[systemd-devel] Using IPAddressAllow/IPAddressDeny on --user scopes
Farblos
AKFKQU.9DF7RP at vodafonemail.de
Tue Dec 13 21:34:15 UTC 2022
Hi,
I use
------------------------- snip -------------------------
[~]$ systemd --version
systemd 252 (252.1-1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS
+OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD
+LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT +QRENCODE +TPM2 +BZIP2
+LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT
default-hierarchy=unified
[~]$ uname -a
Linux sappc1 6.0.0-4-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.8-1 (2022-11-11) x86_64 GNU/Linux
------------------------- snip -------------------------
on Debian testing, without Gnome, if that matters, but with lightdm
and fvwm3.
The following works as expected:
------------------------- snip -------------------------
[~]$ systemd-run --scope -p IPAddressDeny=any /bin/bash
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to manage system services or other units.
Authenticating as: Farblos,,, (farblos)
Password:
==== AUTHENTICATION COMPLETE ====
Running scope as unit: run-u294.scope
[~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2052ms
------------------------- snip -------------------------
But with "--user" it does not; packets are not blocked:
------------------------- snip -------------------------
[~]$ systemd-run --user --scope -p IPAddressDeny=any /bin/bash
Running scope as unit: run-r256958d66c5342048ef95da34ca76b68.scope
[~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=30.4 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 30.432/30.432/30.432/0.000 ms
------------------------- snip -------------------------
I can imagine that the latter scenario is not supported or requires
additional configuration (which?), but I have not found any hints on that,
neither in systemd.resource-control(5) nor in [1.] or [8.] from that man
page.
Pointers and help appreciated.
Jens
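When a unit reports IPAddressDeny= but traffic still flows, the useful check is whether systemd actually attached its filtering programs to the unit's cgroup, because the property can be accepted by the manager while nothing enforces it. The script below is an added example, not part of the original post or of systemd; it assumes systemd.resource-control(5)'s description that these properties are enforced with eBPF programs on the unit's cgroup, a unified hierarchy at /sys/fs/cgroup (matching the default-hierarchy=unified line above), bpftool installed, and enough privilege to list cgroup programs (normally root). The function names skb_filter_state, unit_cgroup_path and check_unit_ip_filter are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies whether systemd has
# actually attached ingress/egress cgroup BPF programs to a unit's cgroup,
# instead of trusting that IPAddressDeny= is set on the unit.
# Assumptions: unified cgroup hierarchy at /sys/fs/cgroup, bpftool present,
# and privilege to run `bpftool cgroup list` (normally root).

# Classify `bpftool cgroup list <cgroup>` output read from stdin.
# bpftool's columns are: ID AttachType AttachFlags Name. Prints one of
# "enforced" (ingress and egress present), "partial" (one of them), "none".
skb_filter_state() {
    awk 'BEGIN { ing = 0; egr = 0 }
         $2 == "ingress" { ing = 1 }
         $2 == "egress"  { egr = 1 }
         END {
             if (ing && egr)      print "enforced"
             else if (ing || egr) print "partial"
             else                 print "none"
         }'
}

# Resolve a unit to its cgroup path relative to /sys/fs/cgroup.
# $1 = unit name, $2 = "--system" or "--user" (which manager to ask).
unit_cgroup_path() {
    systemctl "$2" show -p ControlGroup --value "$1"
}

# Report the filter state for one unit, e.g.
#   check_unit_ip_filter run-u294.scope --system
#   check_unit_ip_filter run-r256958d66c5342048ef95da34ca76b68.scope --user
# Exit status is 0 only when both directions are enforced.
check_unit_ip_filter() {
    unit=$1
    manager=${2:---system}
    cg=$(unit_cgroup_path "$unit" "$manager")
    if [ -z "$cg" ]; then
        echo "$unit: no ControlGroup reported (unit not running?)" >&2
        return 2
    fi
    state=$(bpftool cgroup list "/sys/fs/cgroup$cg" | skb_filter_state)
    echo "$unit ($manager): IP filter $state on /sys/fs/cgroup$cg"
    [ "$state" = "enforced" ]
}

# Run the live check only when a unit is given, so the functions above can
# also be sourced or exercised on canned bpftool output.
if [ $# -gt 0 ]; then
    check_unit_ip_filter "$@"
fi
```

Comparing the two scopes from the post with this check shows directly whether the --user manager installed any filter at all, rather than inferring it from ping.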