SystemCallArchitectures setting
The property SystemCallArchitectures is a systemd unit setting used for sandboxing. It has been available since systemd 209.
Purpose: restrict the subset of CPU instructions
Why and when to use SystemCallArchitectures
Linux user processes usually talk to the facilities of the operating system through an interface, a so-called ABI. For common instructions this is done using a syscall. When a system supports multiple ABIs, it may be useful to restrict the set that can be used, so that a setting like SystemCallFilter cannot be circumvented.
Generic advice
For most systemd units, the setting SystemCallArchitectures=native is advised to restrict access to one set of CPU instructions.
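An added example, not part of the original page or of systemd: a small Python check that reads unit file text and reports whether the advice above is followed, including the case where SystemCallFilter is set but the architectures are left unrestricted. It assumes only the [Service] section is relevant; the function names, result labels and sample units are constructed for illustration.

```python
# Added example: audit unit text for SystemCallArchitectures=native.
# Assumption: only the [Service] section is inspected. Sample units are constructed.

def service_settings(unit_text):
    """Collect [Service] assignments as lists of words.
    Repeated keys accumulate; an empty assignment resets the list."""
    settings, section, pending = {}, None, ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value:
            settings.setdefault(key, []).extend(value.split())
        else:
            settings[key] = []
    return settings

def audit(unit_text):
    """Return 'ok', 'extra-abis', 'filter-without-arch-limit' or 'unrestricted'."""
    s = service_settings(unit_text)
    archs = s.get("SystemCallArchitectures", [])
    if archs and set(archs) == {"native"}:
        return "ok"
    if archs:                                # further ABIs allowed besides native
        return "extra-abis"
    # Empty list is the default: no architecture filtering is applied.
    return "filter-without-arch-limit" if s.get("SystemCallFilter") else "unrestricted"

HARDENED = "[Service]\nSystemCallFilter=@system-service\nSystemCallArchitectures=native\n"
FILTER_ONLY = "[Service]\nSystemCallFilter=@system-service\n"
EXTRA = "[Service]\nSystemCallArchitectures=native x86\n"
RESET = HARDENED + "SystemCallArchitectures=\n"   # a later empty assignment clears it

if __name__ == "__main__":
    for name in ("HARDENED", "FILTER_ONLY", "EXTRA", "RESET"):
        print(name, audit(globals()[name]))
```

On a running system, `systemctl show -p SystemCallArchitectures <unit>` shows the value the manager actually applied after all drop-ins are merged.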
Related hardening profiles
The systemd unit setting SystemCallArchitectures is used in the following hardening profiles.