Procfs

ProcSubset setting

Restrict which information under the /proc directory a systemd unit can access with the unit setting ProcSubset.

Summary

Why and when to use ProcSubset

The setting ProcSubset controls the “subset” mount option of /proc for the unit.

Caveats

This setting does not work if the “subset” option for procfs is not supported.

Generic advice

The Linux kernel shares information from various kernel APIs via /proc. When this setting is activated, these kernel APIs are also made unavailable to the unit, which might break common software unless it is a trivial process. This option should therefore be used with care. Typically it may be better to use the ProtectProc setting.

ProtectProc setting

Restrict which information under the /proc directory a systemd unit can access with the unit setting ProtectProc.

Summary

Why and when to use ProtectProc

The setting ProtectProc aims to protect information that normally can be retrieved from /proc.

Settings

The value default, which is also the default, will not restrict access. The value invisible will hide information, whereas ptraceable restricts the set to only processes that can be monitored with the system call ptrace(). The value noaccess is the strictest option.

Caveats

This setting will have no effect if the kernel does not support the hidepid mount option per individual mount point.
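
Both caveats above (ProcSubset and ProtectProc) describe settings that may not take effect on an unsupported kernel, so it is worth checking the procfs mount the unit actually sees. The following is an added example, not code from systemd or from this page: it parses mountinfo-formatted text and compares the hidepid= and subset= options against expected values. The function names and sample lines are constructed, and it assumes the kernel lists the options by name (for example hidepid=invisible, subset=pid).

```python
"""Report the hidepid= and subset= options of the procfs mount a process sees."""
import sys

# Constructed sample lines in /proc/self/mountinfo format (not from a real host).
SAMPLE_DEFAULT = "24 29 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw"
SAMPLE_HARDENED = ("712 650 0:61 / /proc rw,nosuid,nodev,noexec,relatime - proc proc "
                   "rw,hidepid=invisible,subset=pid")

def proc_mount_options(mountinfo_text, mount_point="/proc"):
    """Return {'hidepid': v, 'subset': v} for procfs on mount_point, or None."""
    # A value of None means the option is not listed on the mount.
    # The last matching line wins, since later mounts cover earlier ones.
    found = None
    for line in mountinfo_text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # optional fields end at a lone "-"
        except ValueError:
            continue  # blank or malformed line
        if fields[4] != mount_point or fields[sep + 1:sep + 2] != ["proc"]:
            continue
        # Per-mount options (field 6) plus super-block options (last field).
        options = fields[5].split(",") + ",".join(fields[sep + 3:]).split(",")
        found = {"hidepid": None, "subset": None}
        for opt in options:
            key, _, value = opt.partition("=")
            if key in found and value:
                found[key] = value
    return found

def verify(mountinfo_text, want_hidepid=None, want_subset=None):
    """Return a list of mismatches between the mount and the expected values."""
    seen = proc_mount_options(mountinfo_text)
    if seen is None:
        return ["no procfs mount found on /proc"]
    problems = []
    for key, want in (("hidepid", want_hidepid), ("subset", want_subset)):
        if seen[key] != want:
            problems.append(f"{key}: expected {want!r}, mount has {seen[key]!r}")
    return problems

if __name__ == "__main__":
    # Usage: script.py [expected-hidepid [expected-subset]]
    with open("/proc/self/mountinfo") as fh:
        issues = verify(fh.read(), *sys.argv[1:3])
    print("\n".join(issues) or "procfs mount options match")
    sys.exit(1 if issues else 0)
```

Run it from inside the unit (for example as a temporary ExecStartPre= command), so that /proc/self/mountinfo reflects the unit's own mount namespace rather than the host's.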