CapabilityBoundingSet setting
The property CapabilityBoundingSet is a systemd unit setting used for sandboxing. It is available since systemd 21.
Purpose: Define what capabilities are allowed within the service unit
New to securing and tuning systemd services? Start with the article on how to harden a systemd service unit to learn tuning step by step, including the usage of the relevant tools.
Why and when to use CapabilityBoundingSet
Systemd provides the setting CapabilityBoundingSet, which limits the capabilities of a process and its children. This powerful filter greatly restricts what a Linux process can do, but it requires some in-depth knowledge of the related process and its child processes.
See the Linux capabilities 101 for an introduction, as well as the overview of capabilities for more details.
Configuration
This setting takes a space-separated list of capability names and may be specified multiple times. If specified multiple times, the capabilities are stacked.
To reset an earlier defined set, use CapabilityBoundingSet=~ (a tilde with no capabilities listed).
When a list is prefixed with ~, the setting is inverted: the listed capabilities are denied, while all others remain allowed.
Generic advice
This setting is a powerful option to restrict what processes can or cannot do. It requires more than average knowledge from a system administrator, but with some research it is typically possible to get a working and hardened service. Use it with caution on active production systems; test it first on non-critical systems.
Implementation and examples
When implementing this option, there are multiple methods to discover which capabilities are required:
- Look at the binary and see whether capabilities are attached to it or to its running process (e.g. using filecap, pscap)
- Block all capabilities and look at the errors in the journal
- Look at the syscalls the process uses and map them against the capability each one requires
To find out what capabilities might be used within an application, consult How to harden a systemd service unit for additional tips.
Example testing using systemd-run
$ touch test
$ systemd-run --pty --property=CapabilityBoundingSet=~CAP_CHOWN chown michael:michael test
This command should fail, because the CAP_CHOWN capability is not allowed within the bounding set.
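As an added example (not from the original article), the following Python checker applies the stacking and ~ rules described above to the CapabilityBoundingSet= lines of a unit and compares the result with the CapBnd mask a running process reports in /proc/<pid>/status (what you would read after the systemd-run test). The capability bit numbers follow the kernel's capability.h; the status text is a constructed sample.

```python
import re

# Capability names in kernel bit order: bit 0 is CAP_CHOWN, bit 40 is CAP_CHECKPOINT_RESTORE.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
             "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
             "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
             "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
             "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND "
             "AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()
CAP_BIT = {"CAP_" + n: i for i, n in enumerate(CAP_NAMES)}
ALL_CAPS = (1 << len(CAP_NAMES)) - 1

# Constructed sample of /proc/<pid>/status output for a process started with
# CapabilityBoundingSet=~CAP_CHOWN (every capability except bit 0).
STATUS_SAMPLE = "Name:\tchown\nCapInh:\t0000000000000000\nCapBnd:\t000001fffffffffe\n"

def effective_bounding_set(values):
    """values: right-hand sides of each CapabilityBoundingSet= line, in unit-file order.
    Returns the resulting bitmask, or None if the directive never appeared (no limit)."""
    result = None
    for value in values:
        value = value.strip()
        invert = value.startswith("~")
        mask = 0
        for name in value.lstrip("~").split():
            if name.upper() not in CAP_BIT:
                raise ValueError("unknown capability: " + name)
            mask |= 1 << CAP_BIT[name.upper()]
        if result is None or mask == 0:
            # First line, "" (reset to empty) or bare "~" (reset to full): replace.
            result = (ALL_CAPS & ~mask) if invert else mask
        elif invert:
            result &= ~mask    # later "~" lines remove capabilities (AND NOT)
        else:
            result |= mask     # later plain lines add capabilities (OR)
    return result

def cap_names(mask):
    """Names of the capabilities whose bits are set in mask, sorted."""
    return sorted(n for n, bit in CAP_BIT.items() if mask >> bit & 1)

def check_process_status(status_text, expected_mask):
    """Compare the CapBnd line of a /proc/<pid>/status dump with the expected mask."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line found")
    actual = int(m.group(1), 16) & ALL_CAPS
    return {"match": actual == expected_mask,
            "unexpected": cap_names(actual & ~expected_mask),   # allowed but should not be
            "missing": cap_names(expected_mask & ~actual)}      # expected but dropped
```

On a real system, feed the CapBnd line from /proc/<pid>/status of the service's main process into check_process_status to confirm the unit's directive took effect.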
Related hardening profiles
The systemd unit setting CapabilityBoundingSet is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.