core: add RestrictAddressFamilies=none to deny all address families
authorYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 17 Apr 2021 04:04:28 +0000 (13:04 +0900)
committerLuca Boccassi <luca.boccassi@gmail.com>
Mon, 19 Apr 2021 10:47:08 +0000 (11:47 +0100)
Closes #15753.

man/systemd.exec.xml
src/core/dbus-execute.c
src/core/load-fragment.c

index 6ae630f615462634381742de4bf62927a8d1c71b..2aefb4eb2552c859159bfc57ae52d3e0d2418d8a 100644 (file)
@@ -1777,11 +1777,13 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
         <term><varname>RestrictAddressFamilies=</varname></term>
 
         <listitem><para>Restricts the set of socket address families accessible to the processes of this
-        unit. Takes a space-separated list of address family names to allow-list, such as
-        <constant>AF_UNIX</constant>, <constant>AF_INET</constant> or <constant>AF_INET6</constant>. When
-        prefixed with <constant>~</constant> the listed address families will be applied as deny list,
-        otherwise as allow list.  Note that this restricts access to the <citerefentry
-        project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        unit. Takes <literal>none</literal>, or a space-separated list of address family names to
+        allow-list, such as <constant>AF_UNIX</constant>, <constant>AF_INET</constant> or
+        <constant>AF_INET6</constant>. When <literal>none</literal> is specified, then all address
+        families will be denied. When prefixed with <literal>~</literal> the listed address
+        families will be applied as deny list, otherwise as allow list. Note that this restricts access
+        to the
+        <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
         system call only. Sockets passed into the process by other means (for example, by using socket
         activation with socket units, see
         <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
index 3012c8786465f4c830b15f09fbcc01916024d4a5..9c141d73b1052dc7a768ee51e3cd564657737214 100644 (file)
@@ -2379,8 +2379,8 @@ int bus_exec_context_set_transient_property(
                 return 1;
 
         } else if (streq(name, "RestrictAddressFamilies")) {
-                int allow_list;
                 _cleanup_strv_free_ char **l = NULL;
+                int allow_list;
 
                 r = sd_bus_message_enter_container(message, 'r', "bas");
                 if (r < 0)
@@ -2403,10 +2403,11 @@ int bus_exec_context_set_transient_property(
                         char **s;
 
                         if (strv_isempty(l)) {
-                                c->address_families_allow_list = false;
+                                c->address_families_allow_list = allow_list;
                                 c->address_families = set_free(c->address_families);
 
-                                unit_write_settingf(u, flags, name, "RestrictAddressFamilies=");
+                                unit_write_settingf(u, flags, name, "RestrictAddressFamilies=%s",
+                                                    allow_list ? "none" : "");
                                 return 1;
                         }
 
@@ -2430,7 +2431,7 @@ int bus_exec_context_set_transient_property(
                                         if (r < 0)
                                                 return r;
                                 } else
-                                        (void) set_remove(c->address_families, INT_TO_PTR(af));
+                                        set_remove(c->address_families, INT_TO_PTR(af));
                         }
 
                         joined = strv_join(l, " ");
index 561142d5779a344e44408561f32f8a27cc071e64..9be495e1efefbbc6733d71b91d7b7e71965b9d6f 100644 (file)
@@ -3437,6 +3437,13 @@ int config_parse_address_families(
                 return 0;
         }
 
+        if (streq(rvalue, "none")) {
+                /* Forbid all address families. */
+                c->address_families = set_free(c->address_families);
+                c->address_families_allow_list = true;
+                return 0;
+        }
+
         if (rvalue[0] == '~') {
                 invert = true;
                 rvalue++;
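Review bot: `streq(rvalue, "none")` is an exact match, so a value with surrounding whitespace or a `~none` prefix falls through to the `~` handling and the list parser below, where "none" is presumably treated as an (unknown) address family name rather than as the deny-all keyword; whether `rvalue` is already trimmed before this point is not visible in the hunk. Either strip leading/trailing whitespace before the comparison, or state the exact-match contract in the comment, e.g. `/* "none" (exact, no ~ prefix) forbids all address families: an empty allow-list denies everything. */`. Extending the existing `/* Forbid all address families. */` comment to say *why* an empty set with `address_families_allow_list = true` achieves that would also help the next reader, since the same empty-set idiom means "no restriction" when the flag is false. config_parse_address_families starts before this hunk and continues after it.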