« Back to Settings for systemd units

CapabilityBoundingSet setting

The property CapabilityBoundingSet is a systemd unit setting used for sandboxing.

Purpose: Define what capabilities are allowed within the service unit

Why and when to use CapabilityBoundingSet

The setting CapabilityBoundingSet aims to limit the capabilities. This powerful filtering restricts what a process can do greatly, but requires some in-depth knowledge of the related process and its child process.

See the Linux capabilities 101 for an introduction, as well the overview of capabilities for more details.

Configuration

This setting takes a space-separated list and may be specified multiple times. If specified multiple times, the capabilities are stacked.

To reset an earlier defined set, use ‘CapabilityBoundingSet=~’.

When prefixed with ~, inversion of the setting is applied. So defined capabilities will be denied.

Generic advice

This setting is a powerful option to restrict what processes can or can’t do. It requires more than average knowledge from a system administrator, but with some research it is typically possible to get a working and hardened service. Use with caution on active production systems, first test on non-critical systems.

$ touch test
$ systemd-run --pty --property=CapabilityBoundingSet=~CAP_CHOWN chown michael:michael test

This command should fail, as CAP_CHOWN capability is not allowed

Related hardening profiles

The systemd unit setting CapabilityBoundingSet is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon