Securing applications with systemd

Did you know that systemd has built-in options for process isolation? With sandboxing techniques it can restrict an application from performing certain types of operations. Today we’ll review basic concepts and security settings in detail.

PrivateTmp=true|false If enabled, gives the unit its own separate /tmp directory, which prevents certain kinds of DoS attacks through shared temporary files.

PrivateNetwork=true|false If set to true, isolates the application in a separate network namespace in which only the loopback interface is available. Useful to keep a service from dialing out to the internet.

ProtectSystem=true|full|strict If set to true, the /usr and /boot directories become read-only; 'full' adds /etc to the list and 'strict' makes the whole filesystem read-only.

PrivateDevices=true|false If enabled, hides the devices in /dev except for standard UNIX pseudo-devices such as /dev/null.

ProtectHome=true|false If enabled, prevents read and write access to /home, /root and /run/user. Useful to protect your precious data.
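As an added example (not code from the original post), here is a drop-in that combines all five directives for a hypothetical report-generator.service that needs no network access; the service name and its state directory under /var/lib are assumptions:

```ini
# /etc/systemd/system/report-generator.service.d/hardening.conf
# Drop-in override for the hypothetical report-generator.service.
# Apply with:  systemctl daemon-reload && systemctl restart report-generator
# Check with:  systemd-analyze security report-generator
[Service]
# Private /tmp: other processes cannot fill or tamper with this unit's temp files.
PrivateTmp=true

# Service never talks to the network, so give it a namespace with only loopback.
# A daemon that must listen on a real interface cannot use this setting.
PrivateNetwork=true

# "true" makes /usr and /boot read-only, "full" adds /etc,
# "strict" makes the entire filesystem read-only.
ProtectSystem=strict
# With "strict", every path the service legitimately writes must be listed here,
# otherwise the service fails at start-up (assumed state directory).
ReadWritePaths=/var/lib/report-generator

# /dev only exposes pseudo-devices such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# /home, /root and /run/user appear empty and inaccessible to the service.
ProtectHome=true
```

Run `systemd-analyze security` before and after adding the drop-in to see how the unit's exposure score changes.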
