ExecPaths setting
The property ExecPaths is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: define the paths from which programs can be executed
Why and when to use ExecPaths
The setting ExecPaths defines that paths that are allowed for program execution. It is the opposite of NoExecPaths and they are typically used together. A common option is first to disable execution from ‘/’ with NoExecPaths, then define the paths in ExecPaths where the related binaries of the service are located.
Configuration options of ExecPaths
Define the paths that are allowed for program execution. This is typically done after a more generic ‘block’ has been defined using NoExecPaths, such as the root path.
Example
Execution is only allowed if the binary is /usr/sbin/myprogram and libraries from /usr/lib.
NoExecPaths=/
ExecPaths=/usr/lib /usr/sbin/myprogram
Testing
To see if a program works with this property, consider using the systemd-run command.
systemd-run --pty --property=NoExecPaths=/tmp --property=ExecPaths=/tmp/testing /tmp/testing/mytestfile
For this example to work correctly, make sure that the path /tmp/testing does exist. The mytestfile could be something like a copy of the /bin/ps file.
Related hardening profiles
The systemd unit setting ExecPaths is used in the following hardening profiles.
