ProcSubset setting
The property ProcSubset is a systemd unit setting used for sandboxing. It has been available since systemd 247.
Purpose: define the subset of access by unit to /proc
New to securing and tuning systemd services? Start with the "how to harden a systemd service unit" article to learn tuning step by step, including the usage of relevant tools.
Why and when to use ProcSubset
The systemd unit setting ProcSubset controls the "subset" mount option of /proc for the unit. When the option is used, top-level entries are hidden from the process and its children.
The "subset=pid" mount option was introduced in Linux 5.8.
Caveats
This setting does not work if the "subset" option for procfs is not supported.
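To confirm that ProcSubset=pid really took effect for a running unit, the check below reads the mount options of /proc as the service's main process sees them. It is an added example, not part of the original article: the function names and the sample mountinfo lines are constructed, and because the column in which subset=pid appears is an assumption, both option columns are checked.

```shell
#!/bin/sh
# Reads mountinfo text on stdin and prints:
#   pid  - procfs on /proc is mounted with subset=pid
#   all  - procfs on /proc is mounted without it
#   none - no procfs mount on /proc was found
proc_subset_of() {
    awk '
        {
            # Optional fields end at a lone "-"; fstype, source and
            # superblock options follow it.
            sep = 0
            for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
            if (sep == 0 || $5 != "/proc" || $(sep + 1) != "proc") next
            # Check per-mount options ($6) and superblock options.
            opts = "," $6 "," $(sep + 3) ","
            # A later mount on /proc overrides an earlier one.
            result = (index(opts, ",subset=pid,") > 0) ? "pid" : "all"
        }
        END { print (result == "" ? "none" : result) }
    '
}

# Hypothetical helper: inspect the live main process of a unit.
# Reading another process's mountinfo usually requires root.
unit_proc_subset() {
    pid=$(systemctl show --property=MainPID --value "$1") || return 1
    [ "${pid:-0}" -gt 0 ] || { echo "inactive"; return 0; }
    proc_subset_of < "/proc/$pid/mountinfo"
}

# Constructed sample: unit running with ProcSubset=pid.
sample_restricted() {
    cat <<'EOF'
412 380 0:25 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
455 412 0:52 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw,subset=pid
EOF
}

# Constructed sample: default procfs mount (ProcSubset=all).
sample_default() {
    cat <<'EOF'
412 380 0:25 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 412 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
EOF
}
```

On a live system, run `unit_proc_subset ssh.service` as root. A result of `all` for a unit configured with ProcSubset=pid means the restriction was not applied.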
Generic advice
The Linux kernel shares information from various kernel APIs via /proc. When activating this setting, these kernel APIs are also made unavailable, which might break common software, unless it is a trivial process. So this option is to be used with care. Typically it may be better to implement the ProtectProc setting.
Values
Systemd unit setting ProcSubset expects a boolean (yes/no or true/false) or string value.
Value | Intended action | Available since systemd version |
---|---|---|
all | No restriction of information from /proc (default) | |
pid | Restricts information from /proc that is not directly associated with process management and introspection | |
Example to show the current value of ProcSubset for the ssh service:
systemctl show --property=ProcSubset ssh.service
Related hardening profiles
The systemd unit setting ProcSubset is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.