RestrictNamespaces setting
The property RestrictNamespaces is a systemd unit setting used for sandboxing. It is available since systemd 233.
Purpose: control allow namespaces
Why and when to use RestrictNamespaces
The setting RestrictNamespaces aims to restrict what namespaces can be used. Namespaces create an abstraction layer around a global resource, such as a filesystem.
Relevant namespaces include:
- cgroup
- ipc
- mnt
- net
- pid
- user
- uts
When using this option, the default is that it is used as an allow-list and define what namespaces only can be used.
Settings
This setting may be used once or multiple times. When it is used multiple times, it adds to the list (logical OR). Lines that have a value with tilde (~) prepended, will turn it into AND, blocking the relevant items.
To create a deny-list, add only those namespaces to block by prepending the list with a tilde (~).
When this setting is not configured, there are no restrictions when it comes to namespaces that a service can use.
Caveats
This setting only works on:
- x86, x86-64
- mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32
- ppc64, ppc64-le
- s390, s390x
Generic advice
Using this option depends really on the type of service and if a restriction is needed. Normally namespaces may already help shielding a service from a global resource. So this option should be used with care.
Values
- [LIST OF NAMESPACES: define namespaces that are allowed or denied
Example to show the current value of RestrictNamespaces for the dmesg service:
systemctl show --property=RestrictNamespaces dmesg.serviceRelated hardening profiles
The systemd unit setting RestrictNamespaces is used in the following hardening profiles.
