[systemd-devel] By default, restrict vsock
Fox, Kevin M
Kevin.Fox at pnnl.gov
Wed Jan 29 19:45:27 UTC 2025
So, the main option now, is to write a script that looks for any service without a RestrictAddressFamilies and make a dropin to restrict it, and run the script whenever a new service is added?
Was hoping to avoid that as its complex / potentially error prone. But if thats what it takes, thats what it takes.
Thanks!
Kevin
________________________________
From: Michal Koutný
Sent: Wednesday, January 29, 2025 9:12 AM
To: Fox, Kevin M
Cc: systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] By default, restrict vsock
On Fri, Jan 24, 2025 at 05:20:50PM +0000, "Fox, Kevin M" <Kevin.Fox at pnnl.gov> wrote:
> So, I think there still is a problem here.
>
> Any ideas?
Hm, the latter is clearly generally unadvisable, so stick with the first
approach and allow the AF_VSOCK in a higher drop-in, in your case
/usr/lib/systemd/system/particular.service.d/20-vsock-enable.conf
(Admiteddly, the service config would be broken down to multiple files
this way.)
HTH,
Michal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20250129/e56bcd8e/attachment-0001.htm>
More information about the systemd-devel
mailing list