Systemd Adds New "ProtectSystem Strict" Option, Other New Tunables
Written by Michael Larabel in systemd on 28 September 2016 at 07:33 AM EDT. 43 Comments
SYSTEMD --
Landing over night in systemd Git were several new tunables for offering better system security/protection. The systemd-udevd.service is also now run in a Seccomp-based sandbox to prohibit any network access.

One of the new tunables is ProtectKernelTunables=. The ProtectKernelTunables option makes kernel variables via /proc/sys, /proc/acpi, and some other /proc interfaces read-only to all processes of the unit.

The ProtectControlGroups= tunable makes the cgroups hierarchies through /sys/fs/cgroups now read-only to all processes of the units. With the exception of container managers, systemd is seeking to block other services from having write-access to the Linux Control Groups hierarchies.

Lastly, the ProtectSystem= tunable now accepts a strict argument. When ProtectSystem is set to the strict mode, the entire file-system hierarchy is mounted read-only except for API file-system sub-trees of /dev, /proc, and /sys while those directories can be further protected with the ProtectControlGroups, ProtectKernelTunables, and PrivateDevices tunables).

Ultimately systemd developers are looking at setting ProtectSystem=strict for all long-running services to for further lock-down where services have write-access.

Those wishing to learn more about these latest additions to systemd that add more than one thousand lines of new code can see this Git merge with all of the details.
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related systemd News
Popular News