On Tue, Sep 26, 2023 at 09:44:52AM +0100, Daniel P. Berrangé wrote:
> On Mon, Sep 25, 2023 at 08:58:33PM +0200, Andrea Bolognani wrote:
> > This is the strongest relationship that can be declared between
> > two units, and causes the service to be terminated immediately
> > if any of its sockets disappear. This is the behavior we want.
>
> IIUC, this prevents running the service with /only/ the main
> socket, and ro/admin sockets disabled. Running without the
> ro socket in particular was something we wanted to allow to
> reduce exposure to unprivileged services (there have been
> a number of CVEs where the read-only socket was the way in)

This doesn't work today either AFAICT, since the ro/admin sockets are
marked as Required by the various services.

If we want to support this configuration, then we need

  # foo.service
  [Unit]
  BindsTo=foo.socket
  Wants=foo-ro.socket
  Wants=foo-admin.socket
  After=foo.socket

In the default scenario, things will work just the same as they do
here, but it will also be possible to mask foo{-ro,-admin}.socket to
obtain the hardened setup you describe.

-- 
Andrea Bolognani / Red Hat / Virtualization
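
The check below is an added example, not part of the original message or of the patch under discussion. It reads a service unit's [Unit] section and reports which masked sockets are hard dependencies (Requires=, Requisite=, BindsTo=) and would therefore stop the service from starting, as the reply describes. REQUIRES_LAYOUT is a constructed stand-in for the "marked as Required" situation, the function names are hypothetical, and line continuations and drop-ins are not handled.

```python
# Directives that make the listed unit a hard dependency of the service.
HARD = {"Requires", "Requisite", "BindsTo"}
# Directive that pulls the unit in but tolerates it being unavailable.
SOFT = {"Wants"}

def socket_deps(unit_text):
    """Return (hard, soft) sets of .socket units named in [Unit]."""
    hard, soft = set(), set()
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        names = {n for n in value.split() if n.endswith(".socket")}
        if key.strip() in HARD:
            hard |= names
        elif key.strip() in SOFT:
            soft |= names
    # A socket listed under both kinds is still a hard dependency.
    return hard, soft - hard

def blocking_masks(unit_text, masked):
    """Masked sockets that are hard dependencies; empty set means the
    hardened setup (service running without those sockets) is possible."""
    hard, _ = socket_deps(unit_text)
    return hard & set(masked)

# Constructed sample: every socket is a Requires= dependency.
REQUIRES_LAYOUT = """\
[Unit]
Requires=foo.socket
Requires=foo-ro.socket
Requires=foo-admin.socket
After=foo.socket
"""

# The layout proposed in the message above.
PROPOSED_LAYOUT = """\
# foo.service
[Unit]
BindsTo=foo.socket
Wants=foo-ro.socket
Wants=foo-admin.socket
After=foo.socket
"""
```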