
ProtectControlGroups setting

The property ProtectControlGroups is a systemd unit setting used for sandboxing. It is available since systemd 232.

Purpose: limit write access to the control groups directory structure under /sys/fs/cgroup

Why and when to use ProtectControlGroups

The systemd unit setting ProtectControlGroups reduces write access to cgroups (Linux control groups). Information about cgroups is normally available under /sys/fs/cgroup. This setting can prevent a process from writing anything to this directory structure.

Configuration options

Before systemd 257, only boolean values (yes/no, true/false) were accepted. With systemd 257 the string values private and strict were added.

Generic advice

For most services ProtectControlGroups can be turned on. Only container managers require write access to the control group structures.

Example configuration

[Service]
ProtectControlGroups=yes

Values

The systemd unit setting ProtectControlGroups expects a boolean (yes/no or true/false) or a string value.

Values for systemd unit setting ProtectControlGroups

Value    | Intended action                                                          | Available since systemd version
no       | do not limit write access (default)                                      |
yes      | restrict access and mark the control group directory structure read-only |
private  | a new cgroup namespace is allocated and the relevant cgroupfs is mounted | 257
strict   | a new cgroup namespace is allocated and its cgroupfs is mounted read-only| 257

Example to show the current value of ProtectControlGroups for the ssh service:

systemctl show --property=ProtectControlGroups ssh.service
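As an added example (not part of the original article), a POSIX shell helper that classifies the value printed by the systemctl show command above and reports whether it restricts write access, treating private and strict as unsupported on systemd older than 257. The sample output line and the pcg_* function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: evaluate the value that
# `systemctl show --property=ProtectControlGroups UNIT` prints.

# Classify a ProtectControlGroups value for a given systemd version.
# Prints one of: unset, off, readonly, private, strict, unsupported
pcg_classify() {
    value="$1"            # text after the '=' in the systemctl show output
    version="${2:-0}"     # numeric systemd version, e.g. 255 or 257
    case "$value" in
        "")               echo unset ;;
        no|false|0|off)   echo off ;;
        yes|true|1|on)    echo readonly ;;
        private|strict)
            # private/strict only exist since systemd 257
            if [ "$version" -ge 257 ]; then echo "$value"; else echo unsupported; fi ;;
        *)                echo unsupported ;;
    esac
}

# Return 0 when the value actually restricts write access to /sys/fs/cgroup.
pcg_is_hardened() {
    case "$(pcg_classify "$1" "$2")" in
        readonly|private|strict) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Extract the value from a "ProtectControlGroups=VALUE" line.
pcg_value_from_show() {
    printf '%s\n' "$1" | sed -n 's/^ProtectControlGroups=//p'
}

# Drop-in content that `systemctl edit UNIT.service` would save for a value.
pcg_dropin() {
    printf '[Service]\nProtectControlGroups=%s\n' "$1"
}

# Constructed sample of systemctl output (not captured from a real host).
SAMPLE='ProtectControlGroups=yes'
if pcg_is_hardened "$(pcg_value_from_show "$SAMPLE")" 255; then
    echo "write access to /sys/fs/cgroup is restricted"
else
    echo "not hardened; suggested drop-in:"; pcg_dropin yes
fi
```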


Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and the name of the unit.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?



This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
