ProcSubset setting

The property ProcSubset is a systemd unit setting used for sandboxing. It is available since systemd 247.

Purpose: define the subset of access by unit to /proc

Why and when to use ProcSubset

The setting ProcSubset controls the “subset” mount option of /proc for the unit.

Caveats

This function does not if the “subnet” option for procfs is not supported.

Generic advice

The Linux kernel shares information from various kernel APIs via /proc. When activating this setting, these kernel APIs are also made unavailable, which might break common software, unless it is a trivial process. So this option is to be used with care. Typically it may be better to implement the ProtectProc setting.

Values

Systemd unit setting ProcSubset expects a boolean (yes/no or true/false) or string value.

Values for systemd unit setting ProcSubset
Value	Intended action	Available since systemd version
all	no restriction of information from /proc - default
pid	restricts information from /proc that not directly associated with process management and introspection

Example to show the current value of ProcSubset for the ssh service:

systemctl show --property=ProcSubset ssh.service

Related hardening profiles

The systemd unit setting ProcSubset is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!