New sandbox features in systemd

November 4, 2016

Restricting the privileges of Linux services and reducing their attack surface has always been challenging. You need to adapt your software or start looking for a sandbox program or a manager that handles this for you. At this point you should look at systemd.

systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket activation for starting services, offers on-demand starting of daemons and keeps track of processes using Linux control groups. systemd also supports SysV and LSB init scripts and works as a replacement for sysvinit. [1]

Securing services is not only useful for the cloud but also for the embedded and IoT industries. In a world where all components are tied together, things move fast and you have to accelerate your development/shipping cycle, you need a manager for your services or applications that will keep you secure.

It should

1) solve the most basic problems of system and service management in an efficient way.

2) handle security and sandbox operations. If your service is affected by a vulnerability, then you want to reduce the exposure.

3) handle resource consumption.

4) be reliable, stable and able to restart your services on failures.

And this is where systemd enters the arena. systemd is supported by the major actors in the industry, for example Red Hat, Intel or SUSE. These players provide the resources to make it a reliable technology, and it covers all the issues we just listed.

Current state

In this quick summary we will show you some of the security features that help you secure your services and applications:


1) Set root directory for your service

RootDirectory= | Sets the root directory for the executed processes of the unit. It uses the plain old chroot() functionality.

2) Protect your file system and disk

PrivateDevices=yes | Prevents your services from accessing the raw disks.

3) Disable network

PrivateNetwork=yes | Securely turns off network access for the executed processes of the unit.

4) Protect your file system

ProtectSystem= | Makes /usr, /boot and even the full file system read-only, preventing any modification of the file system. This is particularly useful for Embedded Systems to support factory reset.

5) Private temporary directory

PrivateTmp=yes | Gives a private temporary file system for the processes of the unit that is not shared by other processes.

6) Set user, group and supplementary groups for your service

User=, Group= , SupplementaryGroups= | Sets the user, group, and supplementary Unix groups under which the processes of the unit are executed.

7) Watchdog and restart your services on failure

RuntimeWatchdogSec= and ShutdownWatchdogSec= of /etc/systemd/system.conf, WatchdogSec=, Restart=on-failure | Support the hardware and software watchdog features, allowing the hardware to reset itself or enabling automatic service restarts on failure using the software watchdog feature.

8) Control CPU usage

LimitCPU=, CPUAccounting=, CPUQuota= | Turn on CPU accounting and set the CPU limits for the processes of the unit.

9) Control Memory usage

MemoryMax=, MemoryLow=, MemoryHigh= and TasksMax=N | Set the memory limits for the processes of the unit and the maximum number of tasks that can be created.

10) Control Linux Capabilities

CapabilityBoundingSet= and AmbientCapabilities= | Set which Linux capabilities the processes of the unit will have.

11) Block access to Linux interfaces

SystemCallFilter= | Blocks access to Linux system calls. This is particularly useful if there is a vulnerability in Linux and you want to block access to it. As an example you could block the recent Linux kernel madvise vulnerability [2] by using "SystemCallFilter=~madvise". This blocks access to the Linux madvise system call, thus effectively blocking exploits of that vulnerability.
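The directives in the list above are meant to be stacked in one unit file. The following unit is an added example written for this post, not a unit shipped by systemd or Endocode: a hypothetical local batch worker that needs no network access. The service name, the /usr/bin/example-worker path and the "example" account are assumptions; SystemCallErrorNumber= is mentioned only in a comment and is not one of the directives the post discusses. RootDirectory= is left out because it needs a populated chroot tree to point at.

```ini
# example-worker.service (added example, not from the original post)
# Hypothetical local batch worker; the unit name, the executable path
# and the "example" user/group are assumptions.
[Unit]
Description=Sandboxed example worker

[Service]
ExecStart=/usr/bin/example-worker
# 6) Run as a dedicated unprivileged account (it must exist already);
#    SupplementaryGroups= would add further groups if the worker needed them.
User=example
Group=example
# 2) Private /dev containing only pseudo devices: no raw disks, no /dev/mem.
PrivateDevices=yes
# 3) Private network namespace with only a loopback interface. Use this
#    only for services that never talk to the network.
PrivateNetwork=yes
# 4) /usr and /boot read-only ("full" makes /etc read-only as well).
ProtectSystem=full
# 5) /tmp and /var/tmp are private to this unit.
PrivateTmp=yes
# 7) Restart after an unclean exit. WatchdogSec= only helps if the program
#    pings systemd with sd_notify("WATCHDOG=1") more often than this interval;
#    otherwise systemd kills and (with Restart=) restarts it.
Restart=on-failure
WatchdogSec=30
# 8) and 9) Resource accounting and hard limits via control groups.
CPUAccounting=yes
CPUQuota=50%
MemoryMax=256M
TasksMax=64
# 10) An empty bounding set drops every capability, so even code that
#     becomes root inside the service gains no special privileges.
CapabilityBoundingSet=
# 11) Seccomp filter. "~" blocks the listed calls; a process that invokes
#     one is killed with SIGSYS unless SystemCallErrorNumber= is set to
#     return an errno instead.
SystemCallFilter=~madvise

[Install]
WantedBy=multi-user.target
```

Install it as /etc/systemd/system/example-worker.service, run systemctl daemon-reload and start it; the first thing to check after adding a restrictive directive is the journal of the unit, because a sandboxed program that needs /dev, the network or a filtered system call fails at start rather than later.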

New security features

These are cool features, but there is more. Endocode engineers helped with and contributed some new features that improve the security of your system even more.

Here are some of the new features we just worked on:


1) Block loading and unloading arbitrary Linux kernel modules.

ProtectKernelModules=yes | Blocks explicit loading and unloading of kernel modules, drivers, etc. Particularly useful for Embedded Systems to make sure that your kernel is not modified.

2) Protect your file system

ProtectSystem=strict | Makes the whole file system read only for the processes of the unit.

3) Prevent Linux kernel tuning

ProtectKernelTunables=yes | Prevents tuning and configuring some Linux kernel parameters at run-time.

4) Prevent manipulation of Control Groups

ProtectControlGroups=yes | Prevents tuning the resource parameters of processes.

5) Dynamic User and group

DynamicUser=yes | Dynamically creates a user and group for your service. The user and group are released when the service terminates and all of its files are removed. Particularly useful for Embedded Systems to run services or apps with an empty /etc, without even /etc/passwd and /etc/group databases.
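The five new directives combine with the older ones. Below is an added example unit for a hypothetical small daemon, written for this post rather than taken from systemd or Endocode; it needs systemd 232 or newer. The unit name and the /usr/bin/example-telemetry path are assumptions, and RuntimeDirectory=, ReadWritePaths= and NoNewPrivileges= are existing systemd directives that the post does not discuss.

```ini
# example-telemetry.service (added example, not from the original post)
# Hypothetical daemon; the unit name and executable path are assumptions.
# Requires systemd 232 or newer for the Protect*= and DynamicUser= lines.
[Unit]
Description=Sandboxed daemon using the systemd 232 protections

[Service]
ExecStart=/usr/bin/example-telemetry
# 5) No static account in /etc/passwd: systemd allocates a transient
#    UID/GID for the lifetime of the service and releases it afterwards.
DynamicUser=yes
# A directory under /run, created at start, owned by the service user
# and removed at stop. The daemon keeps its scratch files there.
RuntimeDirectory=example-telemetry
# 2) The whole file system is read-only; ReadWritePaths= (assumed to be
#    required here) re-opens only the runtime directory for writing.
ProtectSystem=strict
ReadWritePaths=/run/example-telemetry
# 1) No loading or unloading of kernel modules from inside the service.
ProtectKernelModules=yes
# 3) /proc/sys, /sys and similar kernel tunables are read-only.
ProtectKernelTunables=yes
# 4) The control group hierarchy is read-only, so the service cannot
#    change its own or other units' resource limits.
ProtectControlGroups=yes
# Older directives from the first list stack on top of the new ones.
PrivateDevices=yes
PrivateTmp=yes
# Stop setuid/setgid binaries and file capabilities from granting
# privileges to child processes.
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

With ProtectSystem=strict the daemon's configuration can still be read from /etc; only writes are blocked, so a daemon that rewrites its own config at run-time needs that path added to ReadWritePaths= or, better, fixed so it does not.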

Check out systemd version 232 release notes for more information.


In this short blog post we showed how systemd can be used on Embedded Systems to manage your services, solve the most basic problems and sandbox your services. Naturally as software continues to advance, more problems are found and we are keen to continue solving them.

Follow us on twitter, check out our blog posts and other propaganda, and join us for our meetups.


[1] []

[2] []