« Back to Settings for systemd units

RestrictRealtime setting

The property RestrictRealtime is a systemd unit setting used for sandboxing. It is available since systemd 231.

Purpose: limit the ability to use realtime scheduling

Why and when to use RestrictRealtime

The setting RestrictRealtime aims to restrict the usage of realtime scheduling by a service.

When using this option enabled, a service won’t be able to use realtime scheduling policies, such as:

  • SCHED_FIFO
  • SCHED_RR
  • SCHED_DEADLINE
  • SCHED_OTHER / SCHED_NORMAL

Generic advice

This option can be applied to most services. Typically only a small amount of services that require priority scheduling should not be restricted.

To find out if any scheduling policy is used, considering looking in the code of the program or use the strings command.

Values

This setting expects a boolean (yes or no).

  • no: do not restrict a service - default
  • yes: prevent service from using realtime scheduling

Example to show the current value of RestrictRealtime for the dmesg service:

systemctl show --property=RestrictRealtime dmesg.service

Related hardening profiles

The systemd unit setting RestrictRealtime is used in the following hardening profiles.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon