diff options
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.exec.xml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 19839937c7..413d81d330 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1122,6 +1122,55 @@ </varlistentry> <varlistentry> + <term><varname>RestrictAddressFamilies=</varname></term> + + <listitem><para>Restricts the set of + socket address families accessible to + the processes of this unit. Takes a + space-separated list of address family + names to whitelist, such as + <constant>AF_UNIX</constant>, + <constant>AF_INET</constant> or + <constant>AF_INET6</constant>. When + prefixed with <constant>~</constant> + the listed address families will be + applied as blacklist, otherwise as + whitelist. Note that this restricts + access to the + <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> + system call only. Sockets passed into + the process by other means (for + example, by using socket activation + with socket units, see + <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>) + are unaffected. Also, sockets created + with <function>socketpair()</function> + (which creates connected AF_UNIX + sockets only) are unaffected. Note + that this option has no effect on + 32bit x86 and is ignored (but works + correctly on x86-64). By default no + restriction applies, all address + families are accessible to + processes. If assigned the empty + string any previous list changes are + undone.</para> + + <para>Use this option to limit + exposure of processes to remote + systems, in particular via exotic + network protocols. Note that in most + cases the local + <constant>AF_UNIX</constant> address + family should be included in the + configured whitelist as it is + frequently used for local + communication, including for + <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry> + logging.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>Personality=</varname></term> <listitem><para>Controls which @@ -1138,6 +1187,7 @@ host system's kernel.</para></listitem> </varlistentry> + </variablelist> </refsect1> |