<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/30/2016 04:32 PM, Mantas
Mikulėnas wrote:<br>
</div>
<blockquote
cite="mid:CAPWNY8XJg=Snq94EMDp6rWZzyEES=WhRGWoAKKPYhLxPOGbWDA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Mon, May 30, 2016 at 4:24 PM,
george Karakou <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mad-proffessor@hotmail.com" target="_blank">mad-proffessor@hotmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi
again, I am a bit curious about these two directives. Can
somebody explain in a few words how these are
implemented? Using Linux network namespaces? Or simply put
somehow services using these 2 directives are forbidden to
bind to l3, l4 sockets and only allowed to communicate via
unix domain sockets? It's an interesting feature, I thought
I should give it a try.<br>
</blockquote>
<div><br>
</div>
<div>Yes, they use network namespaces, the same kind as `ip
netns` or `unshare --net`. Compare
/proc/&lt;pid&gt;/ns/net of affected processes.</div>
<div><br>
</div>
<div>(RestrictAddressFamilies=, however, uses seccomp to
forbid using certain types of sockets.)<br>
</div>
</div>
<div><br>
</div>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">Mantas Mikulėnas &lt;<a
moz-do-not-send="true" href="mailto:grawity@gmail.com"
target="_blank">grawity@gmail.com</a>&gt;</div>
</div>
</div>
</div>
</blockquote>
Well, thanks. My use case was dbus and dbus-activated services, but I
couldn't make udisks2 work using PrivateNetwork and dbus's
namespace.<br>
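<p>Added example (not part of the original thread, and not systemd code): the
comparison of /proc/&lt;pid&gt;/ns/net links suggested in the quoted reply,
generalized to group every visible process by network namespace and list those
outside PID 1's namespace. The function names and the proc_root parameter are
assumptions of this example; reading the links of other users' processes
requires root.</p>
<pre>
```python
#!/usr/bin/env python3
"""Group processes by network namespace via the /proc/PID/ns/net links."""
import os
import re
import sys
from collections import defaultdict

# The link target looks like "net:[4026531992]"; the number is the namespace inode.
NS_LINK = re.compile(r"^net:\[(\d+)\]$")


def netns_id(pid, proc_root="/proc"):
    """Return the network namespace inode for pid, or None if unreadable."""
    try:
        target = os.readlink(os.path.join(proc_root, str(pid), "ns", "net"))
    except OSError:
        # Process exited, or no permission to inspect it.
        return None
    match = NS_LINK.match(target)
    return int(match.group(1)) if match else None


def group_by_netns(proc_root="/proc"):
    """Map each namespace inode to the sorted list of PIDs living in it."""
    groups = defaultdict(list)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "sys" or "self"
        ns = netns_id(entry, proc_root)
        if ns is not None:
            groups[ns].append(int(entry))
    return {ns: sorted(pids) for ns, pids in groups.items()}


def isolated_pids(proc_root="/proc", reference_pid=1):
    """Return PIDs whose network namespace differs from reference_pid's."""
    host_ns = netns_id(reference_pid, proc_root)
    if host_ns is None:
        raise RuntimeError("cannot read the namespace of the reference PID")
    result = []
    for ns, pids in group_by_netns(proc_root).items():
        if ns != host_ns:
            result.extend(pids)
    return sorted(result)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) == 2 else "/proc"
    for ns, pids in sorted(group_by_netns(root).items()):
        print("net:[%d] %s" % (ns, " ".join(map(str, pids))))
```
</pre>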
</body>
</html>