SystemCallArchitectures setting

This article has last been updated at January 28, 2025.

The property SystemCallArchitectures is a systemd unit setting used for sandboxing. It is available since systemd 209.

Purpose: restrict the subset of CPU instructions

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use SystemCallArchitectures

Usually Linux user processes talk via an interface with an operating system facility using a so-called ABI . For common instructions this is done using a syscall. When a system supports multiple ABIs, it may be useful to restrict the set that can be used to prevent circumventing a systemd setting like SystemCallFilter. The setting SystemCallArchitectures can be used to restrict this.

Generic advice

For most systemd units, the setting SystemCallArchitectures=native is advised to restrict access one set of CPU instructions.

Related hardening profiles

The systemd unit setting SystemCallArchitectures is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Like to learn more? Here is a list of articles within the same category or having similar tags.