author | Lennart Poettering <lennart@poettering.net> | 2014-02-25 20:37:03 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:19:28 +0100 |
commit | 4298d0b5128326621c8f537107c4c8b459490721 (patch) | |
tree | 38ed9f6806b45d153f39ea9da61eae5d34530523 /man/systemd.exec.xml | |
parent | 9875fd7875d433eea5c6e3319916e1be18722086 (diff) |
core: add new RestrictAddressFamilies= switch
This new unit setting allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.
This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform.
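The following is an added example, not code from systemd or from this commit. It models the semantics the commit describes (a space-separated whitelist of AF_* names, a `~` prefix turning it into a blacklist, the empty string undoing earlier assignments) and then probes, from inside a process, which address families `socket(2)` actually hands out, so a unit's restriction can be verified rather than assumed. Two things are assumptions of mine and not stated on the page: how a `~` list merges with a plain list (the model refuses the mix), and the errno a filtered `socket()` returns (the probe reports whatever errno it sees rather than matching one). The sample unit value, the `PROBE_TYPES` table and all function names are constructed for this example.

```python
"""Added example (not systemd's code): model the documented semantics of
RestrictAddressFamilies= and probe which address families socket(2) will
actually hand out to the current process.

Assumptions not stated on the page: repeated plain (or repeated "~")
assignments accumulate and mixing the two forms is not modelled; the errno a
filtered socket() returns is not given, so the probe reports what it sees.
"""
import errno
import platform
import socket

# Sample unit fragment (constructed for this example):
#   [Service]
#   RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SAMPLE_UNIT_VALUES = ["AF_UNIX AF_INET AF_INET6"]

# Socket type that lets each family be created without extra privileges where
# possible (AF_PACKET still needs CAP_NET_RAW, so EPERM there says nothing
# about the unit setting).
PROBE_TYPES = {
    "AF_UNIX": socket.SOCK_STREAM,
    "AF_INET": socket.SOCK_DGRAM,
    "AF_INET6": socket.SOCK_DGRAM,
    "AF_NETLINK": socket.SOCK_RAW,
    "AF_PACKET": socket.SOCK_RAW,
}


def parse_restrict_address_families(assignments):
    """Fold successive RestrictAddressFamilies= values into (mode, names).

    mode is "none" (default: everything allowed), "whitelist", or
    "blacklist" (value prefixed with "~"). The empty string undoes all
    previous assignments, as the man page text states.
    """
    mode, names = "none", set()
    for value in assignments:
        value = value.strip()
        if not value:
            mode, names = "none", set()
            continue
        new_mode = "blacklist" if value.startswith("~") else "whitelist"
        if mode not in ("none", new_mode):
            # ASSUMPTION: how a "~" list merges with a plain list is not
            # described on the page, so this model refuses the combination.
            raise ValueError("mixing ~ and plain lists is not modelled")
        mode = new_mode
        names.update(value.lstrip("~").split())
    return mode, names


def family_allowed(policy, name):
    """Whether socket(2) for address family `name` is permitted by policy."""
    mode, names = policy
    if mode == "none":
        return True
    if mode == "whitelist":
        return name in names
    return name not in names


def probe_family(family, socktype):
    """Try socket(family, socktype); return (created, errno name or "")."""
    try:
        sock = socket.socket(family, socktype)
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return True, ""


def probe_named_family(name):
    """probe_family() by AF_* name, using the socket type from PROBE_TYPES."""
    family = getattr(socket, name, None)
    if family is None:
        return False, "unknown on this platform"
    return probe_family(family, PROBE_TYPES[name])


def restriction_effective():
    """Heuristic: the setting is documented as ignored on 32-bit x86."""
    return platform.machine() not in ("i386", "i486", "i586", "i686")


def check_policy(policy, names=tuple(PROBE_TYPES)):
    """Compare the documented expectation with what socket(2) really does.

    Returns (name, expected_allowed, actually_created, errno name) per family.
    Run this inside the unit (e.g. from ExecStartPre=) to verify the setting.
    """
    return [(n, family_allowed(policy, n)) + probe_named_family(n) for n in names]


if __name__ == "__main__":
    pol = parse_restrict_address_families(SAMPLE_UNIT_VALUES)
    if not restriction_effective():
        print("warning: 32-bit x86 detected, RestrictAddressFamilies= is ignored here")
    for name, expected, created, err in check_policy(pol):
        print(f"{name:<11} expected={('allow' if expected else 'deny'):<5} "
              f"socket(2)={'ok' if created else 'fail ' + err}")
```

Run the script unrestricted first to see the baseline, then under the unit (or, on systemd versions whose `systemd-run` accepts `-p`, via `systemd-run -p RestrictAddressFamilies=AF_UNIX python3 probe.py`); a family the policy marks `deny` that still reports `ok` means the filter is not in effect, which is exactly what the commit says happens on 32-bit x86.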
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 19839937c7..413d81d330 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1122,6 +1122,55 @@ </varlistentry> <varlistentry> + <term><varname>RestrictAddressFamilies=</varname></term> + + <listitem><para>Restricts the set of + socket address families accessible to + the processes of this unit. Takes a + space-separated list of address family + names to whitelist, such as + <constant>AF_UNIX</constant>, + <constant>AF_INET</constant> or + <constant>AF_INET6</constant>. When + prefixed with <constant>~</constant> + the listed address families will be + applied as blacklist, otherwise as + whitelist. Note that this restricts + access to the + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> + system call only. Sockets passed into + the process by other means (for + example, by using socket activation + with socket units, see + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) + are unaffected. Also, sockets created + with <function>socketpair()</function> + (which creates connected AF_UNIX + sockets only) are unaffected. Note + that this option has no effect on + 32bit x86 and is ignored (but works + correctly on x86-64). By default no + restriction applies, all address + families are accessible to + processes. If assigned the empty + string any previous list changes are + undone.</para> + + <para>Use this option to limit + exposure of processes to remote + systems, in particular via exotic + network protocols. Note that in most + cases the local + <constant>AF_UNIX</constant> address + family should be included in the + configured whitelist as it is + frequently used for local + communication, including for + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> + logging.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>Personality=</varname></term> <listitem><para>Controls which @@ -1138,6 +1187,7 @@ host system's kernel.</para></listitem> </varlistentry> + </variablelist> </refsect1> |
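Review bot: the syslog citation in the second paragraph of the new RestrictAddressFamilies= entry points at the wrong manual section: syslog(2) is the kernel log buffer syscall, while the libc logging routine that reaches the syslog daemon over an AF_UNIX socket, which is the reason the paragraph gives for whitelisting AF_UNIX, is syslog(3), so `<manvolnum>2</manvolnum>` should read `<manvolnum>3</manvolnum>`. The same entry states that the option "has no effect on 32bit x86 and is ignored" without saying why; since the commit message explains that the restriction is a seccomp filter and that seccomp cannot filter socketcall() on that architecture, a sentence to that effect in the man page would let administrators understand what the setting does and does not guarantee on a given platform.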