From 142bd808a1a1a4a7dc4e75b7a9d1bda6c1530dfd Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 3 Feb 2017 18:33:04 +0100 Subject: [PATCH] man: Document that RestrictAddressFamilies= doesn't work on s390/s390x/... We already say that it doesn't work on i386, but there are more archs like that apparently. --- man/systemd.exec.xml | 53 ++++++++++++++++++-------------------------- 1 file changed, 21 insertions(+), 32 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 8079b4b210..bb38ea2467 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -1508,40 +1508,29 @@ RestrictAddressFamilies= - Restricts the set of socket address families - accessible to the processes of this unit. Takes a - space-separated list of address family names to whitelist, - such as - AF_UNIX, - AF_INET or - AF_INET6. When - prefixed with ~ the listed address - families will be applied as blacklist, otherwise as whitelist. - Note that this restricts access to the - socket2 - system call only. Sockets passed into the process by other - means (for example, by using socket activation with socket - units, see - systemd.socket5) - are unaffected. Also, sockets created with - socketpair() (which creates connected - AF_UNIX sockets only) are unaffected. Note that this option - has no effect on 32-bit x86 and is ignored (but works - correctly on x86-64). If running in user mode, or in system - mode, but without the CAP_SYS_ADMIN - capability (e.g. setting User=nobody), - NoNewPrivileges=yes is implied. By - default, no restriction applies, all address families are - accessible to processes. If assigned the empty string, any - previous list changes are undone. + Restricts the set of socket address families accessible to the processes of this unit. Takes a + space-separated list of address family names to whitelist, such as AF_UNIX, + AF_INET or AF_INET6. When prefixed with ~ the + listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access + to the socket2 system call + only. Sockets passed into the process by other means (for example, by using socket activation with socket + units, see systemd.socket5) + are unaffected. Also, sockets created with socketpair() (which creates connected AF_UNIX + sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le, + ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other architectures, including x86-64). 
If + running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability + (e.g. setting User=nobody), NoNewPrivileges=yes is implied. By default, + no restrictions apply, all address families are accessible to processes. If assigned the empty string, any + previous address familiy restriction changes are undone. This setting does not affect commands prefixed with + +. - Use this option to limit exposure of processes to remote - systems, in particular via exotic network protocols. Note that - in most cases, the local AF_UNIX address - family should be included in the configured whitelist as it is - frequently used for local communication, including for + Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive + network protocols, such as AF_PACKET. Note that in most cases, the local + AF_UNIX address family should be included in the configured whitelist as it is frequently + used for local communication, including for syslog2 - logging. This does not affect commands prefixed with +. + logging.
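Review bot: the new architecture list in this hunk reads "ppc, ppc-le, pcc64, ppc64-le"; "pcc64" looks like a typo for "ppc64" and should be fixed before merge, since administrators will search the man page for the exact architecture name. In the same paragraph, "previous address familiy restriction changes are undone" should read "address family". The list is also much wider than the commit subject suggests (mips, mips-le, ppc, ppc-le and ppc64 variants are added alongside s390/s390x), and the text still says only that the option "has no effect" and "is ignored" there; a short sentence on why it is ineffective on these architectures would help readers judge whether the restriction is actually enforced on their deployment, because a silently ignored sandboxing option is easy to mistake for a working one. Minor: "By default, no restrictions apply, all address families are accessible to processes." is a comma splice; consider "By default, no restrictions apply and all address families are accessible to processes."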