xref: /PHP-8.0/sapi/fpm/php-fpm.service.in (revision 578a8113)
1# It's not recommended to modify this file in-place, because it
2# will be overwritten during upgrades.  If you want to customize,
3# the best way is to use the "systemctl edit" command.
4
5[Unit]
6Description=The PHP FastCGI Process Manager
7After=network.target
8
9[Service]
10Type=@php_fpm_systemd@
11PIDFile=@EXPANDED_LOCALSTATEDIR@/run/php-fpm.pid
12ExecStart=@EXPANDED_SBINDIR@/php-fpm --nodaemonize --fpm-config @EXPANDED_SYSCONFDIR@/php-fpm.conf
13ExecReload=/bin/kill -USR2 $MAINPID
14
15# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
16# so this service cannot access the global directories and other processes cannot
17# access this service's directories.
18PrivateTmp=true
19
20# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
21ProtectSystem=full
22
23# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
24# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
25# but no physical devices such as /dev/sda.
26PrivateDevices=true
27
28# Explicit module loading will be denied. This allows to turn off module load and unload
29# operations on modular kernels. It is recommended to turn this on for most services that
30# do not need special file systems or extra kernel modules to work.
31ProtectKernelModules=true
32
33# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
34# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
35# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
36# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
37# recommended to turn this on for most services.
38ProtectKernelTunables=true
39
40# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
41# made read-only to all processes of the unit. Except for container managers no services should
42# require write access to the control groups hierarchies; it is hence recommended to turn this on
43# for most services
44ProtectControlGroups=true
45
46# Any attempts to enable realtime scheduling in a process of the unit are refused.
47RestrictRealtime=true
48
49# Restricts the set of socket address families accessible to the processes of this unit.
50# Protects against vulnerabilities such as CVE-2016-8655
51RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
52
53# Takes away the ability to create or manage any kind of namespace
54RestrictNamespaces=true
55
56[Install]
57WantedBy=multi-user.target
58