| # It's not recommended to modify this file in-place, because it |
| # will be overwritten during upgrades. If you want to customize, |
| # the best way is to use the "systemctl edit" command. |
| |
| [Unit] |
| Description=The PHP FastCGI Process Manager |
| After=network.target |
| |
| [Service] |
| Type=simple |
| PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid |
| ExecStart=@SBINDIR@/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf |
| ExecReload=@BINDIR@/kill -USR2 $MAINPID |
| |
| # Set up a new file system namespace and mounts private /tmp and /var/tmp directories |
| # so this service cannot access the global directories and other processes cannot |
| # access this service's directories. |
| PrivateTmp=true |
| |
| # Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit. |
| ProtectSystem=full |
| |
| # Sets up a new /dev namespace for the executed processes and only adds API pseudo devices |
| # such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, |
| # but no physical devices such as /dev/sda. |
| PrivateDevices=true |
| |
| # Explicit module loading will be denied. This allows to turn off module load and unload |
| # operations on modular kernels. It is recommended to turn this on for most services that |
| # do not need special file systems or extra kernel modules to work. |
| ProtectKernelModules=true |
| |
| # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats, |
| # /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes |
| # of the unit. Usually, tunable kernel variables should only be written at boot-time, with the |
| # sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence |
| # recommended to turn this on for most services. |
| ProtectKernelTunables=true |
| |
| # The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be |
| # made read-only to all processes of the unit. Except for container managers no services should |
| # require write access to the control groups hierarchies; it is hence recommended to turn this on |
| # for most services |
| ProtectControlGroups=true |
| |
| # Any attempts to enable realtime scheduling in a process of the unit are refused. |
| RestrictRealtime=true |
| |
| # Restricts the set of socket address families accessible to the processes of this unit. |
| # Protects against vulnerabilities such as CVE-2016-8655 |
| RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX |
| |
| # Takes away the ability to create or manage any kind of namespace |
| RestrictNamespaces=true |
| |
| [Install] |
| WantedBy=multi-user.target |