author | Lennart Poettering <lennart@poettering.net> | 2014-02-25 20:37:03 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-26 02:19:28 +0100 |
commit | 4298d0b5128326621c8f537107c4c8b459490721 (patch) | |
tree | 38ed9f6806b45d153f39ea9da61eae5d34530523 /src/shared/exit-status.c | |
parent | 9875fd7875d433eea5c6e3319916e1be18722086 (diff) |
core: add new RestrictAddressFamilies= switch
This new unit setting allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.
This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform.
Diffstat (limited to 'src/shared/exit-status.c')
-rw-r--r-- | src/shared/exit-status.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/shared/exit-status.c b/src/shared/exit-status.c index 902f55ac65..c1b04a3868 100644 --- a/src/shared/exit-status.c +++ b/src/shared/exit-status.c @@ -139,6 +139,9 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) { case EXIT_APPARMOR_PROFILE: return "APPARMOR"; + + case EXIT_ADDRESS_FAMILIES: + return "ADDRESS_FAMILIES"; } } |
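Review bot: the new `case EXIT_ADDRESS_FAMILIES:` in exit_status_to_string() relies on an enum value that is not visible here, because this view is limited to src/shared/exit-status.c. Please confirm that the same commit adds EXIT_ADDRESS_FAMILIES to the ExitStatus enum directly after EXIT_APPARMOR_PROFILE, so that the numeric code and the string "ADDRESS_FAMILIES" stay paired, and that the new name is listed wherever the other systemd-specific exit statuses are documented. Since the commit message says the feature does not work on x86-32, a short comment next to the case stating whether this status can be reported there, or whether the setting is skipped on that platform, would help anyone reading a failed unit's status.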