git.ipfire.org Git - thirdparty/systemd.git/commit
nspawn: Add --restrict-address-families= option
author: Daan De Meyer <daan.j.demeyer@gmail.com>
Mon, 22 Dec 2025 10:22:34 +0000 (11:22 +0100)
committer: Daan De Meyer <daan.j.demeyer@gmail.com>
Mon, 13 Apr 2026 09:14:11 +0000 (11:14 +0200)
commit: 4bbdc8a6a2eaca3b717810bbae0265eb375ab68c
tree: 9a02886da931783595212cc3ebb679f5ca503020
parent: 4c9ce728e788be00749a8718ff24c56c01ddb4ca
nspawn: Add --restrict-address-families= option

Add a new --restrict-address-families= command line option and
corresponding RestrictAddressFamilies= setting for .nspawn files to
restrict which socket address families may be used inside a container.

Many address families such as AF_VSOCK and AF_NETLINK are not
network-namespaced, so restricting access to them in containers
improves isolation. The option supports allowlist and denylist modes
(via ~ prefix), as well as "none" to block all families, matching the
semantics of RestrictAddressFamilies= in unit files.

The address family parsing logic is extracted into a shared
parse_address_families() helper in parse-helpers.c, which is now also
used by config_parse_address_families() in load-fragment.c.

This is currently opt-in. In a future version, the default will be
changed to restrict address families to AF_INET, AF_INET6 and AF_UNIX.
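The allowlist, "~" denylist and "none" semantics the commit message describes, as an added illustrative model that is not systemd's parse_address_families() helper; the family-name table and the sample socket() calls it evaluates are constructed for this example.

```python
"""Model of RestrictAddressFamilies= semantics: an allowlist of address
families, a denylist when the value starts with "~", and "none" to block
every family. Illustrative only; not the systemd implementation."""
from dataclasses import dataclass

# Constructed subset of Linux address families for validation. Note that
# AF_NETLINK and AF_VSOCK are not network-namespaced, which is why the
# commit recommends restricting them inside containers.
KNOWN_FAMILIES = frozenset({
    "AF_UNIX", "AF_INET", "AF_INET6", "AF_NETLINK", "AF_VSOCK", "AF_PACKET",
})

# The default the commit message announces for a future version.
FUTURE_DEFAULT = "AF_INET AF_INET6 AF_UNIX"


@dataclass(frozen=True)
class AddressFamilyPolicy:
    families: frozenset  # family names the policy lists
    allowlist: bool      # True: only listed pass; False: listed are denied

    def permits(self, family: str) -> bool:
        if self.allowlist:
            return family in self.families
        return family not in self.families


def parse_address_families(value: str) -> AddressFamilyPolicy:
    """Parse one RestrictAddressFamilies= value into a policy."""
    allowlist = True
    if value.startswith("~"):        # "~" turns the list into a denylist
        allowlist = False
        value = value[1:]
    names = value.split()
    if names == ["none"]:            # "none": empty allowlist blocks everything
        return AddressFamilyPolicy(frozenset(), True)
    for name in names:
        if name not in KNOWN_FAMILIES:
            raise ValueError(f"unknown address family: {name}")
    return AddressFamilyPolicy(frozenset(names), allowlist)


def blocked_families(value: str, requested: list) -> list:
    """Return, in order, the requested families socket() would be denied."""
    policy = parse_address_families(value)
    return [fam for fam in requested if not policy.permits(fam)]


if __name__ == "__main__":
    calls = ["AF_INET", "AF_UNIX", "AF_NETLINK", "AF_VSOCK"]
    for setting in (FUTURE_DEFAULT, "~AF_NETLINK AF_VSOCK", "none"):
        print(f"{setting!r}: blocked {blocked_families(setting, calls)}")
```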
14 files changed:
NEWS
man/systemd-nspawn.xml
man/systemd.nspawn.xml
shell-completion/bash/systemd-nspawn
shell-completion/zsh/_systemd-nspawn
src/core/load-fragment.c
src/nspawn/nspawn-gperf.gperf
src/nspawn/nspawn-seccomp.c
src/nspawn/nspawn-seccomp.h
src/nspawn/nspawn-settings.c
src/nspawn/nspawn-settings.h
src/nspawn/nspawn.c
src/shared/parse-helpers.c
src/shared/parse-helpers.h