
SystemCallFilter setting


The property SystemCallFilter is a systemd unit setting used for sandboxing. It is available since systemd 187.

Purpose: define what syscalls are allowed or forbidden to be used by a process

New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.

Why and when to use SystemCallFilter

Systemd provides the unit setting SystemCallFilter, which aims to prevent the misuse of syscalls that a process (or its children) does not need for normal operation. The filtering is implemented with seccomp and defines which syscalls are allowed; in other words, it restricts the abilities of a process (sandboxing). It does require that the system administrator understands what the process actually does. See the overview of Linux syscalls for more details.

Configuration

This setting takes a space-separated list and may be specified multiple times.

Allow-listing

By default the list contains the names of allowed system calls. Any syscall not in the list is denied, and a process that attempts it is terminated immediately.

Deny-listing

The opposite approach is to prefix the list with a ~ as its first character. The list is then treated as a deny-list: a process that calls any of the listed syscalls is terminated.

Combination

When both allow-listing and deny-listing are used, the first entry encountered takes precedence and defines the default action (termination or approval of a syscall); later entries refine that set.

Filter sets

Instead of defining each syscall, there are also predefined sets that can be used:

  • @aio
  • @basic-io
  • @chown
  • @clock
  • @cpu-emulation
  • @debug
  • @file-system
  • @io-event
  • @ipc
  • @keyring
  • @memlock
  • @module
  • @mount
  • @network-io
  • @obsolete
  • @pkey
  • @privileged
  • @process
  • @raw-io
  • @reboot
  • @resources
  • @sandbox
  • @setuid
  • @signal
  • @swap
  • @sync
  • @system-service
  • @timer
  • @known

See systemd syscall filtering for more details, usage, and information about the predefined sets.

To see which syscalls are part of a set, use systemd-analyze:

# systemd-analyze syscall-filter @mount
@mount
    # Mounting and unmounting of file systems
    chroot
    fsconfig
    fsmount
    fsopen
    fspick
    mount
    mount_setattr
    move_mount
    open_tree
    pivot_root
    umount
    umount2
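A drop-in that combines the allow-listing and deny-listing behaviour described above, as an added example (not taken from the original article). The unit name example.service is a placeholder; SystemCallErrorNumber and SystemCallArchitectures are related systemd settings not covered on this page.

```ini
# /etc/systemd/system/example.service.d/10-syscall-filter.conf
# Placeholder unit name: replace "example.service" with the real unit.
[Service]
# The first entry is an allow-list, so the default action for any syscall
# not in the resulting set is to terminate the process. @system-service is
# the predefined set meant for typical system services.
SystemCallFilter=@system-service
# A later deny-list entry (leading ~) removes these sets from the allowed
# set built above, so the combination is "system-service minus these".
SystemCallFilter=~@privileged @resources @mount @obsolete
# Optional: return EPERM to the caller instead of killing the process,
# which is easier to diagnose while tuning the filter.
SystemCallErrorNumber=EPERM
# Restrict the process to the native syscall ABI, so the filter cannot be
# bypassed through a foreign (e.g. 32-bit compat) ABI.
SystemCallArchitectures=native
```

After adding the drop-in, run systemctl daemon-reload and restart the unit, then check the journal for SIGSYS terminations or EPERM errors that reveal syscalls the service still needs.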

Generic advice

This setting is a powerful option to restrict what processes can do.

Related hardening profiles

The systemd unit setting SystemCallFilter is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and the name of the unit:

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
