ProtectControlGroups setting
The property ProtectControlGroups is a systemd unit setting used for sandboxing. It is available since systemd 232.
Purpose: limit write access to the control group directory structure under /sys/fs/cgroup
Why and when to use ProtectControlGroups
The systemd unit setting ProtectControlGroups reduces write access to cgroups (Linux control groups). Information about cgroups is normally available under /sys/fs/cgroup. This setting restricts a process from writing anything to this directory structure.
Configuration options
Before systemd 257, only boolean values (yes/no, true/false) were accepted. With systemd 257 the string values private and strict were added. If set to "private", a new cgroup namespace is allocated for the service and cgroupfs is mounted accordingly; "strict" also allocates a new cgroup namespace but mounts its cgroupfs read-only.
Generic advice
For most services ProtectControlGroups can be turned on. Typically only container managers require write access to the control group structures.
Example configuration
[Service]
ProtectControlGroups=yes
Values
The systemd unit setting ProtectControlGroups expects a boolean (yes/no or true/false) or a string value.
Value | Intended action | Available since systemd version
---|---|---
no | do not limit write access (default) |
yes | restrict access and mark the control group directory structure as read-only |
private | a new cgroup namespace is allocated and the relevant cgroupfs mounted | 257
strict | a new cgroup namespace is allocated and its cgroupfs mounted read-only | 257
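As an added example (not part of the original page), the following POSIX shell script classifies the values from the table above and reports units that still leave cgroup writes open. It runs offline on a constructed sample; the commented-out loop shows how the same report would be fed from systemctl on a real host. The function names pcg_is_hardened and pcg_report_unhardened are this example's own.

```shell
#!/bin/sh
# Added example: audit ProtectControlGroups across units.
# Real input would come from:
#   systemctl show --property=ProtectControlGroups --value <unit>
# Here constructed sample lines are used so the script runs without systemd.

# Return 0 when the value restricts cgroup writes.
# yes/true/on/1 are systemd's boolean spellings for "enabled";
# private and strict are the string values added in systemd 257.
pcg_is_hardened() {
    case "$1" in
        yes|true|on|1|private|strict) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "<unit> <value>" pairs on stdin and print, one per line,
# the units whose value does not restrict cgroup writes.
pcg_report_unhardened() {
    while read -r unit value; do
        [ -n "$unit" ] || continue
        if ! pcg_is_hardened "$value"; then
            printf '%s\n' "$unit"
        fi
    done
}

# Constructed sample of what the systemctl query might return for a few units.
SAMPLE_UNITS='ssh.service no
systemd-journald.service yes
nginx.service strict
docker.service no
cups.service private'

# Live use on a systemd host (assumed invocation; left commented out):
# for u in $(systemctl list-units --type=service --no-legend --plain | awk '{print $1}'); do
#     printf '%s %s\n' "$u" "$(systemctl show --property=ProtectControlGroups --value "$u")"
# done | pcg_report_unhardened

printf '%s\n' "$SAMPLE_UNITS" | pcg_report_unhardened
```

With the sample input the report lists ssh.service and docker.service; docker.service is the kind of container manager the generic advice above exempts, so a finding there is expected and should be reviewed rather than blindly fixed.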
Example to show the current value of ProtectControlGroups for the ssh service:
systemctl show --property=ProtectControlGroups ssh.service
Related hardening profiles
The systemd unit setting ProtectControlGroups is used in the following hardening profiles.