On Tue, Dec 13, 2016 at 05:54:54PM +0100, Florian Weimer wrote:
> On 12/13/2016 12:17 PM, Lennart Poettering wrote:
> > On Mon, 12.12.16 21:22, Paul Wouters (paul@xxxxxxxxx) wrote:
> > > For us (libreswan) it probably makes less sense to restrict address
> > > family in the daemon. Our daemon just listens to UDP 500/4500, so it
> > > would never be affected by any other kind of address families.
> >
> > Well, if it creates that UDP socket itself then it needs access to
> > AF_INET, and AF_INET6 at least. And things like syslog() usually imply
> > AF_UNIX, hence it would probably be a good idea to add
> > "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" if your service
> > really needs nothing else. That way the service will lose access to
> > AF_PACKET, AF_NETLINK, AF_BLUETOOTH, … and everything else.
>
> Proper IPv6 support requires AF_NETLINK, too.

IPsec requires AF_NETLINK (NETLINK_XFRM) to manage the security
associations & security policies. libreswan probably also needs to be
able to manage the routing for IPsec tunnels (NETLINK_ROUTE[6]).

The original RFCs for IPv6 mandated support for IPsec, but that's no
longer required as of RFC 6434. Nothing else popped out at me as
necessary for IPv6, but it's probably a moot point given XFRM.

So "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK" is
probably enough? :)
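A way to check the allow-list discussed in this thread from inside a unit, as an added example that is not part of the original messages or of libreswan or systemd: it tries to create a socket in each family the thread names and compares the outcome with the proposed set. The function names and the verdict strings are assumptions made for this sketch.

```python
import errno
import socket

# Address families named in the thread.
FAMILIES = ["AF_INET", "AF_INET6", "AF_UNIX", "AF_NETLINK", "AF_PACKET", "AF_BLUETOOTH"]
# The allow-list proposed at the end of the thread.
PROPOSED = {"AF_INET", "AF_INET6", "AF_UNIX", "AF_NETLINK"}


def classify(err):
    """Map the errno of a failed socket() call (None on success) to a verdict."""
    if err is None:
        return "allowed"
    if err == errno.EAFNOSUPPORT:
        # Returned by systemd's seccomp filter for a family that is not on the
        # allow-list, and by the kernel when the family is not available at all.
        return "blocked"
    if err in (errno.EPERM, errno.EACCES):
        # The family was reached; only privileges are missing
        # (for example AF_PACKET without CAP_NET_RAW).
        return "needs-privilege"
    return "error:" + errno.errorcode.get(err, str(err))


def probe(name):
    """Try to create a datagram socket in the named family."""
    family = getattr(socket, name, None)
    if family is None:
        return "unknown-to-python"  # constant missing from this Python build
    try:
        socket.socket(family, socket.SOCK_DGRAM).close()
    except OSError as exc:
        return classify(exc.errno)
    return "allowed"


def audit(allowed=PROPOSED):
    """Probe every family and compare what is reachable with the allow-list."""
    results = {name: probe(name) for name in FAMILIES}
    reachable = {n for n, v in results.items() if v in ("allowed", "needs-privilege")}
    return {
        "results": results,
        # Reachable although not allow-listed: the restriction is not in effect.
        "still_reachable": sorted(reachable - set(allowed)),
        # Allow-listed but unusable here: the service would break.
        "missing": sorted(set(allowed) - reachable),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

Run it in the service's own unit, or in a transient one such as `systemd-run --pty -p RestrictAddressFamilies="AF_INET AF_INET6 AF_UNIX AF_NETLINK" python3 probe.py` (the script name is a placeholder). With the restriction in effect, `still_reachable` is empty.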