From 6b7a1a3679f1facbc192d4abd209530002510f34 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 22 Apr 2024 11:34:59 +0200 Subject: [PATCH] man: document explicitly that bind restrictions cannot be escaped by opening a new netns And while we are at it reword the introductary sentence a bit to make it clearer. Fixes: #30555 --- man/systemd.resource-control.xml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index d5b77dc833f..b6efb5b990a 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -890,8 +890,10 @@ CPUWeight=20 DisableControllers=cpu / \ SocketBindDeny=bind-rule - Allow or deny binding a socket address to a socket by matching it with the bind-rule and - applying a corresponding action if there is a match. + Configures restrictions on the ability of unit processes to invoke bind2 on a + socket. Both allow and deny rules may defined that restrict which addresses a socket may be bound + to. bind-rule describes socket properties such as address-family, transport-protocol and ip-ports. @@ -938,6 +940,13 @@ CPUWeight=20 DisableControllers=cpu / \ The feature is implemented with cgroup/bind4 and cgroup/bind6 cgroup-bpf hooks. + + Note that these settings apply to any bind2 + system call invocation by the unit processes, regardless in which network namespace they are + placed. Or in other words: changing the network namespace is not a suitable mechanism for escaping + these restrictions on bind(). + Examples:… # Allow binding IPv6 socket addresses with a port greater than or equal to 10000. [Service] -- 2.47.3
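Review bot: the first hunk (the rewritten SocketBindAllow=/SocketBindDeny= description) drops a word: "Both allow and deny rules may defined that restrict which addresses a socket may be bound to" should read "Both allow and deny rules may be defined that restrict which addresses a socket may be bound to". While touching that sentence, consider tightening the tail to "...that restrict the addresses a socket may be bound to", since the surrounding paragraph already introduces bind-rule as the thing describing those addresses.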
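Review bot: the second hunk (the new namespace note) has awkward grammar in "regardless in which network namespace they are placed"; "regardless of which network namespace they are placed in" reads naturally. The note would also be stronger if it gave the reason, which the preceding context line already supplies: the restrictions are enforced by cgroup/bind4 and cgroup/bind6 cgroup-bpf hooks attached to the unit's cgroup, not to a network namespace, so a process that creates or joins another network namespace stays in the same cgroup and remains subject to them. Something like "Since the hooks are attached to the unit's control group rather than to a network namespace, changing the network namespace is not a suitable mechanism for escaping these restrictions on bind()." makes the "Or in other words" sentence follow from a stated cause rather than appearing as an assertion.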