« Back to Settings for systemd units

RestrictNamespaces setting

This article has last been updated at .

The property RestrictNamespaces is a systemd unit setting used for sandboxing. It is available since systemd 233.

Purpose: control if namespaces usage is allowed

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use RestrictNamespaces

Systemd provides the setting RestrictNamespaces which aims to restrict what namespaces can be used. Linux namespaces create an abstraction layer around a global resource, such as a filesystem, to isolate it from other processes.

Relevant namespaces include:

  • cgroup
  • ipc
  • mnt
  • net
  • pid
  • user
  • uts

When using this option, the default is that it is used as an allow-list and define which namespaces are allowed.

To know if a process uses namespaces, consider looking at the source code for the following syscalls:

  • clone(2)
  • setns(2)
  • unshare(2)

An alternative is to inspect a binary with the strings command or analyze a process with strace.

Settings

This setting may be used once or multiple times. When it is used multiple times, it adds to the list (logical OR). Lines that have a value with tilde (~) prepended, will turn it into AND, blocking the relevant items.

To create a deny-list, add only those namespaces to block by prepending the list with a tilde (~).

When this setting is not configured, there are no restrictions when it comes to namespaces that a service can use.

Caveats

This setting only works on:

  • x86, x86-64
  • mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32
  • ppc64, ppc64-le
  • s390, s390x

Generic advice

Using this option depends really on the type of service and if a restriction is needed. Normally namespaces may already help shielding a service from a global resource. So this option should be used with care.

Values

Systemd unit setting RestrictNamespaces expects a boolean (yes/no or true/false) or string value.

Values for systemd unit setting RestrictNamespaces
ValueIntended actionAvailable since
systemd version
[LIST OF NAMESPACESdefine namespaces that are allowed or denied

Example to show the current value of RestrictNamespaces for the ssh service:

systemctl show --property=RestrictNamespaces ssh.service

Related hardening profiles

The systemd unit setting RestrictNamespaces is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

See the full list of Linux commands for additional system administration tools.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.