Re: By default, restrict vsock

So, the main option now, is to write a script that looks for any service without a RestrictAddressFamilies and make a dropin to restrict it, and run the script whenever a new service is added?

Was hoping to avoid that as it's complex / potentially error prone. But if that's what it takes, that's what it takes.

Thanks!

Kevin


From: Michal Koutný
Sent: Wednesday, January 29, 2025 9:12 AM
To: Fox, Kevin M
Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: By default, restrict vsock

On Fri, Jan 24, 2025 at 05:20:50PM +0000, "Fox, Kevin M" <Kevin.Fox@xxxxxxxx> wrote:
> So, I think there still is a problem here.
>
> Any ideas?

Hm, the latter is clearly generally unadvisable, so stick with the first
approach and allow the AF_VSOCK in a higher drop-in, in your case

/usr/lib/systemd/system/particular.service.d/20-vsock-enable.conf

(Admittedly, the service config would be broken down to multiple files
this way.)

HTH,
Michal
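The approach discussed in both messages, as an added example rather than code from the thread: a script that finds services without any RestrictAddressFamilies= setting and gives them a low-numbered drop-in denying AF_VSOCK, plus a helper that writes the higher-numbered 20-vsock-enable.conf Michal suggests for a service that genuinely needs vsock. The unit directory, the drop-in file names and the sample units are assumptions; the re-allow helper relies on the later drop-in overriding the earlier one as described in the thread.

```shell
#!/bin/sh
# Added example, not from the systemd project or the thread.
set -eu

# Return 0 if the unit file or any existing drop-in already sets
# RestrictAddressFamilies= (in any section; units only use it in [Service]).
has_restriction() {
    unit_dir=$1; unit=$2
    grep -qs '^[[:space:]]*RestrictAddressFamilies=' "$unit_dir/$unit" && return 0
    for f in "$unit_dir/$unit.d"/*.conf; do
        [ -f "$f" ] && grep -qs '^[[:space:]]*RestrictAddressFamilies=' "$f" && return 0
    done
    return 1
}

# Deny AF_VSOCK for one unit via a low-numbered drop-in (assumed name),
# unless the unit already carries an address-family restriction.
# Prints the path written, if any.
restrict_unit() {
    unit_dir=$1; unit=$2
    if has_restriction "$unit_dir" "$unit"; then
        return 0
    fi
    mkdir -p "$unit_dir/$unit.d"
    printf '[Service]\nRestrictAddressFamilies=~AF_VSOCK\n' \
        > "$unit_dir/$unit.d/10-vsock-restrict.conf"
    printf '%s\n' "$unit_dir/$unit.d/10-vsock-restrict.conf"
}

# Re-allow AF_VSOCK for a service that needs it, in a higher-numbered
# drop-in so it is applied after 10-vsock-restrict.conf.
allow_vsock_unit() {
    unit_dir=$1; unit=$2
    mkdir -p "$unit_dir/$unit.d"
    printf '[Service]\nRestrictAddressFamilies=AF_VSOCK\n' \
        > "$unit_dir/$unit.d/20-vsock-enable.conf"
    printf '%s\n' "$unit_dir/$unit.d/20-vsock-enable.conf"
}

# Walk every *.service in the directory (default: the vendor unit dir).
# Re-run after installing new units; then `systemctl daemon-reload`.
restrict_all() {
    unit_dir=${1:-/usr/lib/systemd/system}
    for path in "$unit_dir"/*.service; do
        [ -e "$path" ] || continue
        restrict_unit "$unit_dir" "$(basename "$path")"
    done
}
```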
