mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-23 17:34:00 +03:00
man: Document that RestrictAddressFamilies= doesn't work on s390/s390x/...
We already say that it doesn't work on i386, but there are more archs like that apparently.
This commit is contained in:
parent
ad8f1479b4
commit
142bd808a1
@ -1508,40 +1508,29 @@
|
||||
<varlistentry>
|
||||
<term><varname>RestrictAddressFamilies=</varname></term>
|
||||
|
||||
<listitem><para>Restricts the set of socket address families
|
||||
accessible to the processes of this unit. Takes a
|
||||
space-separated list of address family names to whitelist,
|
||||
such as
|
||||
<constant>AF_UNIX</constant>,
|
||||
<constant>AF_INET</constant> or
|
||||
<constant>AF_INET6</constant>. When
|
||||
prefixed with <constant>~</constant> the listed address
|
||||
families will be applied as blacklist, otherwise as whitelist.
|
||||
Note that this restricts access to the
|
||||
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
system call only. Sockets passed into the process by other
|
||||
means (for example, by using socket activation with socket
|
||||
units, see
|
||||
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
|
||||
are unaffected. Also, sockets created with
|
||||
<function>socketpair()</function> (which creates connected
|
||||
AF_UNIX sockets only) are unaffected. Note that this option
|
||||
has no effect on 32-bit x86 and is ignored (but works
|
||||
correctly on x86-64). If running in user mode, or in system
|
||||
mode, but without the <constant>CAP_SYS_ADMIN</constant>
|
||||
capability (e.g. setting <varname>User=nobody</varname>),
|
||||
<varname>NoNewPrivileges=yes</varname> is implied. By
|
||||
default, no restriction applies, all address families are
|
||||
accessible to processes. If assigned the empty string, any
|
||||
previous list changes are undone.</para>
|
||||
<listitem><para>Restricts the set of socket address families accessible to the processes of this unit. Takes a
|
||||
space-separated list of address family names to whitelist, such as <constant>AF_UNIX</constant>,
|
||||
<constant>AF_INET</constant> or <constant>AF_INET6</constant>. When prefixed with <constant>~</constant> the
|
||||
listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access
|
||||
to the <citerefentry
|
||||
project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call
|
||||
only. Sockets passed into the process by other means (for example, by using socket activation with socket
|
||||
units, see <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
|
||||
are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected AF_UNIX
|
||||
sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le,
|
||||
ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other architectures, including x86-64). If
|
||||
running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability
|
||||
(e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default,
|
||||
no restrictions apply, all address families are accessible to processes. If assigned the empty string, any
|
||||
previous address familiy restriction changes are undone. This setting does not affect commands prefixed with
|
||||
<literal>+</literal>.</para>
|
||||
|
||||
<para>Use this option to limit exposure of processes to remote
|
||||
systems, in particular via exotic network protocols. Note that
|
||||
in most cases, the local <constant>AF_UNIX</constant> address
|
||||
family should be included in the configured whitelist as it is
|
||||
frequently used for local communication, including for
|
||||
<para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
|
||||
network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local
|
||||
<constant>AF_UNIX</constant> address family should be included in the configured whitelist as it is frequently
|
||||
used for local communication, including for
|
||||
<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
|
||||
logging.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
Loading…
Reference in New Issue
Block a user