissions\" in " "B(7) for a discussion of the meaning of permission bits\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 234\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument or B\\&. If set to B (the default), " "the directories specified in I are always removed when " "the service stops\\&. If set to B the directories are preserved " "when the service is both automatically and manually restarted\\&. Here, the " "automatic restart means the operation specified in I, and manual " "restart means the one triggered by B\\&. " "If set to B, then the directories are not removed when the service is " "stopped\\&. Note that since the runtime directory /run/ is a mount point of " "\"tmpfs\", then for system services the directories specified in " "I are removed when the system is rebooted\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Configures a timeout on the clean-up operation requested through B, see B(1) for details\\&. Takes the usual time " "values and defaults to B, i\\&.e\\&. by default no timeout is " "applied\\&. If a timeout is configured the clean operation will be aborted " "forcibly when the timeout is reached, potentially leaving resources on " "disk\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 244\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "I, I, I, I, " "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Sets up a new file system namespace for executed processes\\&. These options " "may be used to limit access a process has to the file system\\&. Each " "setting takes a space-separated list of paths relative to the host\\*(Aqs " "root directory (i\\&.e\\&. the system running the service manager)\\&. Note " "that if paths contain symlinks, they are resolved relative to the root " "directory set with I/I\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Paths listed in I are accessible from within the namespace " "with the same access modes as from outside of it\\&. Paths listed in " "I are accessible for reading only, writing will be refused " "even if the usual file access controls would permit this\\&. Nest " "I inside of I in order to provide writable " "subdirectories within read-only directories\\&. Use I in " "order to allow-list specific paths for write access if " "I is used\\&. Note that I cannot be " "used to gain write access to a file system whose superblock is mounted read-" "only\\&. On Linux, for each mount point write access is granted only if the " "mount point itself I the file system superblock backing it are not " "marked read-only\\&. I only controls the former, not the " "latter, hence a read-only file system superblock remains protected\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Paths listed in I will be made inaccessible for " "processes inside the namespace along with everything below them in the file " "system hierarchy\\&. This may be more restrictive than desired, because it " "is not possible to nest I, I, " "I, or I inside it\\&. For a more flexible " "option, see I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Content in paths listed in I are not executable even if the " "usual file access controls would permit this\\&. Nest I inside " "of I in order to provide executable content within non-" "executable directories\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Non-directory paths may be specified as well\\&. These options may be " "specified more than once, in which case all paths listed will have limited " "access from within the namespace\\&. If the empty string is assigned to this " "option, the specific list is reset, and all prior assignments have no " "effect\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Paths in I, I, I, " "I and I may be prefixed with \"-\", in which case " "they will be ignored when they do not exist\\&. If prefixed with \"+\" the " "paths are taken relative to the root directory of the unit, as configured " "with I/I, instead of relative to the root " "directory of the host (see above)\\&. When combining \"-\" and \"+\" on the " "same path make sure to specify \"-\" first, and \"+\" second\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that these settings will disconnect propagation of mounts from the " "unit\\*(Aqs processes to the host\\&. This means that this setting may not " "be used for services which shall be able to install mount points in the main " "mount namespace\\&. For I and I, " "propagation in the other direction is not affected, i\\&.e\\&. mounts " "created on the host generally appear in the unit processes\\*(Aq namespace, " "and mounts removed on the host also disappear there too\\&. In particular, " "note that mount propagation from host to unit will result in unmodified " "mounts to be created in the unit\\*(Aqs namespace, i\\&.e\\&. writable " "mounts appearing on the host will be writable in the unit\\*(Aqs namespace " "too, even when propagated below a path marked with I! " "Restricting access with these options hence does not extend to submounts of " "a directory that are created later on\\&. This means the lock-down offered " "by that setting is not complete, and does not offer full protection\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that the effect of these settings may be undone by privileged " "processes\\&. In order to set up an effective sandboxed environment for a " "unit it is thus recommended to combine these settings with either " "I or I\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Please be extra careful when applying these options to API file systems (a " "list of them could be found in I), since they may be required " "for basic system functionalities\\&. Moreover, /run/ needs to be writable " "for setting up mount namespace and propagation\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Simple allow-list example using these directives:" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "[Service]\n" "ReadOnlyPaths=/\n" "ReadWritePaths=/var /run\n" "InaccessiblePaths=-/lost+found\n" "NoExecPaths=/\n" "ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64\n" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 231\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a space-separated list of mount points for temporary file systems " "(tmpfs)\\&. If set, a new file system namespace is set up for executed " "processes, and a temporary file system is mounted on each mount point\\&. " "This option may be specified more than once, in which case temporary file " "systems are mounted on all listed mount points\\&. If the empty string is " "assigned to this option, the list is reset, and all prior assignments have " "no effect\\&. Each mount point may optionally be suffixed with a colon (\":" "\") and mount options such as \"size=10%\" or \"ro\"\\&. By default, each " "temporary file system is mounted with \"nodev,strictatime,mode=0755\"\\&. " "These can be disabled by explicitly specifying the corresponding mount " "options, e\\&.g\\&., \"dev\" or \"nostrictatime\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This is useful to hide files or directories not relevant to the processes " "invoked by the unit, while necessary files or directories can be still " "accessed by combining with I or I:" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "TemporaryFileSystem=/var:ro\n" "BindReadOnlyPaths=/var/lib/systemd\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "then the invoked processes by the unit cannot see any files or directories " "under /var/ except for /var/lib/systemd or its contents\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 238\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, sets up a new file system namespace " "for the executed processes and mounts private /tmp/ and /var/tmp/ " "directories inside it that are not shared by processes outside of the " "namespace\\&. This is useful to secure access to temporary files of the " "process, but makes sharing between processes via /tmp/ or /var/tmp/ " "impossible\\&. If true, all temporary files created by a service in these " "directories will be removed after the service is stopped\\&. Defaults to " "false\\&. It is possible to run two or more units within the same private /" "tmp/ and /var/tmp/ namespace by using the I directive, " "see B(5) for details\\&. This setting is implied if " "I is set\\&. For this setting, the same restrictions regarding " "mount propagation and privileges apply as for I and related " "calls, see above\\&. Enabling this setting has the side effect of adding " "I and I dependencies on all mount units necessary to " "access /tmp/ and /var/tmp/\\&. Moreover an implicitly I ordering on " "B(8) is added\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that the implementation of this setting might be impossible (for " "example if mount namespaces are not available), and the unit should be " "written in a way that does not solely rely on this setting for security\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, sets up a new /dev/ mount for the " "executed processes and only adds API pseudo devices such as /dev/null, /dev/" "zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no " "physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/" "port and others\\&. This is useful to turn off physical device access by the " "executed process\\&. Defaults to false\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Enabling this option will install a system call filter to block low-level I/" "O system calls that are grouped in the I<@raw-io> set, remove B " "and B from the capability bounding set for the unit, and set " "I (see B(5) for details)\\&. " "Note that using this setting will disconnect propagation of mounts from the " "service to the host (propagation in the opposite direction continues to " "work)\\&. This means that this setting may not be used for services which " "shall be able to install mount points in the main mount namespace\\&. The " "new /dev/ will be mounted read-only and \\*(Aqnoexec\\*(Aq\\&. The latter " "may break old programs which try to set up executable memory by using " "B(2) of /dev/zero instead of using B\\&. For this setting " "the same restrictions regarding mount propagation and privileges apply as " "for I and related calls, see above\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When access to some but not all devices must be possible, the " "I setting might be used instead\\&. See B(5)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, sets up a new network namespace for " "the executed processes and configures only the loopback network device " "\"lo\" inside it\\&. No other network devices will be available to the " "executed process\\&. This is useful to turn off network access by the " "executed process\\&. Defaults to false\\&. It is possible to run two or more " "units within the same private network namespace by using the " "I directive, see B(5) for details\\&. Note " "that this option will disconnect all socket families from the host, " "including B and B\\&. Effectively, for B " "this means that device configuration events received from B(8) are not delivered to the unit\\*(Aqs processes\\&. And for " "B this has the effect that B sockets in the abstract " "socket namespace of the host will become unavailable to the unit\\*(Aqs " "processes (however, those located in the file system will continue to be " "accessible)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that the implementation of this setting might be impossible (for " "example if network namespaces are not available), and the unit should be " "written in a way that does not solely rely on this setting for security\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When this option is enabled, I is implied unless it is " "explicitly disabled, and /sys will be remounted to associate it with the new " "network namespace\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When this option is used on a socket unit any sockets bound on behalf of " "this unit will be bound within a private network namespace\\&. This may be " "combined with I to listen on sockets inside of network " "namespaces of other services\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes an absolute file system path referring to a Linux network namespace " "pseudo-file (i\\&.e\\&. a file like /proc/$PID/ns/net or a bind mount or " "symlink to one)\\&. When set the invoked processes are added to the network " "namespace referenced by that path\\&. The path has to point to a valid " "namespace file at the moment the processes are forked off\\&. If this option " "is used I has no effect\\&. If this option is used together " "with I then it only has an effect if this unit is started " "before any of the listed units that have I or " "I configured, as otherwise the network namespace of " "those units is reused\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When this option is used on a socket unit any sockets bound on behalf of " "this unit will be bound within the specified network namespace\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 242\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, sets up a new IPC namespace for the " "executed processes\\&. Each IPC namespace has its own set of System V IPC " "identifiers and its own POSIX message queue file system\\&. This is useful " "to avoid name clash of IPC identifiers\\&. Defaults to false\\&. It is " "possible to run two or more units within the same private IPC namespace by " "using the I directive, see B(5) for " "details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that IPC namespacing does not have an effect on B sockets, " "which are the most common form of IPC used on Linux\\&. Instead, B " "sockets in the file system are subject to mount namespacing, and those in " "the abstract namespace are subject to network namespacing\\&. IPC " "namespacing only has an effect on SysV IPC (which is mostly legacy) as well " "as POSIX message queues (for which B/B sockets are " "typically a better replacement)\\&. IPC namespacing also has no effect on " "POSIX shared memory (which is subject to mount namespacing) either\\&. See " "B(7) for the details\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that the implementation of this setting might be impossible (for " "example if IPC namespaces are not available), and the unit should be written " "in a way that does not solely rely on this setting for security\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes an absolute file system path referring to a Linux IPC namespace pseudo-" "file (i\\&.e\\&. a file like /proc/$PID/ns/ipc or a bind mount or symlink to " "one)\\&. When set the invoked processes are added to the network namespace " "referenced by that path\\&. The path has to point to a valid namespace file " "at the moment the processes are forked off\\&. If this option is used " "I has no effect\\&. If this option is used together with " "I then it only has an effect if this unit is started " "before any of the listed units that have I or " "I configured, as otherwise the network namespace of those " "units is reused\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. When set, it enables KSM (kernel samepage " "merging) for the processes\\&. KSM is a memory-saving de-duplication " "feature\\&. Anonymous memory pages with identical content can be replaced by " "a single write-protected page\\&. This feature should only be enabled for " "jobs that share the same security domain\\&. For details, see " "\\m[blue]B\\m[]\\&\\s-2\\u[7]\\d\\s+2 in the kernel " "documentation\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Note that this functionality might not be available, for example if KSM is " "disabled in the kernel, or the kernel doesn\\*(Aqt support controlling KSM " "at the process level through B(2)\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, sets up a new user namespace for the " "executed processes and configures a minimal user and group mapping, that " "maps the \"root\" user and group as well as the unit\\*(Aqs own user and " "group to themselves and everything else to the \"nobody\" user and group\\&. " "This is useful to securely detach the user and group databases used by the " "unit from the rest of the system, and thus to create an effective sandbox " "environment\\&. All files, directories, processes, IPC objects and other " "resources owned by users/groups not equaling \"root\" or the unit\\*(Aqs own " "will stay visible from within the unit but appear owned by the \"nobody\" " "user and group\\&. If this mode is enabled, all unit processes are run " "without privileges in the host user namespace (regardless if the unit\\*(Aqs " "own user/group is \"root\" or not)\\&. Specifically this means that the " "process will have zero process capabilities on the host\\*(Aqs user " "namespace, but full capabilities within the service\\*(Aqs user " "namespace\\&. Settings such as I will affect only " "the latter, and there\\*(Aqs no way to acquire additional capabilities in " "the host\\*(Aqs user namespace\\&. Defaults to off\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When this setting is set up by a per-user instance of the service manager, " "the mapping of the \"root\" user and group to itself is omitted (unless the " "user manager is root)\\&. Additionally, in the per-user instance manager " "case, the user namespace will be set up before most other namespaces\\&. " "This means that combining IB with other namespaces will " "enable use of features not normally supported by the per-user instances of " "the service manager\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This setting is particularly useful in conjunction with I/" "I, as the need to synchronize the user and group databases in " "the root directory and on the host is reduced, as the only users and groups " "who need to be matched are \"root\", \"nobody\" and the unit\\*(Aqs own user " "and group\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that the implementation of this setting might be impossible (for " "example if user namespaces are not available), and the unit should be " "written in a way that does not solely rely on this setting for security\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. When set, sets up a new UTS namespace for the " "executed processes\\&. In addition, changing hostname or domainname is " "prevented\\&. Defaults to off\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that the implementation of this setting might be impossible (for " "example if UTS namespaces are not available), and the unit should be written " "in a way that does not solely rely on this setting for security\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that when this option is enabled for a service hostname changes no " "longer propagate from the system into the service, it is hence not suitable " "for services that need to take notice of system hostname changes " "dynamically\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If set, writes to the hardware clock or system " "clock will be denied\\&. Defaults to off\\&. Enabling this option removes " "B and B from the capability bounding set for " "this unit, installs a system call filter to block calls that can set the " "clock, and I is implied\\&. Note that the system " "calls are blocked altogether, the filter does not take into account that " "some of the calls can be used to read the clock state with some parameter " "combinations\\&. Effectively, /dev/rtc0, /dev/rtc1, etc\\&. are made read-" "only to the service\\&. See B(5) for the details " "about I\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "It is recommended to turn this on for most services that do not need modify " "the clock or check its state\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 245\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, kernel variables accessible through /" "proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /" "proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all " "processes of the unit\\&. Usually, tunable kernel variables should be " "initialized only at boot-time, for example with the B(5) " "mechanism\\&. Few services need to write to these at runtime; it is hence " "recommended to turn this on for most services\\&. For this setting the same " "restrictions regarding mount propagation and privileges apply as for " "I and related calls, see above\\&. Defaults to off\\&. Note " "that this option does not prevent indirect changes to kernel tunables " "effected by IPC calls to other processes\\&. However, I " "may be used to make relevant IPC file system objects inaccessible\\&. If " "I is set, I is implied\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, explicit module loading will be " "denied\\&. This allows module load and unload operations to be turned off on " "modular kernels\\&. It is recommended to turn this on for most services that " "do not need special file systems or extra kernel modules to work\\&. " "Defaults to off\\&. Enabling this option removes B from the " "capability bounding set for the unit, and installs a system call filter to " "block module system calls, also /usr/lib/modules is made inaccessible\\&. " "For this setting the same restrictions regarding mount propagation and " "privileges apply as for I and related calls, see above\\&. " "Note that limited automatic module loading due to user configuration or " "kernel mapping tables might still happen as side effect of requested user " "operations, both privileged and unprivileged\\&. To disable module auto-load " "feature please see B(5) B mechanism " "and /proc/sys/kernel/modules_disabled documentation\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, access to the kernel log ring buffer " "will be denied\\&. It is recommended to turn this on for most services that " "do not need to read from or write to the kernel log ring buffer\\&. Enabling " "this option removes B from the capability bounding set for this " "unit, and installs a system call filter to block the B(2) system " "call (not to be confused with the libc API B(3) for userspace " "logging)\\&. The kernel exposes its log buffer to userspace via /dev/kmsg " "and /proc/kmsg\\&. If enabled, these are made inaccessible to all the " "processes in the unit\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If true, the Linux Control Groups " "(B(7)) hierarchies accessible through /sys/fs/cgroup/ will be made " "read-only to all processes of the unit\\&. Except for container managers no " "services should require write access to the control groups hierarchies; it " "is hence recommended to turn this on for most services\\&. For this setting " "the same restrictions regarding mount propagation and privileges apply as " "for I and related calls, see above\\&. Defaults to off\\&. " "If I is set, I is implied\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Restricts the set of socket address families accessible to the processes of " "this unit\\&. Takes \"none\", or a space-separated list of address family " "names to allow-list, such as B, B or B\\&. When " "\"none\" is specified, then all address families will be denied\\&. When " "prefixed with \"~\" the listed address families will be applied as deny " "list, otherwise as allow list\\&. Note that this restricts access to the " "B(2) system call only\\&. Sockets passed into the process by other " "means (for example, by using socket activation with socket units, see " "B(5)) are unaffected\\&. Also, sockets created with " "B (which creates connected AF_UNIX sockets only) are " "unaffected\\&. Note that this option has no effect on 32-bit x86, s390, " "s390x, mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works " "correctly on other ABIs, including x86-64)\\&. Note that on systems " "supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off " "alternative ABIs for services, so that they cannot be used to circumvent the " "restrictions of this option\\&. Specifically, it is recommended to combine " "this option with I or similar\\&. By " "default, no restrictions apply, all address families are accessible to " "processes\\&. If assigned the empty string, any previous address family " "restriction changes are undone\\&. This setting does not affect commands " "prefixed with \"+\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Use this option to limit exposure of processes to remote access, in " "particular via exotic and sensitive network protocols, such as " "B\\&. Note that in most cases, the local B address " "family should be included in the configured allow list as it is frequently " "used for local communication, including for B(2) logging\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Restricts the set of filesystems processes of this unit can open files " "on\\&. Takes a space-separated list of filesystem names\\&. Any filesystem " "listed is made accessible to the unit\\*(Aqs processes, access to filesystem " "types not listed is prohibited (allow-listing)\\&. If the first character of " "the list is \"~\", the effect is inverted: access to the filesystems listed " "is prohibited (deny-listing)\\&. If the empty string is assigned, access to " "filesystems is not restricted\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If you specify both types of this option (i\\&.e\\&. allow-listing and deny-" "listing), the first encountered will take precedence and will dictate the " "default action (allow access to the filesystem or deny it)\\&. Then the next " "occurrences of this option will add or delete the listed filesystems from " "the set of the restricted filesystems, depending on its type and the default " "action\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "RestrictFileSystems=ext4 tmpfs\n" "RestrictFileSystems=ext2 ext4\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "then access to B, B, and B is allowed and access to other " "filesystems is denied\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "RestrictFileSystems=ext4 tmpfs\n" "RestrictFileSystems=~ext4\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "then only access B is allowed\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "RestrictFileSystems=~ext4 tmpfs\n" "RestrictFileSystems=ext4\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "then only access to B is denied\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "As the number of possible filesystems is large, predefined sets of " "filesystems are provided\\&. A set starts with \"@\" character, followed by " "name of the set\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Set" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Description" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "l l" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "l l." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@basic-api" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Basic filesystem API\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@auxiliary-api" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Auxiliary filesystem API\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@common-block" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Common block device filesystems\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@historical-block" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Historical block device filesystems\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@network" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Well-known network filesystems\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@privileged-api" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Privileged filesystem API\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@temporary" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Temporary filesystems: tmpfs, ramfs\\&." msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@known" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "All known filesystems defined by the kernel\\&. This list is defined statically in systemd based on a kernel version that was available when this systemd version was released\\&. It will become progressively more out-of-date as the kernel is updated\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Use B(1)\\*(Aqs B command to retrieve a list " "of filesystems defined on the local system\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that this setting might not be supported on some systems (for example " "if the LSM eBPF hook is not enabled in the underlying kernel or if not using " "the unified control group hierarchy)\\&. In that case this setting has no " "effect\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This option cannot be bypassed by prefixing \"+\" to the executable path in " "the service unit, as it applies to the whole control group\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Restricts access to Linux namespace functionality for the processes of this " "unit\\&. For details about Linux namespaces, see B(7)\\&. Either " "takes a boolean argument, or a space-separated list of namespace type " "identifiers\\&. If false (the default), no restrictions on namespace " "creation and switching are made\\&. If true, access to any kind of " "namespacing is prohibited\\&. Otherwise, a space-separated list of namespace " "type identifiers must be specified, consisting of any combination of: " "B, B, B, B, B, B and B\\&. Any " "namespace type listed is made accessible to the unit\\*(Aqs processes, " "access to namespace types not listed is prohibited (allow-listing)\\&. By " "prepending the list with a single tilde character (\"~\") the effect may be " "inverted: only the listed namespace types will be made inaccessible, all " "unlisted ones are permitted (deny-listing)\\&. If the empty string is " "assigned, the default namespace restrictions are applied, which is " "equivalent to false\\&. This option may appear more than once, in which case " "the namespace types are merged by B, or by B if the lines are " "prefixed with \"~\" (see examples below)\\&. Internally, this setting limits " "access to the B(2), B(2) and B(2) system calls, " "taking the specified flags parameters into account\\&. Note that \\(em if " "this option is used \\(em in addition to restricting creation and switching " "of the specified types of namespaces (or all of them, if true) access to the " "B system call with a zero flags parameter is prohibited\\&. This " "setting is only supported on x86, x86-64, mips, mips-le, mips64, mips64-le, " "mips64-n32, mips64-le-n32, ppc64, ppc64-le, s390 and s390x, and enforces no " "restrictions on other architectures\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "RestrictNamespaces=cgroup ipc\n" "RestrictNamespaces=cgroup net\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "then B, B, and B are set\\&. If the second line is " "prefixed with \"~\", e\\&.g\\&.," msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "" "RestrictNamespaces=cgroup ipc\n" "RestrictNamespaces=~cgroup net\n" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "then, only B is set\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If set, locks down the B(2) " "system call so that the kernel execution domain may not be changed from the " "default or the personality selected with I directive\\&. This " "may be useful to improve security, because odd personality emulations may be " "poorly tested and source of vulnerabilities\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If set, attempts to create memory mappings that " "are writable and executable at the same time, or to change existing memory " "mappings to become executable, or mapping shared memory segments as " "executable, are prohibited\\&. Specifically, a system call filter is added " "(or preferably, an equivalent kernel check is enabled with B(2)) that " "rejects B(2) system calls with both B and B " "set, B(2) or B(2) system calls with B " "set and B(2) system calls with B set\\&. Note that this " "option is incompatible with programs and libraries that generate program " "code dynamically at runtime, including JIT execution engines, executable " "stacks, and code \"trampoline\" feature of various C compilers\\&. This " "option improves service security, as it makes harder for software exploits " "to change running code dynamically\\&. However, the protection can be " "circumvented, if the service can write to a filesystem, which is not mounted " "with B (such as /dev/shm), or it can use B\\&. This " "can be prevented by making such file systems inaccessible to the service " "(e\\&.g\\&. I) and installing further system " "call filters (I)\\&. Note that this feature " "is fully available on x86-64, and partially on x86\\&. Specifically, the " "B protection is not available on x86\\&. Note that on systems " "supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off " "alternative ABIs for services, so that they cannot be used to circumvent the " "restrictions of this option\\&. Specifically, it is recommended to combine " "this option with I or similar\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If set, any attempts to enable realtime " "scheduling in a process of the unit are refused\\&. This restricts access to " "realtime task scheduling policies such as B, B or " "B\\&. See B(7) for details about these scheduling " "policies\\&. Realtime scheduling policies may be used to monopolize CPU time " "for longer periods of time, and may hence be used to lock up or otherwise " "trigger Denial-of-Service situations on the system\\&. It is hence " "recommended to restrict access to realtime scheduling to the few programs " "that actually require them\\&. Defaults to off\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a boolean argument\\&. If set, any attempts to set the set-user-ID " "(SUID) or set-group-ID (SGID) bits on files or directories will be denied " "(for details on these bits see B(7))\\&. As the SUID/SGID bits are " "mechanisms to elevate privileges, and allow users to acquire the identity of " "other users, it is recommended to restrict creation of SUID/SGID files to " "the few programs that actually require them\\&. Note that this restricts " "marking of any type of file system object with these bits, including both " "regular files and directories (where the SGID is a different meaning than " "for files, see documentation)\\&. This option is implied if I " "is enabled\\&. Defaults to off\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean parameter\\&. If set, all System V and POSIX IPC objects " "owned by the user and group the processes of this unit are run as are " "removed when the unit is stopped\\&. This setting only has an effect if at " "least one of I, I and I are used\\&. It has no " "effect on IPC objects owned by the root user\\&. Specifically, this removes " "System V semaphores, as well as System V and POSIX shared memory segments " "and message queues\\&. If multiple units use the same user or group the IPC " "objects are removed when the last of these units is stopped\\&. This setting " "is implied if I is set\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a boolean parameter\\&. If set, the processes of this unit will be run " "in their own private file system (mount) namespace with all mount " "propagation from the processes towards the host\\*(Aqs main file system " "namespace turned off\\&. This means any file system mount points established " "or removed by the unit\\*(Aqs processes will be private to them and not be " "visible to the host\\&. However, file system mount points established or " "removed on the host will be propagated to the unit\\*(Aqs processes\\&. See " "B(7) for details on file system namespaces\\&. Defaults " "to off\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "When turned on, this executes three operations for each invoked process: a " "new B namespace is created, after which all existing mounts are " "remounted to B to disable propagation from the unit\\*(Aqs " "processes to the host (but leaving propagation in the opposite direction in " "effect)\\&. Finally, the mounts are remounted again to the propagation mode " "configured with I, see below\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "File system namespaces are set up individually for each process forked off " "by the service manager\\&. Mounts established in the namespace of the " "process created by I will hence be cleaned up automatically " "as soon as that process exits and will not be available to subsequent " "processes forked off for I (and similar applies to the various " "other commands configured for units)\\&. Similarly, I " "does not permit sharing kernel mount namespaces between units, it only " "enables sharing of the /tmp/ and /var/tmp/ directories\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm fedora-40 mageia-cauldron opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Other file system namespace unit settings \\(em I, " "I, I, I, I, " "I, I, I, \\&... \\(em " "also enable file system namespacing in a fashion equivalent to this " "option\\&. Hence it is primarily useful to explicitly request this behaviour " "if none of the other settings are used\\&." msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "Added in version 239\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Takes a mount propagation setting: B, B or B, which " "controls whether file system mount points in the file system namespaces set " "up for this unit\\*(Aqs processes will receive or propagate mounts and " "unmounts from other file system namespaces\\&. See B(2) for details " "on mount propagation, and the three propagation flags in particular\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "This setting only controls the I propagation setting in effect on all " "mount points of the file system namespace created for each process of this " "unit\\&. Other file system namespacing unit settings (see the discussion in " "I above) will implicitly disable mount and unmount " "propagation from the unit\\*(Aqs processes towards the host by changing the " "propagation setting of all mount points in the unit\\*(Aqs file system " "namespace to B first\\&. Setting this option to B does not " "reestablish propagation in that case\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If not set \\(en but file system namespaces are enabled through another file " "system namespace unit setting \\(en B mount propagation is used, but " "\\(em as mentioned \\(em as B is applied first, propagation from the " "unit\\*(Aqs processes to the host is still turned off\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "It is not recommended to use B mount propagation for units, as this " "means temporary mounts (such as removable media) of the host will stay " "mounted and thus indefinitely busy in forked off processes, as unmount " "propagation events won\\*(Aqt be received by the file system namespace of " "the unit\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Usually, it is best to leave this setting unmodified, and use higher level " "file system namespacing options instead, in particular I, " "see above\\&." msgstr "" #. type: SH #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "SYSTEM CALL FILTERING" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "I" msgstr "" #. type: Plain text #: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron #: opensuse-tumbleweed msgid "" "Takes a space-separated list of system call names\\&. If this setting is " "used, all system calls executed by the unit processes except for the listed " "ones will result in immediate process termination with the B signal " "(allow-listing)\\&. (See I below for changing the " "default action)\\&. If the first character of the list is \"~\", the effect " "is inverted: only the listed system calls will result in immediate process " "termination (deny-listing)\\&. Deny-listed system calls and system call " "groups may optionally be suffixed with a colon (\":\") and \"errno\" error " "number (between 0 and 4095) or errno name such as B, B or " "B (see B(3) for a full list)\\&. This value will be " "returned when a deny-listed system call is triggered, instead of terminating " "the processes immediately\\&. Special setting \"kill\" can be used to " "explicitly specify killing\\&. This value takes precedence over the one " "given in I, see below\\&. This feature makes use of " "the Secure Computing Mode 2 interfaces of the kernel (\\*(Aqseccomp " "filtering\\*(Aq) and is useful for enforcing a minimal sandboxing " "environment\\&. Note that the B, B, B, " "B, B, B system calls and the " "system calls for querying time and sleeping are implicitly allow-listed and " "do not need to be listed explicitly\\&. This option may be specified more " "than once, in which case the filter masks are merged\\&. If the empty string " "is assigned, the filter is reset, all prior assignments will have no " "effect\\&. This does not affect commands prefixed with \"+\"\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that on systems supporting multiple ABIs (such as x86/x86-64) it is " "recommended to turn off alternative ABIs for services, so that they cannot " "be used to circumvent the restrictions of this option\\&. Specifically, it " "is recommended to combine this option with I " "or similar\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Note that strict system call filters may impact execution and error handling " "code paths of the service invocation\\&. Specifically, access to the " "B system call is required for the execution of the service binary " "\\(em if it is blocked service invocation will necessarily fail\\&. Also, if " "execution of the service binary fails for some reason (for example: missing " "service executable), the error handling logic might require access to an " "additional set of system calls in order to process and log this failure " "correctly\\&. It might be necessary to temporarily disable system call " "filters in order to simplify debugging of such failures\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "If you specify both types of this option (i\\&.e\\&. allow-listing and deny-" "listing), the first encountered will take precedence and will dictate the " "default action (termination or approval of a system call)\\&. Then the next " "occurrences of this option will add or delete the listed system calls from " "the set of the filtered system calls, depending of its type and the default " "action\\&. (For example, if you have started with an allow list rule for " "B and B, and right after it add a deny list rule for " "B, then B will be removed from the set\\&.)" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "As the number of possible system calls is large, predefined sets of system " "calls are provided\\&. A set starts with \"@\" character, followed by name " "of the set\\&." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "B" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@aio" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Asynchronous I/O (B(2), B(2), and related calls)" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@basic-io" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "System calls for basic I/O: reading, writing, seeking, file descriptor duplication and closing (B(2), B(2), and related calls)" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@chown" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Changing file ownership (B(2), B(2), and related calls)" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@clock" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "System calls for changing the system clock (B(2), B(2), and related calls)" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@cpu-emulation" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "System calls for CPU emulation functionality (B(2) and related calls)" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@debug" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Debugging, performance monitoring and tracing functionality (B(2), B(2) and related calls)" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@file-system" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "File system operations: opening, creating files and directories for read and write, renaming and removing them, reading file properties, or creating hard and symbolic links" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "@io-event" msgstr "" #. type: tbl table #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Event loop system calls (B(2), B