ProtectKernelTunables setting
This article has last been updated at .
The property ProtectKernelTunables is a systemd unit setting used for sandboxing. It is available since systemd 232.
Purpose: limit access to Linux kernel tunables and make others read-only
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use ProtectKernelTunables
The systemd unit setting ProtectKernelTunables aims to protect Linux kernel information and settings, so-called kernel tunables. These tunables are stored within /proc and /sys.
This setting will also restrict access fully to /proc/kallsyms as well as /proc/kcore .
/proc/kallsyms
contains a symbol table from the Linux kernel providing function and variable names. It may be used by developers and system administrators to troubleshoot kernel issues.
See What is the file /proc/kallsyms on Linux? for more details.
Valid options
The value no is the default setting and will not restrict access. Use yes to mark most of the Linux kernel tunables read-only and restrict access to the /proc/kallsyms as well as /proc/kcore .
Generic advice
For most services the value ProtectKernelTunables=yes can be used to restrict access to the kernel tunables.
Values
Systemd unit setting ProtectKernelTunables expects a boolean (yes/no or true/false) or string value.
| Value | Intended action | Available since systemd version |
|---|---|---|
| no | normal access allowed to /proc and /sys - default | |
| yes | restrict permissions within /proc and /sys |
Example to show the current value of ProtectKernelTunables for the ssh service:
systemctl show --property=ProtectKernelTunables ssh.serviceRelated hardening profiles
The systemd unit setting ProtectKernelTunables is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.
