chiark / gitweb /
~ianmdlvl / elogind.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9875fd7) | patch
core: add new RestrictAddressFamilies= switch
authorLennart Poettering <lennart@poettering.net>
Tue, 25 Feb 2014 19:37:03 +0000 (20:37 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 26 Feb 2014 01:19:28 +0000 (02:19 +0100)
commit4298d0b5128326621c8f537107c4c8b459490721
tree38ed9f6806b45d153f39ea9da61eae5d34530523tree | snapshot
parent9875fd7875d433eea5c6e3319916e1be18722086commit | diff
core: add new RestrictAddressFamilies= switch

This new unit settings allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.

This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform.
13 files changed:
Makefile.am diff | blob | history
man/systemd.exec.xml diff | blob | history
src/core/dbus-execute.c diff | blob | history
src/core/execute.c diff | blob | history
src/core/execute.h diff | blob | history
src/core/load-fragment-gperf.gperf.m4 diff | blob | history
src/core/load-fragment.c diff | blob | history
src/core/load-fragment.h diff | blob | history
src/shared/.gitignore diff | blob | history
src/shared/af-list.c [new file with mode: 0644] blob
src/shared/af-list.h [new file with mode: 0644] blob
src/shared/exit-status.c diff | blob | history
src/shared/exit-status.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.