From 2dc4e87849e2ae2ea93e9ccf6365c44ad1602ac6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 6 May 2025 20:59:59 +0200 Subject: [PATCH] man/systemd.exec: reword description of RestrictAddressFamilies= The text is reordered and broken into more paragraphs. A recommendation to combine RestrictAddressFamilies= with SystemCallFilter=@service is added. --- man/systemd.exec.xml | 44 ++++++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 02b83a060f5..b350c19dcb0 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -2216,28 +2216,36 @@ BindReadOnlyPaths=/var/lib/systemd address_families7 for all possible options. When none is specified, then all address families will be denied. When prefixed with ~ the listed address - families will be applied as deny list, otherwise as allow list. Note that this restricts access - to the - socket2 + families will be applied as deny list, otherwise as allow list. + + By default, no restrictions apply, all address families are accessible to processes. If + assigned the empty string, any previous address family restriction changes are undone. This setting + does not affect commands prefixed with +. + + Use this option to limit exposure of processes to remote access, in particular via exotic and + sensitive network protocols, such as AF_PACKET. Note that in most cases, the + local AF_UNIX address family should be included in the configured allow list as + it is frequently used for local communication, including for + syslog2 + logging. + + Note that this restricts access to the socket2 system call only. Sockets passed into the process by other means (for example, by using socket activation with socket units, see systemd.socket5) are unaffected. Also, sockets created with socketpair() (which creates connected - AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, - mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on other ABIs, - including x86-64). Note that on systems supporting multiple ABIs (such as x86/x86-64) it is - recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the - restrictions of this option. Specifically, it is recommended to combine this option with - SystemCallArchitectures=native or similar. By default, no restrictions apply, all - address families are accessible to processes. If assigned the empty string, any previous address family - restriction changes are undone. 
This setting does not affect commands prefixed with +. - - Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive - network protocols, such as AF_PACKET. Note that in most cases, the local - AF_UNIX address family should be included in the configured allow list as it is frequently - used for local communication, including for - syslog2 - logging. + AF_UNIX sockets) or the + io_uring7 + functions, are not affected. Thus, it is recommended to combined this setting with + SystemCallFilter=@service, to only allow a limited subset of system calls. + + Note that this option is limited to some ABIs, in particular x86-64, but currently has no + effect on 32-bit x86, s390, s390x, mips, mips-le, ppc, ppc-le, ppc64, or ppc64-le, and is ignored. On + systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs + for services, so that they cannot be used to circumvent the restrictions of this option. + Specifically, it is recommended to combine this option with + SystemCallArchitectures=native or similar. -- 2.47.3
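Review bot: typo in the new io_uring paragraph of this hunk: "it is recommended to combined this setting with SystemCallFilter=@service" should read "recommended to combine this setting with". In the same sentence the comma in "or the io_uring7 functions, are not affected" separates the subject from its verb; drop it ("or the io_uring functions are not affected"). The added ABI paragraph is also self-contradictory as phrased: "is limited to some ABIs, in particular x86-64, but currently has no effect on 32-bit x86, ..., and is ignored" says both "limited to" and "has no effect ... and is ignored"; the original wording "has no effect on ... and is ignored (but works correctly on other ABIs, including x86-64)" was clearer, so consider "currently has no effect on 32-bit x86, s390, s390x, mips, mips-le, ppc, ppc-le, ppc64, or ppc64-le and is ignored there, but works on other ABIs, including x86-64". Finally, "Thus, it is recommended to combine ... with SystemCallFilter=@service" infers the recommendation from socketpair() and io_uring bypassing the socket2 restriction without saying that the @service set excludes those paths; a short clause stating that would make the reasoning traceable for readers of the man page.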