1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00

man: Document that RestrictAddressFamilies= doesn't work on s390/s390x/...

We already say that it doesn't work on i386, but there are more archs
like that apparently.
This commit is contained in:
Lennart Poettering 2017-02-03 18:33:04 +01:00
parent ad8f1479b4
commit 142bd808a1

View File

@ -1508,40 +1508,29 @@
<varlistentry>
<term><varname>RestrictAddressFamilies=</varname></term>
<listitem><para>Restricts the set of socket address families
accessible to the processes of this unit. Takes a
space-separated list of address family names to whitelist,
such as
<constant>AF_UNIX</constant>,
<constant>AF_INET</constant> or
<constant>AF_INET6</constant>. When
prefixed with <constant>~</constant> the listed address
families will be applied as blacklist, otherwise as whitelist.
Note that this restricts access to the
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
system call only. Sockets passed into the process by other
means (for example, by using socket activation with socket
units, see
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
are unaffected. Also, sockets created with
<function>socketpair()</function> (which creates connected
AF_UNIX sockets only) are unaffected. Note that this option
has no effect on 32-bit x86 and is ignored (but works
correctly on x86-64). If running in user mode, or in system
mode, but without the <constant>CAP_SYS_ADMIN</constant>
capability (e.g. setting <varname>User=nobody</varname>),
<varname>NoNewPrivileges=yes</varname> is implied. By
default, no restriction applies, all address families are
accessible to processes. If assigned the empty string, any
previous list changes are undone.</para>
<listitem><para>Restricts the set of socket address families accessible to the processes of this unit. Takes a
space-separated list of address family names to whitelist, such as <constant>AF_UNIX</constant>,
<constant>AF_INET</constant> or <constant>AF_INET6</constant>. When prefixed with <constant>~</constant> the
listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access
to the <citerefentry
project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call
only. Sockets passed into the process by other means (for example, by using socket activation with socket
units, see <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected AF_UNIX
sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le,
ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other architectures, including x86-64). If
running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability
(e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default,
no restrictions apply, all address families are accessible to processes. If assigned the empty string, any
previous address familiy restriction changes are undone. This setting does not affect commands prefixed with
<literal>+</literal>.</para>
<para>Use this option to limit exposure of processes to remote
systems, in particular via exotic network protocols. Note that
in most cases, the local <constant>AF_UNIX</constant> address
family should be included in the configured whitelist as it is
frequently used for local communication, including for
<para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local
<constant>AF_UNIX</constant> address family should be included in the configured whitelist as it is frequently
used for local communication, including for
<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
logging.</para></listitem>
</varlistentry>
<varlistentry>