core: add RestrictAddressFamilies=none to deny all address families

Closes #15753.

man/systemd.exec.xml

@@ -1777,11 +1777,13 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
         <term><varname>RestrictAddressFamilies=</varname></term>
 
         <listitem><para>Restricts the set of socket address families accessible to the processes of this
-        unit. Takes a space-separated list of address family names to allow-list, such as
-        <constant>AF_UNIX</constant>, <constant>AF_INET</constant> or <constant>AF_INET6</constant>. When
-        prefixed with <constant>~</constant> the listed address families will be applied as deny list,
-        otherwise as allow list.  Note that this restricts access to the <citerefentry
-        project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        unit. Takes <literal>none</literal>, or a space-separated list of address family names to
+        allow-list, such as <constant>AF_UNIX</constant>, <constant>AF_INET</constant> or
+        <constant>AF_INET6</constant>. When <literal>none</literal> is specified, then all address
+        families will be denied. When prefixed with <literal>~</literal> the listed address
+        families will be applied as deny list, otherwise as allow list. Note that this restricts access
+        to the
+        <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
         system call only. Sockets passed into the process by other means (for example, by using socket
         activation with socket units, see
         <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)

src/core/dbus-execute.c

@@ -2379,8 +2379,8 @@ int bus_exec_context_set_transient_property(
                 return 1;
 
         } else if (streq(name, "RestrictAddressFamilies")) {
-                int allow_list;
                 _cleanup_strv_free_ char **l = NULL;
+                int allow_list;
 
                 r = sd_bus_message_enter_container(message, 'r', "bas");
                 if (r < 0)
@@ -2403,10 +2403,11 @@ int bus_exec_context_set_transient_property(
                         char **s;
 
                         if (strv_isempty(l)) {
-                                c->address_families_allow_list = false;
+                                c->address_families_allow_list = allow_list;
                                 c->address_families = set_free(c->address_families);
 
-                                unit_write_settingf(u, flags, name, "RestrictAddressFamilies=");
+                                unit_write_settingf(u, flags, name, "RestrictAddressFamilies=%s",
+                                                    allow_list ? "none" : "");
                                 return 1;
                         }
 
@@ -2430,7 +2431,7 @@ int bus_exec_context_set_transient_property(
                                         if (r < 0)
                                                 return r;
                                 } else
-                                        (void) set_remove(c->address_families, INT_TO_PTR(af));
+                                        set_remove(c->address_families, INT_TO_PTR(af));
                         }
 
                         joined = strv_join(l, " ");

src/core/load-fragment.c

@@ -3437,6 +3437,13 @@ int config_parse_address_families(
                 return 0;
         }
 
+        if (streq(rvalue, "none")) {
+                /* Forbid all address families. */
+                c->address_families = set_free(c->address_families);
+                c->address_families_allow_list = true;
+                return 0;
+        }
+
         if (rvalue[0] == '~') {
                 invert = true;
                 rvalue++;