systemd.exec — Execution environment configuration
service.servicesocket.socketmount.mountswap.swap
Unit configuration files for services, sockets, mount points and swap devices share a subset of configuration options which define the execution environment of spawned processes.
This man page lists the configuration options shared by these four unit types. See systemd.unit(5) for the common options of all unit configuration files, and systemd.service(5), systemd.socket(5), systemd.swap(5) and systemd.mount(5) for more information on the specific unit configuration files. The execution specific configuration options are configured in the [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type.
WorkingDirectory=¶Takes an absolute directory path. Sets the working directory for executed processes. If not set defaults to the root directory when systemd is running as a system instance and the respective user's home directory if run as user.
RootDirectory=¶Takes an absolute
                                directory path. Sets the root
                                directory for executed processes, with
                                the
                                chroot(2)
                                system call. If this is used it must
                                be ensured that the process and all
                                its auxiliary files are available in
                                the chroot()
                                jail.
User=, Group=¶Sets the Unix user or group that the processes are executed as, respectively. Takes a single user or group name or ID as argument. If no group is set, the default group of the user is chosen.
SupplementaryGroups=¶Sets the supplementary Unix groups the processes are executed as. This takes a space separated list of group names or IDs. This option may be specified more than once in which case all listed groups are set as supplementary groups. When the empty string is assigned the list of supplementary groups is reset, and all assignments prior to this one will have no effect. In any way, this option does not override, but extends the list of supplementary groups configured in the system group database for the user.
Nice=¶Sets the default nice level (scheduling priority) for executed processes. Takes an integer between -20 (highest priority) and 19 (lowest priority). See setpriority(2) for details.
OOMScoreAdjust=¶Sets the adjustment level for the Out-Of-Memory killer for executed processes. Takes an integer between -1000 (to disable OOM killing for this process) and 1000 (to make killing of this process under memory pressure very likely). See proc.txt for details.
IOSchedulingClass=¶Sets the IO scheduling
                                class for executed processes. Takes an
                                integer between 0 and 3 or one of the
                                strings none,
                                realtime,
                                best-effort or
                                idle. See
                                ioprio_set(2)
                                for details.
IOSchedulingPriority=¶Sets the IO scheduling priority for executed processes. Takes an integer between 0 (highest priority) and 7 (lowest priority). The available priorities depend on the selected IO scheduling class (see above). See ioprio_set(2) for details.
CPUSchedulingPolicy=¶Sets the CPU
                                scheduling policy for executed
                                processes. Takes one of
                                other,
                                batch,
                                idle,
                                fifo or
                                rr. See
                                sched_setscheduler(2)
                                for details.
CPUSchedulingPriority=¶Sets the CPU scheduling priority for executed processes. The available priority range depends on the selected CPU scheduling policy (see above). For real-time scheduling policies an integer between 1 (lowest priority) and 99 (highest priority) can be used. See sched_setscheduler(2) for details.
CPUSchedulingResetOnFork=¶Takes a boolean argument. If true elevated CPU scheduling priorities and policies will be reset when the executed processes fork, and can hence not leak into child processes. See sched_setscheduler(2) for details. Defaults to false.
CPUAffinity=¶Controls the CPU affinity of the executed processes. Takes a space-separated list of CPU indexes. This option may be specified more than once in which case the specificed CPU affinity masks are merged. If the empty string is assigned the mask is reset, all assignments prior to this will have no effect. See sched_setaffinity(2) for details.
UMask=¶Controls the file mode creation mask. Takes an access mode in octal notation. See umask(2) for details. Defaults to 0022.
Environment=¶Sets environment variables for executed processes. Takes a space-separated list of variable assignments. This option may be specified more than once in which case all listed variables will be set. If the same variable is set twice the later setting will override the earlier setting. If the empty string is assigned to this option the list of environment variables is reset, all prior assignments have no effect. Variable expansion is not performed inside the strings, and $ has no special meaning. If you need to assign a value containing spaces to a variable, use double quotes (") for the assignment.
Example:
Environment="VAR1=word1 word2" VAR2=word3 "VAR3=word 5 6"
                                gives three variables VAR1,
                                VAR2, VAR3.
                                
See environ(7) for details about environment variables.
EnvironmentFile=¶Similar to
                                Environment= but
                                reads the environment variables from a
                                text file. The text file should
                                contain new-line separated variable
                                assignments. Empty lines and lines
                                starting with ; or # will be ignored,
                                which may be used for commenting. A line
                                ending with a backslash will be concatenated
                                with the following one, allowing multiline variable
                                definitions. The parser strips leading
                                and trailing whitespace from the values
                                of assignments, unless you use
                                double quotes (").
The argument passed should be an absolute file name or wildcard expression, optionally prefixed with "-", which indicates that if the file does not exist it won't be read and no error or warning message is logged. This option may be specified more than once in which case all specified files are read. If the empty string is assigned to this option the list of file to read is reset, all prior assignments have no effect.
The files listed with this
                                directive will be read shortly before
                                the process is executed. Settings from
                                these files override settings made
                                with
                                Environment=. If
                                the same variable is set twice from
                                these files the files will be read in
                                the order they are specified and the
                                later setting will override the
                                earlier setting.
StandardInput=¶Controls where file
                                descriptor 0 (STDIN) of the executed
                                processes is connected to. Takes one
                                of null,
                                tty,
                                tty-force,
                                tty-fail or
                                socket. If
                                null is selected
                                standard input will be connected to
                                /dev/null,
                                i.e. all read attempts by the process
                                will result in immediate EOF. If
                                tty is selected
                                standard input is connected to a TTY
                                (as configured by
                                TTYPath=, see
                                below) and the executed process
                                becomes the controlling process of the
                                terminal. If the terminal is already
                                being controlled by another process the
                                executed process waits until the current
                                controlling process releases the
                                terminal.
                                tty-force
                                is similar to tty,
                                but the executed process is forcefully
                                and immediately made the controlling
                                process of the terminal, potentially
                                removing previous controlling
                                processes from the
                                terminal. tty-fail is
                                similar to tty but if
                                the terminal already has a controlling
                                process start-up of the executed
                                process fails.  The
                                socket option is only
                                valid in socket-activated services,
                                and only when the socket configuration
                                file (see
                                systemd.socket(5)
                                for details) specifies a single socket
                                only. If this option is set standard
                                input will be connected to the socket
                                the service was activated from, which
                                is primarily useful for compatibility
                                with daemons designed for use with the
                                traditional
                                inetd(8)
                                daemon. This setting defaults to
                                null.
StandardOutput=¶Controls where file
                                descriptor 1 (STDOUT) of the executed
                                processes is connected to. Takes one
                                of inherit,
                                null,
                                tty,
                                syslog,
                                kmsg,
                                journal,
                                syslog+console,
                                kmsg+console,
                                journal+console or
                                socket. If set to
                                inherit the file
                                descriptor of standard input is
                                duplicated for standard output. If set
                                to null standard
                                output will be connected to
                                /dev/null,
                                i.e. everything written to it will be
                                lost. If set to tty
                                standard output will be connected to a
                                tty (as configured via
                                TTYPath=, see
                                below). If the TTY is used for output
                                only the executed process will not
                                become the controlling process of the
                                terminal, and will not fail or wait
                                for other processes to release the
                                terminal. syslog
                                connects standard output to the
                                syslog(3)
                                system syslog
                                service. kmsg
                                connects it with the kernel log buffer
                                which is accessible via
                                dmesg(1). journal
                                connects it with the journal which is
                                accessible via
                                journalctl(1)
                                (Note that everything that is written
                                to syslog or kmsg is implicitly stored
                                in the journal as well, those options
                                are hence supersets of this
                                one). syslog+console,
                                journal+console and
                                kmsg+console work
                                similarly but copy the output to the
                                system console as
                                well. socket connects
                                standard output to a socket from
                                socket activation, semantics are
                                similar to the respective option of
                                StandardInput=.
                                This setting defaults to the value set
                                with
                                DefaultStandardOutput=
                                in
                                systemd-system.conf(5),
                                which defaults to
                                journal.
StandardError=¶Controls where file
                                descriptor 2 (STDERR) of the executed
                                processes is connected to. The
                                available options are identical to
                                those of
                                StandardOutput=,
                                with one exception: if set to
                                inherit the file
                                descriptor used for standard output is
                                duplicated for standard error. This
                                setting defaults to the value set with
                                DefaultStandardError=
                                in
                                systemd-system.conf(5),
                                which defaults to
                                inherit.
TTYPath=¶Sets the terminal
                                device node to use if standard input,
                                output or stderr are connected to a
                                TTY (see above). Defaults to
                                /dev/console.
TTYReset=¶Reset the terminal
                                device specified with
                                TTYPath= before and
                                after execution. Defaults to
                                no.
TTYVHangup=¶Disconnect all clients
                                which have opened the terminal device
                                specified with
                                TTYPath=
                                before and after execution. Defaults
                                to
                                no.
TTYVTDisallocate=¶If the terminal
                                device specified with
                                TTYPath= is a
                                virtual console terminal try to
                                deallocate the TTY before and after
                                execution. This ensures that the
                                screen and scrollback buffer is
                                cleared. Defaults to
                                no.
SyslogIdentifier=¶Sets the process name
                                to prefix log lines sent to syslog or
                                the kernel log buffer with. If not set
                                defaults to the process name of the
                                executed process. This option is only
                                useful when
                                StandardOutput= or
                                StandardError= are
                                set to syslog or
                                kmsg.
SyslogFacility=¶Sets the syslog
                                facility to use when logging to
                                syslog. One of kern,
                                user,
                                mail,
                                daemon,
                                auth,
                                syslog,
                                lpr,
                                news,
                                uucp,
                                cron,
                                authpriv,
                                ftp,
                                local0,
                                local1,
                                local2,
                                local3,
                                local4,
                                local5,
                                local6 or
                                local7. See
                                syslog(3)
                                for details. This option is only
                                useful when
                                StandardOutput= or
                                StandardError= are
                                set to syslog.
                                Defaults to
                                daemon.
SyslogLevel=¶Default syslog level
                                to use when logging to syslog or the
                                kernel log buffer. One of
                                emerg,
                                alert,
                                crit,
                                err,
                                warning,
                                notice,
                                info,
                                debug. See
                                syslog(3)
                                for details. This option is only
                                useful when
                                StandardOutput= or
                                StandardError= are
                                set to syslog or
                                kmsg. Note that
                                individual lines output by the daemon
                                might be prefixed with a different log
                                level which can be used to override
                                the default log level specified
                                here. The interpretation of these
                                prefixes may be disabled with
                                SyslogLevelPrefix=,
                                see below. For details see
                                sd-daemon(3).
                                Defaults to
                                info.
SyslogLevelPrefix=¶Takes a boolean
                                argument. If true and
                                StandardOutput= or
                                StandardError= are
                                set to syslog,
                                kmsg or
                                journal, log lines
                                written by the executed process that
                                are prefixed with a log level will be
                                passed on to syslog with this log
                                level set but the prefix removed. If
                                set to false, the interpretation of
                                these prefixes is disabled and the
                                logged lines are passed on as-is. For
                                details about this prefixing see
                                sd-daemon(3).
                                Defaults to true.
TimerSlackNSec=¶Sets the timer slack in nanoseconds for the executed processes. The timer slack controls the accuracy of wake-ups triggered by timers. See prctl(2) for more information. Note that in contrast to most other time span definitions this parameter takes an integer value in nano-seconds if no unit is specified. The usual time units are understood too.
LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=¶These settings control
                                various resource limits for executed
                                processes. See
                                setrlimit(2)
                                for details. Use the string
                                infinity to
                                configure no limit on a specific
                                resource.
PAMName=¶Sets the PAM service
                                name to set up a session as. If set
                                the executed process will be
                                registered as a PAM session under the
                                specified service name. This is only
                                useful in conjunction with the
                                User= setting. If
                                not set no PAM session will be opened
                                for the executed processes. See
                                pam(8)
                                for details.
TCPWrapName=¶If this is a socket-activated service this sets the tcpwrap service name to check the permission for the current connection with. This is only useful in conjunction with socket-activated services, and stream sockets (TCP) in particular. It has no effect on other socket types (e.g. datagram/UDP) and on processes unrelated to socket-based activation. If the tcpwrap verification fails daemon start-up will fail and the connection is terminated. See tcpd(8) for details. Note that this option may be used to do access control checks only. Shell commands and commands described in hosts_options(5) are not supported.
CapabilityBoundingSet=¶Controls which
                                capabilities to include in the
                                capability bounding set for the
                                executed process. See
                                capabilities(7)
                                for details. Takes a whitespace
                                separated list of capability names as
                                read by
                                cap_from_name(3),
                                e.g. CAP_SYS_ADMIN
                                CAP_DAC_OVERRIDE
                                CAP_SYS_PTRACE.
                                Capabilities listed will be included
                                in the bounding set, all others are
                                removed. If the list of capabilities
                                is prefixed with ~
                                all but the listed capabilities will
                                be included, the effect of the
                                assignment inverted. Note that this
                                option also affects the respective
                                capabilities in the effective,
                                permitted and inheritable capability
                                sets, on top of what
                                Capabilities=
                                does. If this option is not used the
                                capability bounding set is not
                                modified on process execution, hence
                                no limits on the capabilities of the
                                process are enforced. This option may
                                appear more than once in which case
                                the bounding sets are merged. If the
                                empty string is assigned to this
                                option the bounding set is reset to
                                the empty capability set, and all
                                prior settings have no effect. If set
                                to ~ (without any
                                further argument) the bounding set is
                                reset to the full set of available
                                capabilities, also undoing any
                                previous settings.
SecureBits=¶Controls the secure
                                bits set for the executed process. See
                                capabilities(7)
                                for details. Takes a list of strings:
                                keep-caps,
                                keep-caps-locked,
                                no-setuid-fixup,
                                no-setuid-fixup-locked,
                                noroot and/or
                                noroot-locked. This
                                option may appear more than once in
                                which case the secure bits are
                                ORed. If the empty string is assigned
                                to this option the bits are reset to
                                0.
Capabilities=¶Controls the
                                capabilities(7)
                                set for the executed process. Take a
                                capability string describing the
                                effective, permitted and inherited
                                capability sets as documented in
                                cap_from_text(3).
                                Note that these capability sets are
                                usually influenced by the capabilities
                                attached to the executed file. Due to
                                that
                                CapabilityBoundingSet=
                                is probably the much more useful
                                setting.
ControlGroup=¶Controls the control
                                groups the executed processes shall be
                                made members of. Takes a
                                space-separated list of cgroup
                                identifiers. A cgroup identifier is
                                formatted like
                                cpu:/foo/bar,
                                where "cpu" indicates the kernel
                                control group controller used, and
                                /foo/bar is the
                                control group path. The controller
                                name and ":" may be omitted in which
                                case the named systemd control group
                                hierarchy is implied. Alternatively,
                                the path and ":" may be omitted, in
                                which case the default control group
                                path for this unit is implied.
This option may be used to place
                                executed processes in arbitrary groups
                                in arbitrary hierarchies -- which may
                                then be externally configured with
                                additional execution limits. By
                                default systemd will place all
                                executed processes in separate
                                per-unit control groups (named after
                                the unit) in the systemd named
                                hierarchy. This option is primarily
                                intended to place executed processes
                                in specific paths in specific kernel
                                controller hierarchies. It is not
                                recommended to manipulate the service
                                control group path in the private
                                systemd named hierarchy
                                (i.e. name=systemd),
                                and doing this might result in
                                undefined behaviour. For details about
                                control groups see cgroups.txt.
This option may appear more than once, in which case the list of control group assignments is merged. If the same hierarchy gets two different paths assigned only the later setting will take effect. If the empty string is assigned to this option the list of control group assignments is reset, all previous assignments will have no effect.
Note that the list of control
                                group assignments of a unit is
                                extended implicitly based on the
                                settings of
                                DefaultControllers=
                                of
                                systemd-system.conf(5),
                                but a unit's
                                ControlGroup=
                                setting for a specific controller
                                takes precedence.
ControlGroupModify=¶Takes a boolean
                                argument. If true, the control groups
                                created for this unit will be owned by
                                the user specified with
                                User= (and the
                                appropriate group), and he/she can create
                                subgroups as well as add processes to
                                the group.
ControlGroupPersistent=¶Takes a boolean argument. If true, the control groups created for this unit will be marked to be persistent, i.e. systemd will not remove them when stopping the unit. The default is false, meaning that the control groups will be removed when the unit is stopped. For details about the semantics of this logic see PaxControlGroups.
ControlGroupAttribute=¶Set a specific control
                                group attribute for executed
                                processes, and (if needed) add the
                                executed processes to a cgroup in the
                                hierarchy of the controller the
                                attribute belongs to. Takes two
                                space-separated arguments: the
                                attribute name (syntax is
                                cpu.shares where
                                cpu refers to a
                                specific controller and
                                shares to the
                                attribute name), and the attribute
                                value. Example:
                                ControlGroupAttribute=cpu.shares
                                512. If this option is used
                                for an attribute that belongs to a
                                kernel controller hierarchy the unit
                                is not already configured to be added
                                to (for example via the
                                ControlGroup=
                                option) then the unit will be added to
                                the controller and the default unit
                                cgroup path is implied. Thus, using
                                ControlGroupAttribute=
                                is in most cases sufficient to make
                                use of control group enforcements,
                                explicit
                                ControlGroup= are
                                only necessary in case the implied
                                default control group path for a
                                service is not desirable. For details
                                about control group attributes see
                                cgroups.txt. This
                                option may appear more than once, in
                                order to set multiple control group
                                attributes. If this option is used
                                multiple times for the same cgroup
                                attribute only the later setting takes
                                effect. If the empty string is
                                assigned to this option the list of
                                attributes is reset, all previous
                                cgroup attribute settings have no
                                effect, including those done with
                                CPUShares=,
                                MemoryLimit=,
                                MemorySoftLimit,
                                DeviceAllow=,
                                DeviceDeny=,
                                BlockIOWeight=,
                                BlockIOReadBandwidth=,
                                BlockIOWriteBandwidth=.
                                
Assign the specified
                                overall CPU time shares to the
                                processes executed. Takes an integer
                                value. This controls the
                                cpu.shares control
                                group attribute, which defaults to
                                1024. For details about this control
                                group attribute see sched-design-CFS.txt.
MemoryLimit=, MemorySoftLimit=¶Limit the overall memory usage
                                of the executed processes to a certain
                                size. Takes a memory size in bytes. If
                                the value is suffixed with K, M, G or
                                T the specified memory size is parsed
                                as Kilobytes, Megabytes, Gigabytes,
                                or Terabytes (to the base
                                1024), respectively. This controls the
                                memory.limit_in_bytes
                                and
                                memory.soft_limit_in_bytes
                                control group attributes. For details
                                about these control group attributes
                                see memory.txt.
DeviceAllow=, DeviceDeny=¶Control access to
                                specific device nodes by the executed processes. Takes two
                                space separated strings: a device node
                                path (such as
                                /dev/null)
                                followed by a combination of r, w, m
                                to control reading, writing, or
                                creating of the specific device node
                                by the unit, respectively. This controls the
                                devices.allow
                                and
                                devices.deny
                                control group attributes. For details
                                about these control group attributes
                                see devices.txt.
BlockIOWeight=¶Set the default or
                                per-device overall block IO weight
                                value for the executed
                                processes. Takes either a single
                                weight value (between 10 and 1000) to
                                set the default block IO weight, or a
                                space separated pair of a file path
                                and a weight value to specify the
                                device specific weight value (Example:
                                "/dev/sda 500"). The file path may be
                                specified as path to a block device
                                node or as any other file in which
                                case the backing block device of the
                                file system of the file is
                                determined. This controls the
                                blkio.weight and
                                blkio.weight_device
                                control group attributes, which
                                default to 1000. Use this option
                                multiple times to set weights for
                                multiple devices. For details about
                                these control group attributes see
                                blkio-controller.txt.
BlockIOReadBandwidth=, BlockIOWriteBandwidth=¶Set the per-device
                                overall block IO bandwidth limit for
                                the executed processes. Takes a space
                                separated pair of a file path and a
                                bandwidth value (in bytes per second)
                                to specify the device specific
                                bandwidth. The file path may be
                                specified as path to a block device
                                node or as any other file in which
                                case the backing block device of the
                                file system of the file is determined.
                                If the bandwidth is suffixed with K, M,
                                G, or T the specified bandwidth is
                                parsed as Kilobytes, Megabytes,
                                Gigabytes, or Terabytes, respectively (Example:
                                "/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
                                5M"). This controls the
                                blkio.read_bps_device
                                and
                                blkio.write_bps_device
                                control group attributes. Use this
                                option multiple times to set bandwidth
                                limits for multiple devices. For
                                details about these control group
                                attributes see blkio-controller.txt.
ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=¶Sets up a new
                                file-system name space for executed
                                processes. These options may be used
                                to limit access a process might have
                                to the main file-system
                                hierarchy. Each setting takes a
                                space-separated list of absolute
                                directory paths. Directories listed in
                                ReadWriteDirectories=
                                are accessible from within the
                                namespace with the same access rights
                                as from outside. Directories listed in
                                ReadOnlyDirectories=
                                are accessible for reading only,
                                writing will be refused even if the
                                usual file access controls would
                                permit this. Directories listed in
                                InaccessibleDirectories=
                                will be made inaccessible for
                                processes inside the namespace. Note
                                that restricting access with these
                                options does not extend to submounts
                                of a directory. You must list
                                submounts separately in these settings
                                to ensure the same limited
                                access. These options may be specified
                                more than once in which case all
                                directories listed will have limited
                                access from within the namespace. If
                                the empty string is assigned to this
                                option the specific list is reset, and
                                all prior assignments have no
                                effect.
PrivateTmp=¶Takes a boolean
                                argument. If true sets up a new file
                                system namespace for the executed
                                processes and mounts private
                                /tmp and
                                /var/tmp directories
                                inside it, that are not shared by
                                processes outside of the
                                namespace. This is useful to secure
                                access to temporary files of the
                                process, but makes sharing between
                                processes via
                                /tmp or
                                /var/tmp
                                impossible. All temporary data created
                                by service will be removed after service
                                is stopped. Defaults to
                                false.
PrivateNetwork=¶Takes a boolean
                                argument. If true sets up a new
                                network namespace for the executed
                                processes and configures only the
                                loopback network device
                                lo inside it. No
                                other network devices will be
                                available to the executed process.
                                This is useful to securely turn off
                                network access by the executed
                                process. Defaults to
                                false.
MountFlags=¶Takes a mount
                                propagation flag:
                                shared,
                                slave or
                                private, which
                                control whether the file system
                                namespace set up for this unit's
                                processes will receive or propagate
                                new mounts. See
                                mount(2)
                                for details. Default to
                                shared.
UtmpIdentifier=¶Takes a four character identifier string for an utmp/wtmp entry for this service. This should only be set for services such as getty implementations where utmp/wtmp entries must be created and cleared before and after execution. If the configured string is longer than four characters it is truncated and the terminal four characters are used. This setting interprets %I style string replacements. This setting is unset by default, i.e. no utmp/wtmp entries are created or cleaned up for this service.
IgnoreSIGPIPE=¶Takes a boolean argument. If true causes SIGPIPE to be ignored in the executed process. Defaults to true, since SIGPIPE generally is useful only in shell pipelines.
NoNewPrivileges=¶Takes a boolean argument. If true ensures that the service process and all its children can never gain new privileges. This option is more powerful than the respective secure bits flags (see above), as it also prohibits UID changes of any kind. This is the simplest, most effective way to ensure that a process and its children can never elevate privileges again.
SystemCallFilter=¶Takes a space
                                separated list of system call
                                names. If this setting is used all
                                system calls executed by the unit
                                process except for the listed ones
                                will result in immediate process
                                termination with the SIGSYS signal
                                (whitelisting). If the first character
                                of the list is ~
                                the effect is inverted: only the
                                listed system calls will result in
                                immediate process termination
                                (blacklisting). If this option is used
                                NoNewPrivileges=yes
                                is implied. This feature makes use of
                                the Secure Computing Mode 2 interfaces
                                of the kernel ('seccomp filtering')
                                and is useful for enforcing a minimal
                                sandboxing environment. Note that the
                                execve,
                                rt_sigreturn,
                                sigreturn,
                                exit_group,
                                exit system calls
                                are implicitly whitelisted and don't
                                need to be listed explicitly. This
                                option may be specified more than once
                                in which case the filter masks are
                                merged. If the empty string is
                                assigned the filter is reset, all
                                prior assignments will have no
                                effect.