CapabilityBoundingSet setting
The property CapabilityBoundingSet is a systemd unit setting used for sandboxing.
Purpose: Define what capabilities are allowed within the service unit
Why and when to use CapabilityBoundingSet
The CapabilityBoundingSet setting limits the Linux capabilities available to the service. This is a powerful filter that greatly restricts what a process can do, but it requires in-depth knowledge of the process and its child processes: a capability that is missing from the bounding set cannot be regained by the service or by anything it spawns.
See the Linux capabilities 101 for an introduction, as well as the overview of capabilities for more details.
Configuration
This setting takes a space-separated list of capabilities and may be specified multiple times. If specified multiple times, the lists are merged.
To reset an earlier defined set, use ‘CapabilityBoundingSet=~’.
When the list is prefixed with ~, the setting is inverted: the listed capabilities are removed from the bounding set, and all others remain allowed.
Generic advice
This setting is a powerful option to restrict what processes can or can’t do. It requires more than average knowledge from a system administrator, but with some research it is typically possible to get a working and hardened service. Use it with caution on active production systems and test it first on non-critical systems.
$ touch test
$ systemd-run --pty --property=CapabilityBoundingSet=~CAP_CHOWN chown michael:michael test
This command should fail, because CAP_CHOWN has been removed from the bounding set of the transient service and changing a file's owner requires that capability.
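Besides watching the command fail, you can confirm that the restriction is in place by decoding the CapBnd mask the kernel publishes in /proc/<pid>/status. The script below is an added example, not part of the original page: it decodes that mask with a constructed status sample representing a process started with CapabilityBoundingSet=~CAP_CHOWN; the capability bit table covers only the names it needs.

```shell
#!/bin/sh
# Check whether a CapabilityBoundingSet= restriction took effect by decoding the
# CapBnd line of /proc/<pid>/status (a hex mask where bit N means capability N).

# Bit numbers from <linux/capability.h>; assumption: only this subset is needed here.
cap_bit() {
  case "$1" in
    CAP_CHOWN)            echo 0 ;;
    CAP_DAC_OVERRIDE)     echo 1 ;;
    CAP_SETUID)           echo 7 ;;
    CAP_NET_BIND_SERVICE) echo 10 ;;
    CAP_NET_ADMIN)        echo 12 ;;
    CAP_SYS_PTRACE)       echo 19 ;;
    CAP_SYS_ADMIN)        echo 21 ;;
    *) echo "unknown capability: $1" >&2; return 1 ;;
  esac
}

# Extract the CapBnd hex mask from /proc/<pid>/status text read on stdin.
capbnd_from_status() {
  awk '/^CapBnd:/ { print $2; exit }'
}

# Exit 0 if capability $2 is present in hex mask $1, 1 if it has been dropped.
cap_in_mask() {
  bit=$(cap_bit "$2") || return 2
  [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]
}

# Report each capability (arguments after the mask) that the unit was meant to
# drop but that is still in the bounding set; exit 1 if any remains.
still_allowed() {
  mask=$1; shift
  rc=0
  for cap in "$@"; do
    if cap_in_mask "$mask" "$cap"; then
      echo "$cap is still in the bounding set"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: the status lines of a process whose full 41-capability
# bounding set had only CAP_CHOWN (bit 0) removed, as ~CAP_CHOWN does.
SAMPLE_STATUS='Name: chown
CapPrm: 000001fffffffffe
CapEff: 000001fffffffffe
CapBnd: 000001fffffffffe'

mask=$(printf '%s\n' "$SAMPLE_STATUS" | capbnd_from_status)
# Only CAP_CHOWN was inverted away, so CAP_SYS_ADMIN is reported as still present.
still_allowed "$mask" CAP_CHOWN CAP_SYS_ADMIN || true
```

Against a running unit, feed the real file instead of the sample, e.g. `capbnd_from_status < /proc/$(systemctl show -p MainPID --value myservice.service)/status`.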
Related hardening profiles
The systemd unit setting CapabilityBoundingSet is used in the following hardening profiles.