ProtectSystem setting

The property ProtectSystem is a systemd unit setting used for sandboxing. It is available since systemd 214.

Purpose: mark some file system paths as read-only

Why and when to use ProtectSystem

The setting ProtectSystem reduces write access to specific paths based on the setting.

Generic advice

For most services ProtectSystem can be used with yes, full, or strict. The latter is the most strict setting and often requires ReadWritePaths to allow application-specific paths to work.

Testing

Use the systemd-run command to see if file creation is restricted by setting it to ‘strict’.

systemd-run --pty --property=ProtectSystem=strict touch ./testfile

This should return an error:

/usr/bin/touch: cannot touch './testfile': Read-only file system

Example configuration

Values

Define the paths that are granted write access.

[Service]
ProtectSystem=strict
ReadWritePaths=/var/log/application-logs /var/run/application

Caveats of ProtectSystem

The option ProtectSystem has no effect when:

• kernel has no file system namespacing
• service manager within a container manager that makes file system namespacing unavailable

Values

• no: do not limit file system for invoked processes - default
• yes: mount /usr and boot loader paths (/boot, /efi) read-only for invoked processes
• full: mount /usr, /boot, /efi, /etc as read-only for invoked processes
• strict: mount full file system read-only, except /dev, /proc, and /sys

Example to show the current value of ProtectSystem for the dmesg service:

Related hardening profiles

The systemd unit setting ProtectSystem is used in the following hardening profiles.

• Nginx hardening profile