LockPersonality setting
The property LockPersonality is a systemd unit setting used for sandboxing. It is available since systemd 235.
Purpose: prevent processes from switching their personality, the kernel execution domain they run under
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use LockPersonality
The systemd unit setting LockPersonality prevents a service from changing its personality with the personality(2) system call. The personality defines the kernel execution domain of a process: which emulation of Linux (or of another UNIX flavor) the kernel presents to it, plus flags that alter behavior, such as disabling address space randomization. Normally a service runs in the default execution domain, unless the unit selects another one with the Personality= setting. With LockPersonality=yes, systemd installs a seccomp filter that makes personality() calls fail with EPERM, so the execution domain can be changed neither from the default nor from the value selected with Personality=. This matters because the less common personality emulations are rarely exercised and have been a source of kernel bugs; a compromised service should not be able to switch into one. Because the lock is implemented with seccomp, it is only effective on systems where systemd's seccomp support is available, and when the unit runs without CAP_SYS_ADMIN (for example because User= is set), NoNewPrivileges=yes is implied.
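The following probe shows, in working code, what LockPersonality locks down. It is an added example and is not part of the original article or of systemd itself. It queries the current persona, tries to set the ADDR_NO_RANDOMIZE flag (a harmless change that tools such as gdb make to disable ASLR) and reports whether the kernel accepted the change or refused it with EPERM. Run it once as a normal user and once inside a transient unit with LockPersonality=yes to see the difference. It assumes Linux with glibc or musl; the function names are chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/personality.h>

/* Query the current persona without changing it. personality(0xffffffff)
 * is the documented "query only" form. Returns (unsigned long)-1 and leaves
 * errno set if the call is refused (for example by a seccomp filter). */
unsigned long query_personality(void)
{
    int r = personality(0xffffffff);
    if (r == -1)
        return (unsigned long)-1;
    return (unsigned long)r;
}

/* Ask the kernel to switch this process to `persona`.
 * Returns 0 on success or -errno on failure; under LockPersonality=yes the
 * seccomp filter installed by systemd answers with -EPERM. */
int try_set_personality(unsigned long persona)
{
    if (personality(persona) == -1)
        return -errno;
    return 0;
}

/* Probe whether this process may change its personality.
 * Returns 1 if a change succeeded (and was reverted), 0 if it was refused
 * with EPERM (locked), and -1 on any other error. */
int probe_personality_lock(void)
{
    unsigned long orig = query_personality();
    if (orig == (unsigned long)-1)
        return errno == EPERM ? 0 : -1;

    /* ADDR_NO_RANDOMIZE is the flag gdb sets to disable ASLR; it is a
     * harmless candidate for testing whether changes are allowed at all. */
    int r = try_set_personality(orig | ADDR_NO_RANDOMIZE);
    if (r == -EPERM)
        return 0;
    if (r < 0)
        return -1;

    /* The change went through: restore the original persona so nothing
     * started from this process inherits the modified one. */
    if (try_set_personality(orig) < 0)
        return -1;
    return 1;
}

int main(void)
{
    unsigned long p = query_personality();
    if (p == (unsigned long)-1)
        printf("personality query refused: %s\n", strerror(errno));
    else
        printf("current persona: 0x%lx (ADDR_NO_RANDOMIZE %s)\n", p,
               (p & ADDR_NO_RANDOMIZE) ? "set" : "clear");

    switch (probe_personality_lock()) {
    case 1:
        puts("personality changes allowed (LockPersonality not in effect)");
        return 0;
    case 0:
        puts("personality change refused with EPERM (locked)");
        return 0;
    default:
        printf("unexpected error: %s\n", strerror(errno));
        return 1;
    }
}
```

Build it with `cc -o personality-probe personality-probe.c`. Running `./personality-probe` directly in a shell reports that changes are allowed; running the same binary (by absolute path) as a transient service with `systemd-run --wait --pipe -p LockPersonality=yes /path/to/personality-probe` reports the EPERM refusal, which is exactly the effect the setting has on a long-running service. Container runtimes often ship their own seccomp profile for personality(), so the probe may also report "locked" inside a container that has no systemd unit involved.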
Configuration options of LockPersonality
When this unit setting is set to ‘yes’, no changes in the personality are allowed.
Generic advice
Most services can be configured with LockPersonality=yes.
Values
The systemd unit setting LockPersonality expects a boolean (yes/no, true/false, on/off or 1/0).
Value | Intended action | Available since systemd version
---|---|---
no | processes may switch the personality for a process (default) | 235
yes | no personality adjustment is permitted | 235
Example to show the current value of LockPersonality for the ssh service:

systemctl show --property=LockPersonality ssh.service

Related hardening profiles
The systemd unit setting LockPersonality is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.