From: Lennart Poettering
Date: Mon, 22 Apr 2024 09:34:59 +0000 (+0200)
Subject: man: document explicitly that bind restrictions cannot be escaped by opening a new...
X-Git-Tag: v256-rc1~71^2~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b7a1a3679f1facbc192d4abd209530002510f34;p=thirdparty%2Fsystemd.git

man: document explicitly that bind restrictions cannot be escaped by opening a new netns

And while we are at it reword the introductory sentence a bit to make it clearer.

Fixes: #30555
---
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index d5b77dc833f..b6efb5b990a 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -890,8 +890,10 @@ CPUWeight=20 DisableControllers=cpu / \ SocketBindDeny=bind-rule - Allow or deny binding a socket address to a socket by matching it with the bind-rule and - applying a corresponding action if there is a match. + Configures restrictions on the ability of unit processes to invoke bind2 on a + socket. Both allow and deny rules may defined that restrict which addresses a socket may be bound + to. bind-rule describes socket properties such as address-family, transport-protocol and ip-ports.
@@ -938,6 +940,13 @@ CPUWeight=20 DisableControllers=cpu / \ The feature is implemented with cgroup/bind4 and cgroup/bind6 cgroup-bpf hooks. + + Note that these settings apply to any bind2 + system call invocation by the unit processes, regardless in which network namespace they are + placed. Or in other words: changing the network namespace is not a suitable mechanism for escaping + these restrictions on bind(). + Examples:… # Allow binding IPv6 socket addresses with a port greater than or equal to 10000. [Service]
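Review bot: the rewritten opening paragraph in the first hunk (around line 890) is missing a verb: "Both allow and deny rules may defined that restrict which addresses a socket may be bound to" should read "may be defined". The same sentence would also read more naturally as "Both allow and deny rules may be defined that restrict the addresses to which a socket may be bound." Note too that the removed lines stated how the rules are applied (each bind() call is matched against the rules and the matching rule's action is applied); the new text only says that restrictions exist, so either keep a short matching sentence here or make sure the following bind-rule paragraph still carries that explanation.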
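Review bot: in the second hunk (around line 940) "regardless in which network namespace they are placed" is ungrammatical; suggest "regardless of the network namespace they run in". The paragraph would be more convincing if it gave the reason, which the preceding sentence already supplies: the hooks are cgroup/bind4 and cgroup/bind6 cgroup-bpf programs, i.e. they are attached to the unit's cgroup and not to a network namespace, so what matters is cgroup membership and unshare()/setns() of the network namespace changes nothing. Also, "Or in other words:" reads colloquially next to the rest of the manual ("In other words,"), and the paragraph refers to the system call both through the bind(2) citerefentry and as plain "bind()"; pick one form.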