diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 02b83a060f..b350c19dcb 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -2216,28 +2216,36 @@ BindReadOnlyPaths=/var/lib/systemd
address_families7
for all possible options. When none is specified, then all address
families will be denied. When prefixed with ~ the listed address
- families will be applied as deny list, otherwise as allow list. Note that this restricts access
- to the
- socket2
+ families will be applied as deny list, otherwise as allow list.
+
+ By default, no restrictions apply, all address families are accessible to processes. If
+ assigned the empty string, any previous address family restriction changes are undone. This setting
+ does not affect commands prefixed with +.
+
+ Use this option to limit exposure of processes to remote access, in particular via exotic and
+ sensitive network protocols, such as AF_PACKET. Note that in most cases, the
+ local AF_UNIX address family should be included in the configured allow list as
+ it is frequently used for local communication, including for
+ syslog2
+ logging.
+
+ Note that this restricts access to the socket2
system call only. Sockets passed into the process by other means (for example, by using socket
activation with socket units, see
systemd.socket5)
are unaffected. Also, sockets created with socketpair() (which creates connected
- AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x,
- mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on other ABIs,
- including x86-64). Note that on systems supporting multiple ABIs (such as x86/x86-64) it is
- recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the
- restrictions of this option. Specifically, it is recommended to combine this option with
- SystemCallArchitectures=native or similar. By default, no restrictions apply, all
- address families are accessible to processes. If assigned the empty string, any previous address family
- restriction changes are undone. This setting does not affect commands prefixed with +.
+ AF_UNIX sockets) or the
+ io_uring7
+ functions, are not affected. Thus, it is recommended to combined this setting with
+ SystemCallFilter=@service, to only allow a limited subset of system calls.
- Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
- network protocols, such as AF_PACKET. Note that in most cases, the local
- AF_UNIX address family should be included in the configured allow list as it is frequently
- used for local communication, including for
- syslog2
- logging.
+ Note that this option is limited to some ABIs, in particular x86-64, but currently has no
+ effect on 32-bit x86, s390, s390x, mips, mips-le, ppc, ppc-le, ppc64, or ppc64-le, and is ignored. On
+ systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs
+ for services, so that they cannot be used to circumvent the restrictions of this option.
+ Specifically, it is recommended to combine this option with
+ SystemCallArchitectures=native or similar.
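Review bot: Typo in the added socketpair()/io_uring sentence: "it is recommended to combined this setting with" should read "to combine this setting with". In the same sentence, the comma before "are not affected" splits the subject from its verb. The hunk also drops "only" from "(which creates connected AF_UNIX sockets only)", which was what explained why socketpair() is a limited exception. The "Thus, ... SystemCallFilter=@service" recommendation does not say whether @service actually leaves out socketpair() or the io_uring calls. As written, a reader may assume the pairing closes both gaps, so it would help to state which of the two the filter covers. In the last paragraph, "currently has no effect on 32-bit x86, ... and is ignored" states the same thing twice; dropping "and is ignored" or rephrasing to "is ignored on ..." would read more cleanly.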