diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-02-25 20:37:03 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:19:28 +0100 |
commit | 4298d0b5128326621c8f537107c4c8b459490721 (patch) | |
tree | 38ed9f6806b45d153f39ea9da61eae5d34530523 /src/shared/af-list.h | |
parent | 9875fd7875d433eea5c6e3319916e1be18722086 (diff) |
core: add new RestrictAddressFamilies= switch
This new unit settings allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.
This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform.
Diffstat (limited to 'src/shared/af-list.h')
-rw-r--r-- | src/shared/af-list.h | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/src/shared/af-list.h b/src/shared/af-list.h new file mode 100644 index 0000000000..e346ab87f5 --- /dev/null +++ b/src/shared/af-list.h @@ -0,0 +1,27 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +#pragma once + +/*** + This file is part of systemd. + + Copyright 2014 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +const char *af_to_name(int id); +int af_from_name(const char *name); + +int af_max(void); |