| -rw-r--r-- | man/systemd.exec.xml | 55 | 
1 files changed, 22 insertions, 33 deletions
| diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 8079b4b210..bb38ea2467 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1508,40 +1508,29 @@        <varlistentry>          <term><varname>RestrictAddressFamilies=</varname></term> -        <listitem><para>Restricts the set of socket address families -        accessible to the processes of this unit. Takes a -        space-separated list of address family names to whitelist, -        such as -        <constant>AF_UNIX</constant>, -        <constant>AF_INET</constant> or -        <constant>AF_INET6</constant>. When -        prefixed with <constant>~</constant> the listed address -        families will be applied as blacklist, otherwise as whitelist. -        Note that this restricts access to the -        <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> -        system call only. Sockets passed into the process by other -        means (for example, by using socket activation with socket -        units, see -        <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) -        are unaffected. Also, sockets created with -        <function>socketpair()</function> (which creates connected -        AF_UNIX sockets only) are unaffected. Note that this option -        has no effect on 32-bit x86 and is ignored (but works -        correctly on x86-64). If running in user mode, or in system -        mode, but without the <constant>CAP_SYS_ADMIN</constant> -        capability (e.g. setting <varname>User=nobody</varname>), -        <varname>NoNewPrivileges=yes</varname> is implied. By -        default, no restriction applies, all address families are -        accessible to processes. If assigned the empty string, any -        previous list changes are undone.</para> - -        <para>Use this option to limit exposure of processes to remote -        systems, in particular via exotic network protocols. 
Note that -        in most cases, the local <constant>AF_UNIX</constant> address -        family should be included in the configured whitelist as it is -        frequently used for local communication, including for +        <listitem><para>Restricts the set of socket address families accessible to the processes of this unit. Takes a +        space-separated list of address family names to whitelist, such as <constant>AF_UNIX</constant>, +        <constant>AF_INET</constant> or <constant>AF_INET6</constant>. When prefixed with <constant>~</constant> the +        listed address families will be applied as blacklist, otherwise as whitelist.  Note that this restricts access +        to the <citerefentry +        project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call +        only. Sockets passed into the process by other means (for example, by using socket activation with socket +        units, see <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) +        are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected AF_UNIX +        sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le, +        ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other architectures, including x86-64). If +        running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability +        (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default, +        no restrictions apply, all address families are accessible to processes. If assigned the empty string, any +        previous address familiy restriction changes are undone. 
This setting does not affect commands prefixed with +        <literal>+</literal>.</para> + +        <para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive +        network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local +        <constant>AF_UNIX</constant> address family should be included in the configured whitelist as it is frequently +        used for local communication, including for          <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> -        logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem> +        logging.</para></listitem>        </varlistentry>        <varlistentry> | 
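Review bot: The added architecture list in the first rewritten paragraph contains `pcc64`, which looks like a typo for `ppc64` given the neighbouring `ppc`, `ppc-le` and `ppc64-le` entries, and the empty-string sentence in the same paragraph has `familiy` for `family`. The architecture sentence now places a nine-item list between "has no effect on" and "and is ignored"; rewording it to "is ignored on 32-bit x86, s390, ... (but works correctly on other architectures, including x86-64)" would read more clearly. There is also a stray double space after "otherwise as whitelist." in the added text.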
