From 6359811021f113e8ba782be3fbdfa0b587a7bebd Mon Sep 17 00:00:00 2001
From: Julia Kartseva <hex@fb.com>
Date: Wed, 18 Nov 2020 00:32:14 -0800
Subject: [PATCH] man: add SocketBind{Allow|Deny}= documentation

---
 man/systemd.resource-control.xml | 70 ++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index a2d01f7afb..d9b570e232 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -762,6 +762,76 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>SocketBindAllow=<replaceable>bind-rule</replaceable></varname></term>
+        <term><varname>SocketBindDeny=<replaceable>bind-rule</replaceable></varname></term>
+
+        <listitem>
+          <para>Allow or deny binding a socket address to a socket by matching it with the <replaceable>bind-rule</replaceable> and
+          applying a corresponding action if there is a match.</para>
+
+          <para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>
+          and <replaceable>ip-ports</replaceable>.</para>
+
+          <para><replaceable>bind-rule</replaceable> := [<replaceable>address-family</replaceable><constant>:</constant>]<replaceable>ip-ports</replaceable></para>
+
+          <para><replaceable>address-family</replaceable> := { <constant>IPv4</constant> | <constant>IPv6</constant> }</para>
+
+          <para><replaceable>ip-ports</replaceable> := { <replaceable>ip-port</replaceable> | <replaceable>ip-port-range</replaceable> |
+          <constant>any</constant> }</para>
+
+          <para>An optional <replaceable>address-family</replaceable> expects <constant>IPv4</constant> or <constant>IPv6</constant> values.
+          If not specified, a rule will be matched for both IPv4 and IPv6 addresses and applied depending on other socket fields, e.g.
+          <replaceable>ip-port</replaceable>.</para>
+
+          <para><replaceable>ip-port</replaceable> value must lie within 1…65535 interval inclusively, i.e.
+          dynamic port <constant>0</constant> is not allowed. A range of sequential ports is described by
+          <replaceable>ip-port-range</replaceable> := <replaceable>ip-port-low</replaceable><constant>-</constant><replaceable>ip-port-high</replaceable>,
+          where <replaceable>ip-port-low</replaceable> is smaller than or equal to <replaceable>ip-port-high</replaceable>
+          and both are within 1…65535 inclusively. A special value <constant>any</constant>
+          should be used to apply a rule to any port with a positive value.</para>
+
+          <para>To allow multiple rules assign <varname>SocketBindAllow=</varname> or <varname>SocketBindDeny=</varname> multiple times.
+          To clear the existing assignments pass an empty <varname>SocketBindAllow=</varname> or <varname>SocketBindDeny=</varname>
+          assignment.</para>
+
+          <para>For each of <varname>SocketBindAllow=</varname> and <varname>SocketBindDeny=</varname>, maximum allowed number of assignments is
+          <constant>128</constant>.</para>
+
+          <itemizedlist>
+            <listitem><para>Binding to a socket is allowed when a socket address matches an entry in the
+            <varname>SocketBindAllow=</varname> list.</para></listitem>
+
+            <listitem><para>Otherwise, binding is denied when the socket address matches an entry in the
+            <varname>SocketBindDeny=</varname> list.</para></listitem>
+
+            <listitem><para>Otherwise, binding is allowed.</para></listitem>
+          </itemizedlist>
+
+          <para>The feature is implemented with <constant>cgroup/bind4</constant> and <constant>cgroup/bind6</constant> cgroup-bpf hooks.</para>
+          <para>Examples:<programlisting>…
+# Allow binding IPv6 socket addresses with a port greater than or equal to 10000.
+[Service]
+SocketBindAllow=IPv6:10000-65535
+SocketBindDeny=any
+…
+# Allow binding IPv4 and IPv6 socket addresses with 1234 and 4321 ports.
+[Service]
+SocketBindAllow=1234
+SocketBindAllow=4321
+SocketBindDeny=any
+…
+# Deny binding IPv6 socket addresses.
+[Service]
+SocketBindDeny=IPv6:any
+…
+# Deny binding IPv4 and IPv6 socket addresses.
+[Service]
+SocketBindDeny=any
+…</programlisting></para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>DeviceAllow=</varname></term>