<varlistentry>
<term><varname>SystemCallFilter=</varname></term>
- <listitem><para>Takes a space-separated
- list of system call
+ <listitem><para>Takes a
+ space-separated list of system call
names. If this setting is used, all
system calls executed by the unit
processes except for the listed ones
the effect is inverted: only the
listed system calls will result in
immediate process termination
- (blacklisting). If this option is used,
+ (blacklisting). If running in user
+ mode and this option is used,
<varname>NoNewPrivileges=yes</varname>
- is implied. This feature makes use of
- the Secure Computing Mode 2 interfaces
- of the kernel ('seccomp filtering')
- and is useful for enforcing a minimal
+ is implied. This feature makes use of the
+ Secure Computing Mode 2 interfaces of
+ the kernel ('seccomp filtering') and
+ is useful for enforcing a minimal
sandboxing environment. Note that the
<function>execve</function>,
<function>rt_sigreturn</function>,
<constant>x86</constant>,
<constant>x86-64</constant>,
<constant>x32</constant>,
- <constant>arm</constant> as well as the
- special identifier
- <constant>native</constant>. Only system
- calls of the specified architectures
- will be permitted to processes of this
- unit. This is an effective way to
- disable compatibility with non-native
- architectures for processes, for
- example to prohibit execution of
- 32-bit x86 binaries on 64-bit x86-64
- systems. The special
+ <constant>arm</constant> as well as
+ the special identifier
+ <constant>native</constant>. Only
+ system calls of the specified
+ architectures will be permitted to
+ processes of this unit. This is an
+ effective way to disable compatibility
+ with non-native architectures for
+ processes, for example to prohibit
+ execution of 32-bit x86 binaries on
+ 64-bit x86-64 systems. The special
<constant>native</constant> identifier
implicitly maps to the native
architecture of the system (or more
strictly: to the architecture the
- system manager is compiled for). Note
- that setting this option to a
- non-empty list implies that
- <constant>native</constant> is included
- too. By default, this option is set to
- the empty list, i.e. no architecture
- system call filtering is
+ system manager is compiled for). If
+ running in user mode and this option
+ is used,
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. Note that setting this
+ option to a non-empty list implies
+ that <constant>native</constant> is
+ included too. By default, this option
+ is set to the empty list, i.e. no
+ architecture system call filtering is
applied.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>RestrictAddressFamilies=</varname></term>
+
+ <listitem><para>Restricts the set of
+ socket address families accessible to
+ the processes of this unit. Takes a
+ space-separated list of address family
+ names to whitelist, such as
+ <constant>AF_UNIX</constant>,
+ <constant>AF_INET</constant> or
+ <constant>AF_INET6</constant>. When
+ prefixed with <constant>~</constant>
+ the listed address families will be
+ applied as blacklist, otherwise as
+ whitelist. Note that this restricts
+ access to the
+ <citerefentry><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ system call only. Sockets passed into
+ the process by other means (for
+ example, by using socket activation
+ with socket units, see
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+ are unaffected. Also, sockets created
+ with <function>socketpair()</function>
+ (which creates connected AF_UNIX
+ sockets only) are unaffected. Note
+ that this option has no effect on
+ 32bit x86 and is ignored (but works
+ correctly on x86-64). If running in user
+ mode and this option is used,
+ <varname>NoNewPrivileges=yes</varname>
+ is implied. By default no
+ restriction applies, all address
+ families are accessible to
+ processes. If assigned the empty
+ string any previous list changes are
+ undone.</para>
+
+ <para>Use this option to limit
+ exposure of processes to remote
+ systems, in particular via exotic
+ network protocols. Note that in most
+ cases the local
+ <constant>AF_UNIX</constant> address
+ family should be included in the
+ configured whitelist as it is
+ frequently used for local
+ communication, including for
+ <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ logging.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>Personality=</varname></term>
host system's
kernel.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>RuntimeDirectory=</varname></term>
+ <term><varname>RuntimeDirectoryMode=</varname></term>
+
+ <listitem><para>Takes a list of
+ directory names. If set one or more
+ directories by the specified names
+ will be created below
+ <filename>/run</filename> (for system
+ services) or below
+ <varname>$XDG_RUNTIME_DIR</varname>
+ (for user services) when the unit is
+ started and removed when the unit is
+ stopped. The directories will have the
+ access mode specified in
+ <varname>RuntimeDirectoryMode=</varname>,
+ and will be owned by the user and
+ group specified in
+ <varname>User=</varname> and
+ <varname>Group=</varname>. Use this to
+ manage one or more runtime directories
+ of the unit and bind their lifetime to
+ the daemon runtime. The specified
+ directory names must be relative, and
+ may not include a
+ <literal>/</literal>, i.e. must refer
+ to simple directories to create or
+ remove. This is particularly useful
+ for unpriviliges daemons that cannot
+ create runtime directories in
+ <filename>/run</filename> due to lack
+ of privileges, and to make sure the
+ runtime directory is cleaned up
+ automatically after use. For runtime
+ directories that require more complex
+ or different configuration or lifetime
+ guarantees, please consider using
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>exec</refentrytitle><manvolnum>3</manvolnum></citerefentry>
</para>
</refsect1>