Re: By default, restrict vsock

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

That got me close. Thanks.

But, if I create a file (/usr/lib/systemd/system/service.d/10-vsock-default-disable.conf):
RestrictAddressFamilies=~AF_VSOCK

Then reboot,
The services that set explicitly:
RestrictAddressFamilies=.... AF_VSOCK

Loose their AF_VSOCK property, breaking them (~ seems to have preference)

If I try and do it the other way around, and do something like:
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

Then the service that should have AF_VSOCK added still works, but all the services that have an explicit RestrictAddressFamilies with tighter restrictions get the default ones added, loosening their security.

So, I think there still is a problem here.

Any ideas?

Thanks,
Kevin

________________________________________
From: Michal Koutný
Sent: Tuesday, January 14, 2025 8:29 AM
To: Fox, Kevin M
Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  By default, restrict vsock


Hello.

On Fri, Jan 10, 2025 at 05:03:27PM +0000, "Fox, Kevin M" <Kevin.Fox@xxxxxxxx> wrote:
> Is there a way to set `RestrictAddressFamilies=~AF_VSOCK` globally on
> all units unless they have RestrictAddressFamilies set that allows it?

With a generic service.d/num-restric.conf drop-in, see example with
10-all.conf in systemd.unit(5).

The selected services would need a higher drop-in that would allow it
again.

HTH,
Michal
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux