1# It's not recommended to modify this file in-place, because it 2# will be overwritten during upgrades. If you want to customize, 3# the best way is to use the "systemctl edit" command. 4 5[Unit] 6Description=The PHP FastCGI Process Manager 7After=network.target 8 9[Service] 10Type=simple 11PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid 12ExecStart=@SBINDIR@/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf 13ExecReload=@BINDIR@/kill -USR2 $MAINPID 14 15# Set up a new file system namespace and mounts private /tmp and /var/tmp directories 16# so this service cannot access the global directories and other processes cannot 17# access this service's directories. 18PrivateTmp=true 19 20# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit. 21ProtectSystem=full 22 23# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices 24# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, 25# but no physical devices such as /dev/sda. 26PrivateDevices=true 27 28# Explicit module loading will be denied. This allows to turn off module load and unload 29# operations on modular kernels. It is recommended to turn this on for most services that 30# do not need special file systems or extra kernel modules to work. 31ProtectKernelModules=true 32 33# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats, 34# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes 35# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the 36# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence 37# recommended to turn this on for most services. 38ProtectKernelTunables=true 39 40# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be 41# made read-only to all processes of the unit. Except for container managers no services should 42# require write access to the control groups hierarchies; it is hence recommended to turn this on 43# for most services 44ProtectControlGroups=true 45 46# Any attempts to enable realtime scheduling in a process of the unit are refused. 47RestrictRealtime=true 48 49# Restricts the set of socket address families accessible to the processes of this unit. 50# Protects against vulnerabilities such as CVE-2016-8655 51RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX 52 53# Takes away the ability to create or manage any kind of namespace 54RestrictNamespaces=true 55 56[Install] 57WantedBy=multi-user.target 58