Home Explore Help
Sign In
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
php-8.1.12
/
sapi
/
fpm
/
php-fpm.service.in

php-fpm.service.in 2.5 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. # It's not recommended to modify this file in-place, because it
    2. 

  2. # will be overwritten during upgrades.  If you want to customize,
    3. 

  3. # the best way is to use the "systemctl edit" command.
    4. 

  4. 

  5. [Unit]
    6. 

  6. Description=The PHP FastCGI Process Manager
    7. 

  7. After=network.target
    8. 

  8. 

  9. [Service]
    10. 

  10. Type=@php_fpm_systemd@
    11. 

  11. PIDFile=@EXPANDED_LOCALSTATEDIR@/run/php-fpm.pid
    12. 

  12. ExecStart=@EXPANDED_SBINDIR@/php-fpm --nodaemonize --fpm-config @EXPANDED_SYSCONFDIR@/php-fpm.conf
    13. 

  13. ExecReload=/bin/kill -USR2 $MAINPID
    14. 

  14. 

  15. # Set up a new file system namespace and mounts private /tmp and /var/tmp directories
    16. 

  16. # so this service cannot access the global directories and other processes cannot
    17. 

  17. # access this service's directories.
    18. 

  18. PrivateTmp=true
    19. 

  19. 

  20. # Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
    21. 

  21. ProtectSystem=full
    22. 

  22. 

  23. # Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
    24. 

  24. # such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
    25. 

  25. # but no physical devices such as /dev/sda.
    26. 

  26. PrivateDevices=true
    27. 

  27. 

  28. # Explicit module loading will be denied. This allows to turn off module load and unload
    29. 

  29. # operations on modular kernels. It is recommended to turn this on for most services that
    30. 

  30. # do not need special file systems or extra kernel modules to work.
    31. 

  31. ProtectKernelModules=true
    32. 

  32. 

  33. # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
    34. 

  34. # /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
    35. 

  35. # of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
    36. 

  36. # sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
    37. 

  37. # recommended to turn this on for most services.
    38. 

  38. ProtectKernelTunables=true
    39. 

  39. 

  40. # The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
    41. 

  41. # made read-only to all processes of the unit. Except for container managers no services should
    42. 

  42. # require write access to the control groups hierarchies; it is hence recommended to turn this on
    43. 

  43. # for most services
    44. 

  44. ProtectControlGroups=true
    45. 

  45. 

  46. # Any attempts to enable realtime scheduling in a process of the unit are refused.
    47. 

  47. RestrictRealtime=true
    48. 

  48. 

  49. # Restricts the set of socket address families accessible to the processes of this unit.
    50. 

  50. # Protects against vulnerabilities such as CVE-2016-8655
    51. 

  51. RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
    52. 

  52. 

  53. # Takes away the ability to create or manage any kind of namespace
    54. 

  54. RestrictNamespaces=true
    55. 

  55. 

  56. [Install]
    57. 

  57. WantedBy=multi-user.target
    58.