CapabilityBoundingSet setting
The property CapabilityBoundingSet is a systemd unit setting used for sandboxing.
Purpose: Define what capabilities are allowed within the service unit
Why and when to use CapabilityBoundingSet
Systemd provides the setting CapabilityBoundingSet to limit the capabilities of a service's processes and all of their children. Because the bounding set is the upper limit of what a process can ever hold, a capability removed from it cannot be regained later, not even by executing a setuid root binary or a binary with file capabilities. This makes it a powerful filter that greatly restricts what a Linux process can do, but applying it correctly requires in-depth knowledge of the related process and its child processes.
See Linux capabilities 101 for an introduction, as well as the overview of capabilities for more details.
Configuration
This setting takes a space-separated list of capability names and may be specified multiple times. When specified multiple times, the lines are merged: plain lists are combined (OR), while lists prefixed with ~ are subtracted from what the earlier lines defined.
When prefixed with ~, the setting is inverted: the listed capabilities are removed from the bounding set and all other capabilities remain allowed.
There are two reset forms. Assigning the empty string (‘CapabilityBoundingSet=’) resets the bounding set to no capabilities at all and discards earlier lines; assigning only a tilde (‘CapabilityBoundingSet=~’) resets it to the full set of capabilities, also undoing earlier lines.
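As an added illustration of how stacking, inversion and the reset forms combine (this is not from the original page or from systemd's own documentation), here is a hypothetical drop-in for a unit called myapp.service that runs as root. The unit name and the chosen capabilities are assumptions; the merge semantics in the comments are those of systemd.exec.

```ini
# /etc/systemd/system/myapp.service.d/capabilities.conf  (hypothetical drop-in, added example)
[Service]
# Allow-list form: the bounding set becomes exactly these capabilities.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
# A second plain list is merged in (OR): the set is now NET_BIND_SERVICE, CHOWN and SETUID.
CapabilityBoundingSet=CAP_SETUID
# A list prefixed with ~ is subtracted: CAP_CHOWN is removed again,
# leaving NET_BIND_SERVICE and SETUID as the effective bounding set.
CapabilityBoundingSet=~CAP_CHOWN

# The two reset forms, shown commented out because either one would discard the lines above:
# "CapabilityBoundingSet=" alone leaves no capabilities at all,
# "CapabilityBoundingSet=~" alone restores the full set.
#CapabilityBoundingSet=
#CapabilityBoundingSet=~
```

After `systemctl daemon-reload` and a restart of the unit, `systemctl show -p CapabilityBoundingSet myapp.service` prints the merged result so the arithmetic above can be checked. One caveat: if the service runs under a non-root User=, it normally holds no capabilities anyway (unless AmbientCapabilities= grants some); the bounding set still matters there, because it stops the service from regaining capabilities through setuid root or file-capability binaries it executes.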
Generic advice
This setting is a powerful option to restrict what processes can and cannot do. It requires more than average knowledge from a system administrator, but with some research it is typically possible to arrive at a working and hardened service. Use with caution on active production systems and test first on non-critical systems: a capability that was removed but is still needed usually shows up only as an ‘Operation not permitted’ error at runtime, possibly long after the service started.
Implementation and examples
When implementing this option, there are multiple methods to discover which capabilities are required:
- Inspect the binary and the running processes for the capabilities they carry or use (e.g. filecap for file capabilities set on a binary, pscap for the capabilities held by running processes)
- Block all capabilities (CapabilityBoundingSet=), start the service and look for permission errors in the journal
- Trace the system calls the service makes (e.g. with strace) and map each of them against the capability it requires
To find out what capabilities might be used within an application, consult How to harden a systemd service unit for additional tips.
Example testing using systemd-run
$ touch test
$ sudo systemd-run --pty --same-dir --property=CapabilityBoundingSet=~CAP_CHOWN chown michael:michael test
chown: changing ownership of 'test': Operation not permitted
This command should fail, as the CAP_CHOWN capability is not allowed. Note that systemd-run starts a transient service under the system manager, so it needs root (or polkit) privileges, and --same-dir is required because a transient service otherwise starts in the root directory and would not find the relative path test.
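The discovery methods and the systemd-run test above both end with the same question: which capabilities does the process actually hold once the unit is restricted? The following added example (not code from the original page) answers it by decoding the CapBnd line of /proc/<pid>/status, which is what pscap and capsh --decode do under the hood. It needs only POSIX sh and /proc; the function names are my own, and the capability table is the kernel's numbering up to CAP_CHECKPOINT_RESTORE.

```shell
#!/bin/sh
# Added example, not from the original page: decode the CapBnd mask of a process
# into capability names, to verify that a CapabilityBoundingSet restriction took effect.

# Capability names in kernel numbering order: the name at position N belongs to
# bit N of the mask (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
checkpoint_restore"

# decode_capmask HEXMASK: print the capability names whose bits are set in a hex
# mask such as 000001ffffffffff, space-separated, or "(none)" for an empty set.
decode_capmask() {
    mask=$(( 0x$1 ))
    i=0
    names=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            names="${names:+$names }cap_$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "${names:-(none)}"
}

# capbnd_of_pid PID: print the raw CapBnd mask of a running process
# (use "self" for the current shell).
capbnd_of_pid() {
    sed -n 's/^CapBnd:[[:space:]]*//p' "/proc/$1/status"
}

# has_cap HEXMASK cap_name: succeed if the named capability is in the mask.
# Typical check after restricting a unit, with PID taken from
# "systemctl show -p MainPID --value myapp.service":
#   has_cap "$(capbnd_of_pid "$pid")" cap_chown && echo "CAP_CHOWN still present"
has_cap() {
    case " $(decode_capmask "$1") " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Demonstrate on the current shell. A normal root shell shows the full set; a shell
# started with CapabilityBoundingSet=~CAP_CHOWN would list everything except cap_chown.
if [ -r /proc/self/status ]; then
    echo "Bounding set of this shell: $(decode_capmask "$(capbnd_of_pid self)")"
fi
```

Run it as the service user inside the unit (for example via systemd-run with the same CapabilityBoundingSet= property) or point capbnd_of_pid at the unit's MainPID from outside; if a capability you removed still shows up, the unit file is not being applied as you think, and if one you kept is missing, a later ~ line or an empty reset line is subtracting it.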
Related hardening profiles
The systemd unit setting CapabilityBoundingSet is used in the following hardening profiles.