ProtectSystem setting
The property ProtectSystem is a systemd unit setting used for sandboxing. It is available since systemd 214.
Purpose: mark some file system paths as read-only
Why and when to use ProtectSystem
The setting ProtectSystem reduces write access to specific paths based on the setting.
Generic advice
For most services ProtectSystem can be used with yes, full, or strict. The latter is the most strict setting and often requires ReadWritePaths to allow application-specific paths to work.
Testing
Use the systemd-run command to see if file creation is restricted by setting it to ‘strict’.
systemd-run --pty --property=ProtectSystem=strict touch ./testfile
This should return an error:
/usr/bin/touch: cannot touch './testfile': Read-only file system
Example configuration
Values
Define the paths that are granted write access.
[Service]
ProtectSystem=strict
ReadWritePaths=/var/log/application-logs /var/run/application
Caveats of ProtectSystem
The option ProtectSystem has no effect when:
- kernel has no file system namespacing
- service manager within a container manager that makes file system namespacing unavailable
Values
Systemd unit setting ProtectSystem expects a boolean (yes/no or true/false) or string value.
Value | Intended action | Available since systemd version |
---|---|---|
no | do not limit file system for invoked processes - default | |
yes | mount /usr and boot loader paths (/boot, /efi) read-only for invoked processes | |
full | mount /usr, /boot, /efi, /etc as read-only for invoked processes | |
strict | mount full file system read-only, except /dev, /proc, and /sys |
Example to show the current value of ProtectSystem for the ssh service:
systemctl show --property=ProtectSystem ssh.serviceRelated hardening profiles
The systemd unit setting ProtectSystem is used in the following hardening profiles.