ProtectControlGroups setting
The property ProtectControlGroups is a systemd unit setting used for sandboxing. It is available since systemd 232.
Purpose: limit write access to the control group directory structure under /sys/fs/cgroup
Why and when to use ProtectControlGroups
The systemd unit setting ProtectControlGroups reduces write access to cgroups (Linux control groups). Information about cgroups is normally exposed under /sys/fs/cgroup. This setting can prevent a service's processes from writing anything to that directory structure.
Configuration options
Before systemd 257, only boolean values (yes/no, true/false) were accepted. With systemd 257, the values private and strict were added.
Generic advice
For most services ProtectControlGroups can be turned on. Only container managers require write access to the control group structures.
Example configuration
[Service]
ProtectControlGroups=yes
Values
The systemd unit setting ProtectControlGroups expects a boolean (yes/no or true/false) or, since systemd 257, one of the string values private or strict.
Value | Intended action | Available since systemd version
---|---|---
no | do not limit write access (default) | 232
yes | restrict access and mark the control group directory structure as read-only | 232
private | a new cgroup namespace is allocated and the relevant cgroupfs mounted | 257
strict | a new cgroup namespace is allocated and its cgroupfs mounted read-only | 257
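The table above can be turned into a small audit: the following added example (not code from the page or from systemd itself) extracts the effective ProtectControlGroups value from unit-file text and classifies it as protected, unprotected, unsupported on the running systemd version, or invalid. The sample unit text is constructed; the version numbers are the ones stated on this page.

```python
# Added example, not from the page: audit the effective ProtectControlGroups
# value in systemd unit-file text against the value table and version gates above.
TRUE_WORDS = {"1", "yes", "true", "on"}       # boolean spellings systemd accepts
FALSE_WORDS = {"0", "no", "false", "off"}
MIN_VERSION = {"no": 232, "yes": 232, "private": 257, "strict": 257}

def normalize(raw):
    """Map a raw value onto a row of the table (yes/no/private/strict) or None."""
    v = raw.strip().lower()
    if v in TRUE_WORDS:
        return "yes"
    if v in FALSE_WORDS:
        return "no"
    return v if v in ("private", "strict") else None

def effective_value(unit_text):
    """Last ProtectControlGroups= assignment in [Service], or the default 'no'."""
    # As in systemd: only [Service] counts, the last assignment wins, and an
    # empty assignment (ProtectControlGroups=) resets to the default.
    section, value = None, "no"
    for line in unit_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, raw = line.partition("=")
        if section == "Service" and sep and key.strip() == "ProtectControlGroups":
            value = raw.strip() or "no"
    return value

def audit(unit_text, systemd_version):
    """Classify a unit as protected, unprotected, unsupported or invalid."""
    value = normalize(effective_value(unit_text))
    if value is None:
        return "invalid"        # neither a boolean nor private/strict
    if systemd_version < MIN_VERSION[value]:
        return "unsupported"    # e.g. private/strict on systemd older than 257
    return "protected" if value != "no" else "unprotected"

# Constructed sample unit: the later assignment overrides the earlier 'no'.
SAMPLE_UNIT = """[Unit]
Description=constructed sample service

[Service]
ExecStart=/usr/bin/true
ProtectControlGroups=no
ProtectControlGroups=strict
"""
```

Run `audit(open("/etc/systemd/system/foo.service").read(), 257)` against your own unit files; drop-in overrides are not merged here, so check them separately.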
Example to show the current value of ProtectControlGroups for the ssh service:
systemctl show --property=ProtectControlGroups ssh.service
Related hardening profiles
The systemd unit setting ProtectControlGroups is used in the following hardening profiles.