ProtectControlGroups setting

The property ProtectControlGroups is a systemd unit setting used for sandboxing. It has been available since systemd 232.

Purpose: limit write access to control groups directory structure under /sys/fs/cgroup

Why and when to use ProtectControlGroups

The setting ProtectControlGroups reduces write access to cgroups (Linux control groups). Information about cgroups is normally available under /sys/fs/cgroup. This setting may restrict a process from writing anything to this directory structure.

Generic advice

For most services ProtectControlGroups can be turned on. Only container managers require write access to the control group structures.

Example configuration

[Service]
ProtectControlGroups=yes

Values

This setting expects a boolean (yes or no).

  • no: do not limit write access - default
  • yes: restrict access and mark control group directory structure as read-only

Example to show the current value of ProtectControlGroups for the dmesg service:

systemctl show --property=ProtectControlGroups dmesg.service
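
The command above shows the configured value. To check the effect itself, inspect the mount table that a process sees. The following is an added example, not part of the original article: it reads input in /proc/<pid>/mountinfo format and reports every mount at or below /sys/fs/cgroup that is still writable. The function name and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: report cgroup mounts that are still writable.
# Input is in /proc/<pid>/mountinfo format: field 5 is the mount point and
# field 6 holds the per-mount options. A mount that is read-only in this
# mount namespace shows "ro" in field 6, even when the superblock options
# at the end of the line still say "rw".
#
# Exit status: 0 = all cgroup mounts read-only, 1 = writable mount found,
#              2 = no mount at or below /sys/fs/cgroup in the input.
check_cgroup_protection() {  # hypothetical helper name
    awk '
        $5 == "/sys/fs/cgroup" || index($5, "/sys/fs/cgroup/") == 1 {
            seen = 1
            ro = 0
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) { print "writable: " $5; bad = 1 }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    ' "$@"   # reads the named file, or stdin when no file is given
}

# Constructed sample lines (not captured from a real system).
SAMPLE_UNPROTECTED='25 1 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
30 25 0:27 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate'

SAMPLE_PROTECTED='525 501 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:310 - sysfs sysfs rw
530 525 0:27 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime shared:312 - cgroup2 cgroup2 rw,nsdelegate'

# Demo on the constructed samples: prints the exit status for each.
for name in UNPROTECTED PROTECTED; do
    eval "sample=\$SAMPLE_$name"
    rc=0
    printf '%s\n' "$sample" | check_cgroup_protection || rc=$?
    echo "$name sample: exit status $rc"
done
```

For a running service, pass /proc/<MainPID>/mountinfo as the argument, where MainPID is the value reported by systemctl show --property=MainPID for that unit.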

Related hardening profiles

The systemd unit setting ProtectControlGroups is used in the following hardening profiles.

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
