« Back to Settings for systemd units

LockPersonality setting

The property LockPersonality is a systemd unit setting used for sandboxing. It is available since systemd 235.

Purpose: prevent processes switching their personality, a kernel execution domain

Why and when to use LockPersonality

The systemd unit setting LockPersonality prevents changing the personality with personality(2). This is a syscall that defines the kernel execution domain for a process. Normally this kernel execution domain is set to default, unless specified with the Personality= setting.

Configuration options of LockPersonality

When this unit setting is set to ‘yes’, no changes in the personality are allowed.

Generic advice

Most services can be configured with LockPersonality=yes.

Values

Systemd unit setting LockPersonality expects a boolean (yes/no or true/false).

Values for systemd unit setting LockPersonality
ValueIntended actionAvailable since
systemd version
noprocesses may switch the personality for a process - default
yesno personality adjustment is permitted

Example to show the current value of LockPersonality for the ssh service:

systemctl show --property=LockPersonality ssh.service

Related hardening profiles

The systemd unit setting LockPersonality is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon