ProcSubset setting

This systemd unit setting was added in systemd 247.

Purpose: define which subset of /proc the unit can access

Why and when to use ProcSubset

The setting ProcSubset controls the “subset” mount option of /proc for the unit.

Caveats

This setting does not work if the “subset” mount option for procfs is not supported.

Generic advice

The Linux kernel shares information from various kernel APIs via /proc. When this setting is activated, these kernel APIs are also made unavailable, which might break common software unless the process is trivial. So this option is to be used with care. Typically it may be better to implement the ProtectProc setting.

Values

  • all: no restriction of information from /proc - default
  • pid: restricts information from /proc that is not directly associated with process management and introspection

Example to show the current value of ProcSubset for the dmesg service:

systemctl show --property=ProcSubset dmesg.service
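
The generic advice above warns that the pid value may break software that reads kernel APIs from /proc. The following shell check is an added example, not code from the original article or from systemd: it reads strace-style openat lines and lists the /proc paths that would disappear. The function names and the sample trace are hypothetical, and it assumes that only /proc/<PID>, /proc/self and /proc/thread-self stay visible with the pid value.

```shell
#!/bin/sh
# Added example: find /proc paths a service opens that ProcSubset=pid would hide.
# Assumption: with the procfs "subset=pid" mount option only per-process
# entries stay visible: /proc/<PID>/..., /proc/self and /proc/thread-self.

# Constructed sample input, shaped like strace output for openat calls.
SAMPLE_TRACE='openat(AT_FDCWD, "/proc/self/status", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] openat(AT_FDCWD, "/proc/sys/kernel/hostname", O_RDONLY) = 4
openat(AT_FDCWD, "/proc/4242/cmdline", O_RDONLY) = 5
openat(AT_FDCWD, "/proc/net/tcp", O_RDONLY) = 6
openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 7
openat(AT_FDCWD, "/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3'

# Read trace lines on stdin; print each /proc path that would be hidden, once.
hidden_by_procsubset_pid() {
    grep -o '"/proc/[^"]*"' | tr -d '"' | while IFS= read -r path; do
        rest=${path#/proc/}   # strip the mount point
        top=${rest%%/*}       # first component below /proc
        case $top in
            ''|self|thread-self) ;;   # /proc itself and per-process symlinks stay
            *[!0-9]*) printf '%s\n' "$path" ;;   # not a PID directory: hidden
        esac                  # purely numeric names (PIDs) match nothing: kept
    done | LC_ALL=C sort -u
}

# Exit status 0 when the trace shows no dependency on hidden entries.
procsubset_pid_compatible() {
    [ -z "$(hidden_by_procsubset_pid)" ]
}

# Report for the constructed sample.
printf '%s\n' "$SAMPLE_TRACE" | hidden_by_procsubset_pid
```

A unit whose trace produces any output here is a candidate for ProtectProc instead of ProcSubset=pid.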

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!