summaryrefslogtreecommitdiff
path: root/man/systemd.exec.xml
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-02-25 20:37:03 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-26 02:19:28 +0100
commit4298d0b5128326621c8f537107c4c8b459490721 (patch)
tree38ed9f6806b45d153f39ea9da61eae5d34530523 /man/systemd.exec.xml
parent9875fd7875d433eea5c6e3319916e1be18722086 (diff)
core: add new RestrictAddressFamilies= switch
This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r--man/systemd.exec.xml50
1 files changed, 50 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 19839937c7..413d81d330 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1122,6 +1122,55 @@
</varlistentry>
<varlistentry>
+ <term><varname>RestrictAddressFamilies=</varname></term>
+
+ <listitem><para>Restricts the set of
+ socket address families accessible to
+ the processes of this unit. Takes a
+ space-separated list of address family
+ names to whitelist, such as
+ <constant>AF_UNIX</constant>,
+ <constant>AF_INET</constant> or
+ <constant>AF_INET6</constant>. When
+ prefixed with <constant>~</constant>
+ the listed address families will be
+ applied as blacklist, otherwise as
+ whitelist. Note that this restricts
+ access to the
+ <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ system call only. Sockets passed into
+ the process by other means (for
+ example, by using socket activation
+ with socket units, see
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+ are unaffected. Also, sockets created
+ with <function>socketpair()</function>
+ (which creates connected AF_UNIX
+ sockets only) are unaffected. Note
+ that this option has no effect on
+ 32bit x86 and is ignored (but works
+ correctly on x86-64). By default no
+ restriction applies, all address
+ families are accessible to
+ processes. If assigned the empty
+ string any previous list changes are
+ undone.</para>
+
+ <para>Use this option to limit
+ exposure of processes to remote
+ systems, in particular via exotic
+ network protocols. Note that in most
+ cases the local
+ <constant>AF_UNIX</constant> address
+ family should be included in the
+ configured whitelist as it is
+ frequently used for local
+ communication, including for
+ <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ logging.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>Personality=</varname></term>
<listitem><para>Controls which
@@ -1138,6 +1187,7 @@
host system's
kernel.</para></listitem>
</varlistentry>
+
</variablelist>
</refsect1>