Re: [libvirt PATCH 35/42] systemd: Replace Requires with BindTo+After for sockets

On Tue, Sep 26, 2023 at 04:09:17AM -0500, Andrea Bolognani wrote:
> On Tue, Sep 26, 2023 at 09:44:52AM +0100, Daniel P. Berrangé wrote:
> > On Mon, Sep 25, 2023 at 08:58:33PM +0200, Andrea Bolognani wrote:
> > > This is the strongest relationship that can be declared between
> > > two units, and causes the service to be terminated immediately
> > > if any of its sockets disappear. This is the behavior we want.
> >
> > IIUC, this prevents running the service with /only/ the main
> > socket, and ro/admin sockets disabled. Running without the
> > ro socket in particular was something we wanted to allow to
> > reduce exposure to unprivileged services (there have been
> > a number of CVEs where the read-only socket was the way in)
> 
> This doesn't work today either AFAICT, since the ro/admin sockets are
> marked as Required by the various services.

Doh, yes, I've confirmed. I'm sure it used to work, but we must have
broken it at some point as we tweaked the deps countless times over
to finesse the setup.

> If we want to support this configuration, then we need
> 
>   # foo.service
>   [Unit]
>   BindsTo=foo.socket
>   Wants=foo-ro.socket
>   Wants=foo-admin.socket
>   After=foo.socket
> 
> In the default scenario, things will work just the same as they do
> here, but it will also be possible to mask foo{-ro,-admin}.socket to
> obtain the hardened setup you describe.

Or we just decide to keep life simple, and if people want to harden
things they can change permissions on the socket via a system unit
override locally.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
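The two hardening options discussed above, written out as a constructed example that is not part of the thread or of libvirt's own unit files: a `foo.service` that is hard-bound (`BindsTo=`) to its main socket only and merely `Wants=` the ro/admin sockets, so either of those can be masked without the service being stopped, and, as the alternative Daniel mentions, a local drop-in for `foo-ro.socket` that tightens the socket's permissions with `SocketMode=`/`SocketUser=`/`SocketGroup=`. The `foo` names are the thread's placeholders; the units are written to a scratch directory rather than `/etc/systemd/system`, and the `socket_dep_kind` check is a small awk helper added here so the dependency kind of each socket can be audited without a running systemd.

```shell
#!/bin/sh
# Constructed example (not from the libvirt tree): the optional-socket layout
# sketched in the thread, plus a permissions-tightening drop-in, and a helper
# that reports which [Unit] directive (BindsTo/Requires/Wants) names a socket.
set -eu

# Scratch location instead of /etc/systemd/system so this runs unprivileged.
UNITDIR="${UNITDIR:-$(mktemp -d)}"

write_units() {
    mkdir -p "$UNITDIR/foo-ro.socket.d"

    # Service hard-bound to the main socket only; ro/admin sockets are optional.
    # BindsTo= is documented to work as intended only together with After=.
    cat >"$UNITDIR/foo.service" <<'EOF'
[Unit]
Description=foo daemon (constructed example)
BindsTo=foo.socket
Wants=foo-ro.socket
Wants=foo-admin.socket
After=foo.socket

[Service]
ExecStart=/usr/bin/true
EOF

    # Alternative: keep foo-ro.socket enabled but restrict who may connect.
    cat >"$UNITDIR/foo-ro.socket.d/override.conf" <<'EOF'
[Socket]
SocketMode=0600
SocketUser=root
SocketGroup=root
EOF
}

# Print the [Unit] directive that lists the given socket, or "none".
# Usage: socket_dep_kind <unit-file> <socket-unit-name>
socket_dep_kind() {
    unit="$1"; sock="$2"
    awk -v sock="$sock" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && /^(BindsTo|Requires|Wants)=/ {
            split($0, kv, "=")
            n = split(kv[2], deps, " ")
            for (i = 1; i <= n; i++)
                if (deps[i] == sock) { print kv[1]; found = 1; exit }
        }
        END { if (!found) print "none" }
    ' "$unit"
}

# A socket can be masked without taking the service down only when the
# service does not Require/BindsTo it (Wants, or no dependency at all).
socket_is_optional() {
    case "$(socket_dep_kind "$1" "$2")" in
        Wants|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: write the units and report each socket's dependency kind.
write_units
for s in foo.socket foo-ro.socket foo-admin.socket; do
    printf '%-18s %s\n' "$s" "$(socket_dep_kind "$UNITDIR/foo.service" "$s")"
done
```

With the layout above, `systemctl mask foo-ro.socket` removes the read-only entry point while `foo.service` keeps running from `foo.socket`; the drop-in is the lighter-touch alternative when the socket must stay present but reachable by fewer callers. Pointing the checker at a unit that still says `Requires=foo-ro.socket` makes the difference visible before anything is masked on a live host.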
