[PATCH 2/2] paccache.service.in: Restrict all (network) address families
Frederik “Freso” S. Olesen
freso.dk at gmail.com
Tue Nov 30 12:53:56 UTC 2021
RestrictAddressFamilies used to not have an option to restrict all
address families, but systemd 249 introduced a special value "none"
exactly for this purpose.
Signed-off-by: Frederik “Freso” S. Olesen <freso.dk at gmail.com>
---
src/paccache.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/paccache.service.in b/src/paccache.service.in
index a821daf..57390ea 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -28,7 +28,7 @@ ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
-RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=none
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
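Review bot: On the `+RestrictAddressFamilies=none` line, the commit message notes that `none` only exists since systemd 249, but neither the unit nor the patch states that minimum version, so it is unclear what a host with an older systemd does with this value. If the older version rejects or ignores the line, the `AF_UNIX`-only restriction removed here would be lost rather than tightened. Consider documenting the systemd >= 249 requirement in the commit message or in a comment in the unit, and confirm the behaviour on a pre-249 host. It would also help to say briefly why paccache does not need `AF_UNIX` at all, since the message explains only that the stricter value became available.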
--
2.34.1