« Back to Settings for systemd units

SocketBindAllow setting

The property SocketBindAllow is a systemd unit setting used for sandboxing. It is available since systemd 249.

Purpose: define which address families, transport protocols, and/or ports are allowed to bind() to a socket

Why and when to use SocketBindAllow

The setting SocketBindAllow is used together with SocketBindDeny and defines restrictions on the usage of the system call bind(2) on a network socket.

Settings

Both SocketBindAllow and SocketBindDeny use a bind-rule. See SocketBindDeny for the details.

Generic advice

This setting is useful in combination with SocketBindDeny to create an allow-list.

Examples

Allow binding on TCP port 80

[Service]
SocketBindDeny=any
SocketBindAllow=tcp:80

Allow binding on port 443 (IPv4/IPv6, TCP/UDP)

[Service]
SocketBindDeny=any
SocketBindAllow=443

Related hardening profiles

The systemd unit setting SocketBindAllow is used in the following hardening profiles.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon