Procfs
ProcSubset setting
Restrict systemd units to access information from the /proc directory with the unit setting ProcSubset.
Summary
Why and when to use ProcSubset
The setting ProcSubset controls the “subset” mount option of /proc for the unit.
Caveats
This setting has no effect if the “subset” mount option for procfs is not supported by the kernel.
Generic advice
The Linux kernel exposes information from various kernel APIs via /proc. When this setting is activated, those kernel APIs also become unavailable, which might break common software unless the process is trivial. So this option is to be used with care. Typically it may be better to use the ProtectProc setting instead.
ProtectProc setting
Restrict systemd units to access information from the /proc directory with the unit setting ProtectProc.
Summary
Why and when to use ProtectProc
The setting ProtectProc aims to protect information that normally can be retrieved from /proc.
Settings
The value default, which is also the default value, does not restrict access. The value invisible hides information, and ptraceable restricts the visible set to only those processes that can be monitored with the ptrace() system call. The value noaccess is the strictest option.
Caveats
This setting has no effect if the kernel does not support the hidepid mount option per individual mount point.
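As an added example that is not part of the original page, the script below covers both settings: it renders a drop-in that applies ProtectProc= and ProcSubset= to a unit, and it parses the procfs entry of a mountinfo line so an administrator can confirm from inside the unit which hidepid= and subset= mount options /proc actually carries (the two caveats above describe exactly the case where nothing was applied). The unit name myservice.service and the drop-in path are placeholders, and the mountinfo line in SAMPLE_MOUNTINFO is constructed in the proc(5) format.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: "myservice.service"
# and its drop-in path are placeholders; SAMPLE_MOUNTINFO is a constructed
# /proc/self/mountinfo line in the format documented in proc(5).

# Drop-in text for a hypothetical unit. ProcSubset=pid is the restrictive
# value (only /proc/<pid>/ entries remain); ProtectProc=invisible hides
# other users' processes via hidepid=invisible.
render_drop_in() {
    cat <<'EOF'
# /etc/systemd/system/myservice.service.d/procfs.conf (placeholder path)
[Service]
ProtectProc=invisible
ProcSubset=pid
EOF
}

# Constructed mountinfo line as a unit with both settings would see it.
SAMPLE_MOUNTINFO='36 25 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw,hidepid=invisible,subset=pid'

# proc_mount_opts LINE: print the filesystem-specific options (last field)
# of a mountinfo line whose mount point (field 5) is /proc; prints nothing
# for any other mount point.
proc_mount_opts() {
    printf '%s\n' "$1" | awk '$5 == "/proc" { print $NF }'
}

# mount_opt_value OPTS NAME: print the value of NAME=... from a comma list,
# or "unset" when the option is absent (i.e. the kernel default applies,
# which is the symptom of an unsupported hidepid=/subset= option).
mount_opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v k="$2" '$1 == k { print $2; found = 1 } END { if (!found) print "unset" }'
}

# summarise_opts OPTS: one-line summary "hidepid=<v> subset=<v>".
summarise_opts() {
    printf 'hidepid=%s subset=%s\n' \
        "$(mount_opt_value "$1" hidepid)" "$(mount_opt_value "$1" subset)"
}

# report_proc_protection [MOUNTINFO_FILE]: summarise the /proc mount visible
# to the caller; defaults to the caller's own mount namespace.
report_proc_protection() {
    file="${1:-/proc/self/mountinfo}"
    summarise_opts "$(awk '$5 == "/proc" { print $NF; exit }' "$file")"
}

# Stand-alone run: show the drop-in, then check the constructed sample line.
render_drop_in
summarise_opts "$(proc_mount_opts "$SAMPLE_MOUNTINFO")"
```

To check the real effect rather than the constructed sample, run report_proc_protection from inside a transient unit started with the same properties, for example via systemd-run -p ProtectProc=invisible -p ProcSubset=pid; the mountinfo it reads then belongs to the unit's own mount namespace. A result of hidepid=unset or subset=unset means the kernel silently ignored the option, which is the caveat both sections above warn about.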