Re: CVE-2016-8655, systemd, and Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/13/2016 12:17 PM, Lennart Poettering wrote:
On Mon, 12.12.16 21:22, Paul Wouters (paul@xxxxxxxxx) wrote:

that's totally possible, and can be functionality-wise entirely
equivalent. The only difference is: systemd makes all of this
trivially easy to use, by making this a single-line change in a unit
file without involving C hacking.

For us (libreswan) it probably makes less sense to restrict address
family in the daemon. Our daemon just listens to UDP 500/4500, so it
would never be affected by any other kind of address families.

Well, if it creates that UDP socket itself then it needs access to
AF_INET, and AF_INET6 at least. And things like syslog() usually imply
AF_UNIX, hence it would probably be a good idea to add
"RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" if your service
really needs nothing else. That way the service will lose access to
AF_PACKET, AF_NETLINK, AF_BLUETOOTH, … and everything else.

Proper IPv6 support requires AF_NETLINK, too.

Thanks,
Florian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux