# systemd unit template for php-fpm; the @...@ tokens are build-time substitution
# placeholders (presumably filled in by the package build - verify against the recipe).
# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades. If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=The PHP FastCGI Process Manager
# Ordering only: start after network.target is reached. After= does not pull
# the target in; it only sequences startup relative to it.
After=network.target

[Service]
# Type=simple expects the started process to stay in the foreground and treats
# it as the main PID.
Type=simple
PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid
# --nodaemonize keeps php-fpm in the foreground, matching Type=simple above.
ExecStart=@SBINDIR@/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf
# Reload is a USR2 to the main PID; see the php-fpm documentation for what
# that signal triggers in the master process.
ExecReload=@BINDIR@/kill -USR2 $MAINPID

# --- Sandboxing / hardening (systemd.exec(5)) -------------------------------

# Set up a new file system namespace and mount private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
# Note that /var and /home remain writable/readable at this level ("full", not "strict").
ProtectSystem=full

# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true

# Explicit module loading will be denied. This allows turning off module load and unload
# operations on modular kernels. It is recommended to turn this on for most services that
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
# made read-only to all processes of the unit. Except for container managers no services should
# require write access to the control groups hierarchies; it is hence recommended to turn this on
# for most services.
ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true

# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655.
# AF_NETLINK is included here; if no pool needs it, dropping it tightens the allow-list -
# confirm against deployments before changing.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

# Takes away the ability to create or manage any kind of namespace.
RestrictNamespaces=true

# NOTE(review): ProtectHome=, NoNewPrivileges= and SystemCallFilter= are not set, so the
# service can still read home directories and executed binaries may gain privileges via
# setuid. They are the usual next hardening steps, but each can break existing pools
# (e.g. sites served from /home); validate against real deployments before adding them,
# ideally via a "systemctl edit" drop-in rather than this template.

[Install]
# Pulled in by the default multi-user boot target once the unit is enabled.
WantedBy=multi-user.target