On Mon, May 30, 2016 at 4:24 PM, george Karakou <mad-proffes...@hotmail.com> wrote:
> Hi again, i am a bit curious about these two directives. Can somebody > explain in a few words how are these implemented? Using linux network > namespaces? Or simply put somehow services using these 2 directives are > forbidden to bind to l3, l4 sockets and only allowed to communicate via > unix domain sockets? Its an interesting feature, i thought i should give it > a try. > Yes, they use network namespaces, the same kind as `ip netns` or `unshare --net`. Compare /proc/<pid>/ns/net of affected processes. (RestrictAddressFamilies=, however, uses seccomp to forbid using certain types of sockets.) -- Mantas Mikulėnas <graw...@gmail.com>
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel