On Mon, 12.12.16 21:22, Paul Wouters (paul@xxxxxxxxx) wrote:

> > that's totally possible, and can be functionality-wise entirely
> > equivalent. The only difference is: systemd makes all of this
> > trivially easy to use, by making this a single-line change in a unit
> > file without involving C hacking.
>
> For us (libreswan) it probably makes less sense to restrict address
> family in the daemon. Our daemon just listens to UDP 500/4500, so it
> would never be affected by any other kind of address families.

Well, if it creates that UDP socket itself then it needs access to
AF_INET, and AF_INET6 at least. And things like syslog() usually imply
AF_UNIX, hence it would probably be a good idea to add
"RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" if your service
really needs nothing else. That way the service will lose access to
AF_PACKET, AF_NETLINK, AF_BLUETOOTH, … and everything else.

Lennart

--
Lennart Poettering, Red Hat
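
An added example, not part of the original message and not systemd or libreswan code: a Python probe that a service owner can run inside a unit's sandbox to confirm which of the address families named above can still be created. The socket types, the verdict labels and the function names are choices of this example.

```python
import errno
import socket

# Families named in the message above; the SOCK_* types are this example's choice.
PROBES = {
    "AF_UNIX": socket.SOCK_STREAM,
    "AF_INET": socket.SOCK_DGRAM,
    "AF_INET6": socket.SOCK_DGRAM,
    "AF_NETLINK": socket.SOCK_RAW,
    "AF_PACKET": socket.SOCK_RAW,
    "AF_BLUETOOTH": socket.SOCK_RAW,
}

def classify(err):
    """Map the errno from socket() (None on success) to a verdict label."""
    if err is None:
        return "allowed"
    if err == errno.EAFNOSUPPORT:
        # Returned by the RestrictAddressFamilies= filter, but also by a
        # kernel that lacks the family, so the two cases share a label.
        return "blocked-or-unsupported"
    if err in (errno.EPERM, errno.EACCES):
        return "needs-privilege"  # e.g. AF_PACKET without CAP_NET_RAW
    return "error:" + errno.errorcode.get(err, str(err))

def probe(name, sock_type):
    """Try to create one socket of the named family and classify the result."""
    family = getattr(socket, name, None)
    if family is None:
        return "unknown-to-python"  # this Python build has no such constant
    try:
        socket.socket(family, sock_type).close()
    except OSError as exc:
        return classify(exc.errno)
    return classify(None)

def probe_all():
    return {name: probe(name, t) for name, t in PROBES.items()}

def unexpected(results, allowed=("AF_INET", "AF_INET6", "AF_UNIX")):
    """Families that could be created although they are outside the allow-list."""
    return sorted(n for n, v in results.items() if v == "allowed" and n not in allowed)

if __name__ == "__main__":
    results = probe_all()
    for name, verdict in results.items():
        print(f"{name:13} {verdict}")
    raise SystemExit(1 if unexpected(results) else 0)
```

Run it in the service's sandbox, for instance with `systemd-run --pty -p "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" python3 probe.py` (the file name is a placeholder). Every family outside the allow-list should then report `blocked-or-unsupported` and the script should exit 0.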