# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# Unit template for the journal daemon. The {{...}} tokens are build-time
# placeholders; their expanded values are not visible in this file.

[Unit]
Description=Journal Service
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
# Opt out of the implicit dependencies that ordinary services receive; the
# ordering this unit needs is spelled out explicitly below.
DefaultDependencies=no
Requires=systemd-journald.socket
After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket
Before=sysinit.target

[Service]
# Device cgroup policy: only character devices, read/write. The "m" (mknod)
# permission is not granted and no block devices are listed.
DeviceAllow=char-* rw
ExecStart={{ROOTLIBEXECDIR}}/systemd-journald
# Upper bound on file descriptors the daemon may hand to the service manager
# for safekeeping, so they survive a restart of the service.
FileDescriptorStoreMax=4224
# Network isolation, layer 1: drop all IPv4/IPv6 traffic for this unit.
IPAddressDeny=any
# Forbid changing the execution domain via personality(2).
LockPersonality=yes
# Forbid memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
# execve() can never grant more privileges (setuid/setgid bits, file caps).
NoNewPrivileges=yes
# Negative value: make the kernel OOM killer less likely to pick this process.
OOMScoreAdjust=-250
# Deny writes to the system and hardware clocks.
ProtectClock=yes
# Restart unconditionally and without delay.
Restart=always
RestartSec=0
# Network isolation, layer 2: only AF_UNIX and AF_NETLINK sockets may be
# created; every other address family is refused.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
# No creation of, or switching into, other namespaces.
RestrictNamespaces=yes
# No realtime scheduling policies.
RestrictRealtime=yes
# Deny setting the set-user-ID / set-group-ID bits on files.
RestrictSUIDSGID=yes
# Directory created below the runtime directory root (/run for the system
# manager) and kept in place when the service stops or restarts.
RuntimeDirectory=systemd/journal
RuntimeDirectoryPreserve=yes
# Socket units whose file descriptors are passed to this service.
Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
StandardOutput=null
# Seccomp policy: native-ABI system calls only, restricted to the
# @system-service allow-list. A filtered call fails with EPERM instead of
# terminating the process.
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
# Build-time placeholder; presumably expands to the watchdog setting for this
# service, or to nothing - TODO confirm against the build configuration.
{{SERVICE_WATCHDOG}}

# In case you're wondering why CAP_SYS_PTRACE is needed, access to
# /proc/<pid>/exe requires this capability. Thus if this capability is missing
# the _EXE=/OBJECT_EXE= fields will be missing from the journal entries.
#
# NOTE(review): no User= is set in this unit, and the bounding set below keeps
# CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE and CAP_SETUID/CAP_SETGID.
# The filters above narrow the attack surface but do not make this a
# low-privilege service; treat any addition to this list, and any drop-in that
# relaxes the directives above, as a security-relevant change.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE

# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}