mirror of
https://github.com/systemd/systemd
synced 2024-07-21 18:24:38 +00:00
man: document explicitly that bind restrictions cannot be escaped by opening a new netns
And while we are at it, reword the introductory sentence a bit to make it clearer. Fixes: #30555
parent: 0adce85ebe
commit: 6b7a1a3679
@ -890,8 +890,10 @@ CPUWeight=20 DisableControllers=cpu / \
<term><varname>SocketBindDeny=<replaceable>bind-rule</replaceable></varname></term>
|
||||
|
||||
<listitem>
|
||||
<para>Allow or deny binding a socket address to a socket by matching it with the <replaceable>bind-rule</replaceable> and
|
||||
applying a corresponding action if there is a match.</para>
|
||||
<para>Configures restrictions on the ability of unit processes to invoke <citerefentry
|
||||
project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> on a
|
||||
socket. Both allow and deny rules may defined that restrict which addresses a socket may be bound
|
||||
to.</para>
|
||||
|
||||
<para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>,
|
||||
<replaceable>transport-protocol</replaceable> and <replaceable>ip-ports</replaceable>.</para>
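Review bot: the new sentence "Both allow and deny rules may defined that restrict which addresses a socket may be bound to." is missing a verb and should read "Both allow and deny rules may be defined that restrict which addresses a socket may be bound to." Note also that the removed wording ("matching it with the bind-rule and applying a corresponding action if there is a match") stated explicitly that the action of the matching rule is what gets applied; the replacement no longer says this, so consider keeping a clause to that effect, e.g. "…a socket. Both allow and deny rules may be defined; the action of the matching rule is applied."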
|
||||
@ -938,6 +940,13 @@ CPUWeight=20 DisableControllers=cpu / \
</itemizedlist>
|
||||
|
||||
<para>The feature is implemented with <constant>cgroup/bind4</constant> and <constant>cgroup/bind6</constant> cgroup-bpf hooks.</para>
|
||||
|
||||
<para>Note that these settings apply to any <citerefentry
|
||||
project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
system call invocation by the unit processes, regardless in which network namespace they are
|
||||
placed. Or in other words: changing the network namespace is not a suitable mechanism for escaping
|
||||
these restrictions on <function>bind()</function>.</para>
|
||||
|
||||
<para>Examples:<programlisting>…
|
||||
# Allow binding IPv6 socket addresses with a port greater than or equal to 10000.
|
||||
[Service]
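Review bot: "regardless in which network namespace they are placed" is ungrammatical; it should be "regardless of which network namespace they are placed in". It would also help to tie the new note to the sentence just above it about the cgroup/bind4 and cgroup/bind6 cgroup-bpf hooks, since that is the reason the restriction survives a namespace change: the hooks are attached to the unit's cgroup, not to a network namespace, so a unit process that unshares or enters another netns is still subject to them. Something like "…regardless of which network namespace they are placed in, since the hooks are attached to the unit's control group rather than to a network namespace. In other words, changing the network namespace is not a suitable mechanism for escaping these restrictions on <function>bind()</function>." Minor style point: "Or in other words:" reads better as "In other words,".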