On Tue, Sep 26, 2023 at 01:36:39PM +0100, Daniel P. Berrangé wrote:
> On Tue, Sep 26, 2023 at 04:09:17AM -0500, Andrea Bolognani wrote:
> > On Tue, Sep 26, 2023 at 09:44:52AM +0100, Daniel P. Berrangé wrote:
> > > On Mon, Sep 25, 2023 at 08:58:33PM +0200, Andrea Bolognani wrote:
> > > > This is the strongest relationship that can be declared between
> > > > two units, and causes the service to be terminated immediately
> > > > if any of its sockets disappear. This is the behavior we want.
> > >
> > > IIUC, this prevents running the service with /only/ the main
> > > socket, and ro/admin sockets disabled. Running without the
> > > ro socket in particular was something we wanted to allow to
> > > reduce exposure to unprivileged services (there have been
> > > a number of CVEs where the read-only socket was the way in)
> >
> > This doesn't work today either AFAICT, since the ro/admin sockets are
> > marked as Required by the various services.
>
> Doh, yes, I've confirmed. I'm sure it used to work, but we must have
> broken it at some point as we tweaked the deps countless times over
> to finesse the setup.
>
> > If we want to support this configuration, then we need
> >
> >   # foo.service
> >   [Unit]
> >   BindsTo=foo.socket
> >   Wants=foo-ro.socket
> >   Wants=foo-admin.socket
> >   After=foo.socket
> >
> > In the default scenario, things will work just the same as they do
> > here, but it will also be possible to mask foo{-ro,-admin}.socket to
> > obtain the hardened setup you describe.
>
> Or we just decide to keep life simple, and if people want to harden
> things they can change permissions on the socket via a system unit
> override locally.

I don't think this is any more complicated than the version that uses
BindsTo/After for all sockets, and it shouldn't make things any worse
for people who stick with the defaults, so I don't mind trying to
integrate this requirement into v2.

-- 
Andrea Bolognani / Red Hat / Virtualization
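The dependency layout sketched in the quoted message, expanded into complete unit files as an added example; this is not code from the thread or from the libvirt project. The `foo` unit names are the thread's own placeholders; the socket paths, the socket modes, the `After=` lines for the two optional sockets, the `foo-readers` group and the drop-in file name are assumptions made for the example. It shows the weak layout (every socket a hard `Requires=` dependency, so masking any of them breaks the service) beside the corrected one (`BindsTo=` only for the main socket, `Wants=` for the optional ones), and the two local hardening routes the thread discusses: masking the read-only socket entirely, or keeping it but tightening its permissions with a unit override.

```ini
# ---- Weak layout (what the thread found in the current units) ----
# /etc/systemd/system/foo.service  (assumed path; illustrative only)
[Unit]
# Requires= on the optional sockets means `systemctl mask foo-ro.socket`
# makes foo.service fail to start: a masked Requires= dependency cannot
# be satisfied.
Requires=foo.socket foo-ro.socket foo-admin.socket
After=foo.socket foo-ro.socket foo-admin.socket

[Service]
ExecStart=/usr/sbin/foo --daemon   ; assumed binary

# ---- Corrected layout (Andrea's proposal, with After= for the Wants) ----
# /etc/systemd/system/foo.service
[Unit]
# BindsTo= is the strongest dependency: if foo.socket stops or
# disappears, foo.service is stopped with it. Combined with After= it
# also guarantees the socket is set up before the service starts.
BindsTo=foo.socket
# Wants= pulls the optional sockets in by default but tolerates their
# absence: a masked or missing foo-ro.socket is simply skipped.
Wants=foo-ro.socket
Wants=foo-admin.socket
# After= on the Wants= sockets is an assumption added here so that, when
# they are enabled, they are listening before the daemon starts.
After=foo.socket foo-ro.socket foo-admin.socket

[Service]
ExecStart=/usr/sbin/foo --daemon

# /etc/systemd/system/foo.socket   (main, privileged socket)
[Unit]
Description=foo main socket

[Socket]
ListenStream=/run/foo/foo-sock      ; assumed path
SocketMode=0600
Service=foo.service

[Install]
WantedBy=sockets.target

# /etc/systemd/system/foo-ro.socket   (unprivileged, read-only socket)
[Unit]
Description=foo read-only socket

[Socket]
ListenStream=/run/foo/foo-sock-ro   ; assumed path
# World-accessible by design: this is the socket the thread wants
# to be able to switch off, since it is the widest exposure.
SocketMode=0666
Service=foo.service

[Install]
WantedBy=sockets.target

# ---- Hardening route 1: drop the read-only socket entirely ----
# With the corrected layout this is now safe, because foo.service only
# Wants= the socket. Run as root (not a unit file, shown for completeness):
#   systemctl mask --now foo-ro.socket
#   systemctl restart foo.service
# Under the weak layout the same command would leave foo.service unstartable.

# ---- Hardening route 2: keep the socket, restrict who can reach it ----
# Daniel's alternative: a local override instead of masking.
# /etc/systemd/system/foo-ro.socket.d/override.conf  (assumed file name)
[Socket]
# Only members of the (assumed) foo-readers group may connect.
SocketMode=0660
SocketGroup=foo-readers
# Apply with: systemctl daemon-reload && systemctl restart foo-ro.socket
```

Under the corrected layout, `systemctl show -p BindsTo,Wants,Requires foo.service` is the quick check: the main socket should appear under `BindsTo=`, the optional ones under `Wants=`, and `Requires=` should not list any of them. Route 2 is the only one of the two that works with the weak layout as-is, which is exactly the "keep life simple" trade-off Daniel raises.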