LockPersonality setting
The property LockPersonality is a systemd unit setting used for sandboxing. It is available since systemd 235.
Purpose: prevent processes switching their personality, a kernel execution domain
Why and when to use LockPersonality
The systemd unit setting LockPersonality prevents changing the personality with personality(2). This is a syscall that defines the kernel execution domain for a process. Normally this kernel execution domain is set to default, unless specified with the Personality= setting.
Configuration options of LockPersonality
When this unit setting is set to ‘yes’, no changes in the personality are allowed.
Generic advice
Most services can be configured with LockPersonality=yes.
Values
Systemd unit setting LockPersonality expects a boolean (yes/no or true/false).
Value | Intended action | Available since systemd version |
---|---|---|
no | processes may switch the personality for a process - default | |
yes | no personality adjustment is permitted |
Example to show the current value of LockPersonality for the ssh service:
systemctl show --property=LockPersonality ssh.serviceRelated hardening profiles
The systemd unit setting LockPersonality is used in the following hardening profiles.