RestrictAddressFamilies setting
The property RestrictAddressFamilies is a systemd unit setting used for sandboxing. It is available since systemd 211.
Purpose: control what socket address families can be used by a unit
Why and when to use RestrictAddressFamilies
The setting RestrictAddressFamilies aims to restrict what socket address families can be used. When using it, the default is that it is used as an allow-list and define what address families can be used.
Settings
When this setting is not configured, there are no restrictions to what address families can be used.
Setting the value to none will block all address families.
To block specific address families only, a ~ can be used to turn the allow-list into a deny-list.
Caveats
This setting does not have effect on hardware platforms like:
- 32-bit x86
- s390 / s390x
- mips / mips-le
- ppc / ppc-le / ppc64/ ppc64-le
This setting does also not have effect on sockets created using alternative methods, including the systemd socket unit type or those created with the syscall socketpair(2).
Generic advice
Services that use networking functonality typically use AF_INET (IPv4) and AF_INET6 (IPv6). Using the address family AF_UNIX is suggested, as it may be used for local communication between services, including the usage of syslog syscall.
It is advised to use SystemCallArchitectures=native in combination with this setting, to prevent easy circumvention of the restrictions.
Example
A common combination might look like this.
[Service]
SystemCallArchitectures=native
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
Values
- none: all socket address families will be blocked
- [LIST OF FAMILIES]: socket address families listed will be allowed
Example to show the current value of RestrictAddressFamilies for the dmesg service:
systemctl show --property=RestrictAddressFamilies dmesg.serviceRelated hardening profiles
The systemd unit setting RestrictAddressFamilies is used in the following hardening profiles.
