[systemd-devel] By default, restrict vsock
Fox, Kevin M
Kevin.Fox at pnnl.gov
Fri Jan 24 17:20:50 UTC 2025
That got me close. Thanks.
But, if I create a file (/usr/lib/systemd/system/service.d/10-vsock-default-disable.conf):
RestrictAddressFamilies=~AF_VSOCK
Then reboot,
The services that set explicitly:
RestrictAddressFamilies=.... AF_VSOCK
lose their AF_VSOCK property, breaking them (~ seems to have preference).
If I try and do it the other way around, and do something like:
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
Then the service that should have AF_VSOCK added still works, but all the services that have an explicit RestrictAddressFamilies with tighter restrictions get the default ones added, loosening their security.
So, I think there still is a problem here.
Any ideas?
Thanks,
Kevin
________________________________________
From: Michal Koutný
Sent: Tuesday, January 14, 2025 8:29 AM
To: Fox, Kevin M
Cc: systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] By default, restrict vsock
Hello.
On Fri, Jan 10, 2025 at 05:03:27PM +0000, "Fox, Kevin M" <Kevin.Fox at pnnl.gov> wrote:
> Is there a way to set `RestrictAddressFamilies=~AF_VSOCK` globally on
> all units unless they have RestrictAddressFamilies set that allows it?
With a generic service.d/num-restric.conf drop-in, see example with
10-all.conf in systemd.unit(5).
The selected services would need a higher drop-in that would allow it
again.
HTH,
Michal
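An added example, not part of either message and not systemd's own code: a small Python model of the merge behaviour reported in this thread, assuming assignments are applied in load order (unit file first, then drop-ins by file name). The unit values `AF_UNIX AF_VSOCK` and `AF_UNIX` and the final per-unit `AF_VSOCK` drop-in are constructed for illustration; the special value `none` is not modelled.

```python
# Simplified model (an assumption, not systemd source) of how repeated
# RestrictAddressFamilies= assignments combine across a unit and its drop-ins.
GLOBAL_DENY = "~AF_VSOCK"                              # drop-in from the thread
GLOBAL_ALLOW = "AF_INET AF_INET6 AF_NETLINK AF_UNIX"   # alternative from the thread


def merge(assignments):
    """Apply assignments in load order; return (mode, families)."""
    mode, fams = None, set()            # mode: None (unset), "allow" or "deny"
    for value in assignments:
        value = value.strip()
        if value == "":                 # an empty assignment resets the setting
            mode, fams = None, set()
            continue
        invert = value.startswith("~")
        names = set(value.lstrip("~").split())
        if mode is None:                # the first assignment fixes the list type
            mode = "deny" if invert else "allow"
        if invert == (mode == "deny"):
            fams |= names               # same sense as the list: add entries
        else:
            fams -= names               # opposite sense: remove entries
    return mode, fams


def permits(state, family):
    """True if a socket of this family would be allowed under the merged state."""
    mode, fams = state
    if mode is None:
        return True                     # no restriction configured
    return (family in fams) if mode == "allow" else (family not in fams)


if __name__ == "__main__":
    cases = {  # constructed unit settings, listed in load order
        "vsock unit + global deny": ["AF_UNIX AF_VSOCK", GLOBAL_DENY],
        "tight unit + global allow": ["AF_UNIX", GLOBAL_ALLOW],
        "unset unit + global deny": [GLOBAL_DENY],
        "tight unit + global deny": ["AF_UNIX", GLOBAL_DENY],
        "vsock unit + global deny + per-unit re-allow":
            ["AF_UNIX AF_VSOCK", GLOBAL_DENY, "AF_VSOCK"],
    }
    for name, assignments in cases.items():
        state = merge(assignments)
        print(f"{name}: {state[0]} {sorted(state[1])} "
              f"vsock={permits(state, 'AF_VSOCK')} inet={permits(state, 'AF_INET')}")
```

In this model the global `~AF_VSOCK` drop-in leaves tighter allow-lists unchanged, and only the units that need vsock require a later per-unit drop-in to add it back.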