Kernel Log

ProtectKernelLogs setting

capabilities
configuration
kernel log
linux
systemd

Restrict systemd units to read or write to the kernel log ring buffer with the unit setting ProtectKernelLogs.

Summary

Background The Linux kernel exposes its kernel log ring buffer to userspace via /dev/kmsg and /proc/kmsg. When this setting is defined as yes, the capability CAP_SYS_MODULE will be removed from the capability bounding set. This means that all processes in the unit will no longer have access to the kernel log ring buffer. Generic advice For most common services access to the kernel log ring buffer is not need, therefore safe to disable (ProtectKernelLogs=yes).