InaccessiblePaths setting
The property InaccessiblePaths is a systemd unit setting used for sandboxing. It is available since systemd 231.
Purpose: define paths that should not be accessible
Why and when to use InaccessiblePaths
The setting InaccessiblePaths defines paths that should never be accessible. Instead of using the principles of an allow list, it is an explicit deny list. It can be used to block access by a process to a location with sensitive data or a path commonly misused for exploits.
Values
Define the paths that are granted write access.
[Service]
InaccessiblePaths=/dev/shm
- When a path is prefixed with a minus (-), it is ignored if it does not exist
- When a path is prefixed with a plus (+), the path is considered relative to root of directory (e.g. configured with RootDirectory)
Generic advice
This setting is not as powerful as others that can make larger parts of the system inaccessible, while defining just a few paths that still should be. In may still be useful when there is a need to block a very sensitive path. A good example for this is when using the MemoryDenyWriteExecute setting.
Related hardening profiles
The systemd unit setting InaccessiblePaths is used in the following hardening profiles.
