« Back to Settings for systemd units

ProtectKernelTunables setting

The property ProtectKernelTunables is a systemd unit setting used for sandboxing. It is available since systemd 232.

Purpose: limit access to Linux kernel tunables and make others read-only

Why and when to use ProtectKernelTunables

The systemd unit setting ProtectKernelTunables aims to protect Linux kernel information and settings, so-called kernel tunables. These tunables are stored within /proc and /sys.

This setting will also restrict access fully to /proc/kallsyms as well as /proc/kcore .

/proc/kallsyms

contains a symbol table from the Linux kernel providing function and variable names. It may be used by developers and system administrators to troubleshoot kernel issues.

See What is the file /proc/kallsyms on Linux? for more details.

Valid options

The value no is the default setting and will not restrict access. Use yes to mark most of the Linux kernel tunables read-only and restrict access to the /proc/kallsyms as well as /proc/kcore .

Generic advice

For most services the value ProtectKernelTunables=yes can be used to restrict access to the kernel tunables.

Values

Systemd unit setting ProtectKernelTunables expects a boolean (yes/no or true/false) or string value.

Values for systemd unit setting ProtectKernelTunables
ValueIntended actionAvailable since
systemd version
nonormal access allowed to /proc and /sys - default
yesrestrict permissions within /proc and /sys

Example to show the current value of ProtectKernelTunables for the ssh service:

systemctl show --property=ProtectKernelTunables ssh.service

Related hardening profiles

The systemd unit setting ProtectKernelTunables is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon