From: Lennart Poettering
Date: Wed, 3 Jun 2026 06:37:03 +0000 (+0200)
Subject: units: tag all .varlink sockets with the right xattrs
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53fc4c48e7d40293e8f79392e2da91323dd50268;p=thirdparty%2Fsystemd.git

units: tag all .varlink sockets with the right xattrs

This also relaxes the inode access modes a bit, in case they were set to 0600: we now set the "r" bit too, i.e. use 0644. This is beneficial since it permits unpriv code to read the xattrs of the entrypoints (which require read access). Note that in order to be able to connect() to a socket inode you need write access, hence this shouldn't compromise security in any way.
---

diff --git a/units/systemd-ask-password.socket b/units/systemd-ask-password.socket
index df5eaffc22b..4251ecabf49 100644
--- a/units/systemd-ask-password.socket
+++ b/units/systemd-ask-password.socket
@@ -20,3 +20,6 @@ FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/systemd-bootctl.socket b/units/systemd-bootctl.socket
index e720f24f543..64b42e3ce1c 100644
--- a/units/systemd-bootctl.socket
+++ b/units/systemd-bootctl.socket
@@ -18,6 +18,9 @@ Before=sockets.target
 ListenStream=/run/systemd/io.systemd.BootControl
 Symlinks=/run/varlink/registry/io.systemd.BootControl
 FileDescriptorName=varlink
-SocketMode=0600
+SocketMode=0644
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/systemd-creds.socket b/units/systemd-creds.socket
index 3ea3ca5b053..452c4d2bcb6 100644
--- a/units/systemd-creds.socket
+++ b/units/systemd-creds.socket
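Review bot: The `user.varlink` tags added by `XAttrEntryPoint=`, `XAttrListen=` and `XAttrAccept=` in this hunk (systemd-ask-password.socket) are `user.*` extended attributes, and the kernel gates those by the inode's permission bits, so on the many 0666 sockets in this commit write access appears to cover rewriting the tag as well as connecting; that makes the tags usable as a discovery hint but not as something a client can trust about the peer, which the description's "shouldn't compromise security" sentence does not spell out. The kernel has also historically refused `user.*` attributes on non-regular inodes such as sockets, so if these directives rely on a newer kernel baseline that dependency should be stated (NEWS or the man page), which I cannot confirm from the diff. A short comment above the new lines would help the next maintainer, e.g. `# user.varlink xattrs mark this inode for varlink entrypoint discovery; they are a hint, not an access control.` The same point applies to every other hunk in this commit.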
@@ -20,3 +20,6 @@ FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/systemd-factory-reset.socket b/units/systemd-factory-reset.socket
index 467517ec24b..bba00e0fa95 100644
--- a/units/systemd-factory-reset.socket
+++ b/units/systemd-factory-reset.socket
@@ -20,6 +20,9 @@ FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-hostnamed.socket b/units/systemd-hostnamed.socket
index f84853ade8a..da938ba0197 100644
--- a/units/systemd-hostnamed.socket
+++ b/units/systemd-hostnamed.socket
@@ -21,3 +21,5 @@ ListenStream=/run/systemd/io.systemd.Hostname
 Symlinks=/run/varlink/registry/io.systemd.Hostname
 FileDescriptorName=varlink
 SocketMode=0666
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
diff --git a/units/systemd-imds-metrics.socket b/units/systemd-imds-metrics.socket
index f71a31e5b9a..e828864010b 100644
--- a/units/systemd-imds-metrics.socket
+++ b/units/systemd-imds-metrics.socket
@@ -20,3 +20,6 @@ SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/systemd-imdsd.socket b/units/systemd-imdsd.socket
index daeb7840b3e..20d8eb39033 100644
--- a/units/systemd-imdsd.socket
+++ b/units/systemd-imdsd.socket
@@ -21,6 +21,9 @@ SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 # Note that this is typically pulled in automatically by
 # systemd-imds-generator, but you can also enable it manually if you like.
diff --git a/units/systemd-importd.socket b/units/systemd-importd.socket
index a538ef0d0e0..0fe7edce66b 100644
--- a/units/systemd-importd.socket
+++ b/units/systemd-importd.socket
@@ -23,3 +23,5 @@ ListenStream=/run/systemd/io.systemd.Import
 Symlinks=/run/varlink/registry/io.systemd.Import
 FileDescriptorName=varlink
 SocketMode=0666
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
diff --git a/units/systemd-journalctl.socket b/units/systemd-journalctl.socket
index 59d0af34495..7284b539aa0 100644
--- a/units/systemd-journalctl.socket
+++ b/units/systemd-journalctl.socket
@@ -19,6 +19,9 @@ ListenStream=/run/systemd/io.systemd.JournalAccess
 Symlinks=/run/varlink/registry/io.systemd.JournalAccess
 FileDescriptorName=varlink
 SocketGroup=systemd-journal
-SocketMode=0660
+SocketMode=0664
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/systemd-journald-varlink@.socket b/units/systemd-journald-varlink@.socket
index e48a93c202b..c8d09b93d47 100644
--- a/units/systemd-journald-varlink@.socket
+++ b/units/systemd-journald-varlink@.socket
@@ -16,3 +16,5 @@ StopWhenUnneeded=yes
 Service=systemd-journald@%i.service
 ListenStream=/run/systemd/journal.%i/io.systemd.journal
 SocketMode=0666
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
diff --git a/units/systemd-logind-varlink.socket b/units/systemd-logind-varlink.socket
index 377eac7006f..83cd5ece8c5 100644
--- a/units/systemd-logind-varlink.socket
+++ b/units/systemd-logind-varlink.socket
@@ -17,3 +17,5 @@ Symlinks=/run/varlink/registry/io.systemd.Login /run/varlink/registry/io.systemd
 FileDescriptorName=varlink
 SocketMode=0666
 Service=systemd-logind.service
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
diff --git a/units/systemd-machined.socket b/units/systemd-machined.socket
index 75a91bb0ccc..dbabd9376cd 100644
--- a/units/systemd-machined.socket
+++ b/units/systemd-machined.socket
@@ -16,3 +16,5 @@ ListenStream=/run/systemd/machine/io.systemd.Machine
 Symlinks=/run/systemd/machine/io.systemd.MachineImage /run/varlink/registry/io.systemd.Machine /run/varlink/registry/io.systemd.MachineImage
 FileDescriptorName=varlink
 SocketMode=0666
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
diff --git a/units/systemd-mountfsd.socket b/units/systemd-mountfsd.socket
index a3e19cc418c..46dfb021dd2 100644
--- a/units/systemd-mountfsd.socket
+++ b/units/systemd-mountfsd.socket
@@ -20,6 +20,8 @@ ListenStream=/run/systemd/io.systemd.MountFileSystem
 Symlinks=/run/varlink/registry/io.systemd.MountFileSystem
 FileDescriptorName=varlink
 SocketMode=0666
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-mute-console.socket b/units/systemd-mute-console.socket
index 5eae6d5acd0..1b7ce2bfdb2 100644
--- a/units/systemd-mute-console.socket
+++ b/units/systemd-mute-console.socket
@@ -19,6 +19,9 @@ Before=shutdown.target
 ListenStream=/run/systemd/io.systemd.MuteConsole
 Symlinks=/run/varlink/registry/io.systemd.MuteConsole
 FileDescriptorName=varlink
-SocketMode=0600
+SocketMode=0644
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/systemd-networkd-resolve-hook.socket b/units/systemd-networkd-resolve-hook.socket
index 07b596319b4..e56697e77f6 100644
--- a/units/systemd-networkd-resolve-hook.socket
+++ b/units/systemd-networkd-resolve-hook.socket
@@ -22,6 +22,8 @@ FileDescriptorName=resolve-hook
 SocketMode=0666
 Service=systemd-networkd.service
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-networkd-varlink-metrics.socket b/units/systemd-networkd-varlink-metrics.socket
index 562cc6b7f2b..3ae15c13bc6 100644
--- a/units/systemd-networkd-varlink-metrics.socket
+++ b/units/systemd-networkd-varlink-metrics.socket
@@ -20,6 +20,8 @@ ListenStream=/run/systemd/report/io.systemd.Network
 FileDescriptorName=varlink-metrics
 SocketMode=0666
 Service=systemd-networkd.service
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-networkd-varlink.socket b/units/systemd-networkd-varlink.socket
index 1f4db858bc6..264e81f602d 100644
--- a/units/systemd-networkd-varlink.socket
+++ b/units/systemd-networkd-varlink.socket
@@ -21,6 +21,8 @@ Symlinks=/run/varlink/registry/io.systemd.Network
 FileDescriptorName=varlink
 SocketMode=0666
 Service=systemd-networkd.service
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-nsresourced.socket b/units/systemd-nsresourced.socket
index 6b4a883df30..2840be43e20 100644
--- a/units/systemd-nsresourced.socket
+++ b/units/systemd-nsresourced.socket
@@ -20,6 +20,8 @@ ListenStream=/run/systemd/io.systemd.NamespaceResource
 Symlinks=/run/systemd/userdb/io.systemd.NamespaceResource /run/varlink/registry/io.systemd.NamespaceResource
 FileDescriptorName=varlink
 SocketMode=0666
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-oomd.socket b/units/systemd-oomd.socket
index 4e24342f581..9b0f822d9e5 100644
--- a/units/systemd-oomd.socket
+++ b/units/systemd-oomd.socket
@@ -22,6 +22,8 @@ ConditionPathExists=/proc/pressure/memory
 ListenStream=/run/systemd/oom/io.systemd.ManagedOOM
 SocketMode=0666
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-pcrextend.socket b/units/systemd-pcrextend.socket
index 0f4ab11e2fd..2be4e51a253 100644
--- a/units/systemd-pcrextend.socket
+++ b/units/systemd-pcrextend.socket
@@ -19,9 +19,12 @@ ConditionSecurity=measured-os
 ListenStream=/run/systemd/io.systemd.PCRExtend
 Symlinks=/run/varlink/registry/io.systemd.PCRExtend
 FileDescriptorName=varlink
-SocketMode=0600
+SocketMode=0644
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-pcrlock.socket b/units/systemd-pcrlock.socket
index efb68186832..637462bb412 100644
--- a/units/systemd-pcrlock.socket
+++ b/units/systemd-pcrlock.socket
@@ -19,6 +19,9 @@ ConditionSecurity=measured-uki
 ListenStream=/run/systemd/io.systemd.PCRLock
 Symlinks=/run/varlink/registry/io.systemd.PCRLock
 FileDescriptorName=varlink
-SocketMode=0600
+SocketMode=0644
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/systemd-repart.socket b/units/systemd-repart.socket
index ecd275414d5..b79505fe079 100644
--- a/units/systemd-repart.socket
+++ b/units/systemd-repart.socket
@@ -19,6 +19,9 @@ Before=shutdown.target
 ListenStream=/run/systemd/io.systemd.Repart
 Symlinks=/run/varlink/registry/io.systemd.Repart
 FileDescriptorName=varlink
-SocketMode=0600
+SocketMode=0644
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/systemd-report-basic.socket b/units/systemd-report-basic.socket
index ba5d88c8e7e..f31dab50e25 100644
--- a/units/systemd-report-basic.socket
+++ b/units/systemd-report-basic.socket
@@ -18,6 +18,9 @@ SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-report-cgroup.socket b/units/systemd-report-cgroup.socket
index 39a867cd40c..2168129a7af 100644
--- a/units/systemd-report-cgroup.socket
+++ b/units/systemd-report-cgroup.socket
@@ -20,6 +20,9 @@ SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-report-files.socket b/units/systemd-report-files.socket
index f37c508cf6b..b5e6491a10a 100644
--- a/units/systemd-report-files.socket
+++ b/units/systemd-report-files.socket
@@ -21,6 +21,9 @@ SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-report-sign-plain.socket b/units/systemd-report-sign-plain.socket
index 4a6dea580d6..7c3c5017091 100644
--- a/units/systemd-report-sign-plain.socket
+++ b/units/systemd-report-sign-plain.socket
@@ -28,6 +28,9 @@ SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-report-sign-tsm.socket b/units/systemd-report-sign-tsm.socket
index 1756dde8cfb..5817075fa75 100644
--- a/units/systemd-report-sign-tsm.socket
+++ b/units/systemd-report-sign-tsm.socket
@@ -22,6 +22,9 @@ SocketMode=0600
 Accept=yes
 MaxConnectionsPerSource=16
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
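Review bot: systemd-report-sign-tsm.socket keeps `SocketMode=0600` (it is the hunk header's context line, just above this hunk) while receiving the same three xattr directives as the other sockets, yet the description says 0600 modes are relaxed to 0644 precisely so unprivileged code can read the xattrs; with 0600 only the owner can read `user.varlink`, so either this socket was missed by the relaxation or it is intentionally root-only and that deserves a comment in the unit. If the latter, a line above `Accept=yes` such as `# Deliberately kept 0600: the varlink xattrs here are readable by root only.` would stop the next person from "fixing" it. The units under units/user/ (ask-password, importd, journalctl, machined, storage-fs) also stay at 0600, which is presumably fine since there the socket owner is the same user that would read the tag, but the commit message could say so. The SocketMode line itself is outside the hunk, so the hunk does not show whether it was changed elsewhere.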
diff --git a/units/systemd-resolved-monitor.socket b/units/systemd-resolved-monitor.socket
index 3674a1f876e..9bb4dd646fe 100644
--- a/units/systemd-resolved-monitor.socket
+++ b/units/systemd-resolved-monitor.socket
@@ -20,6 +20,8 @@ ListenStream=/run/systemd/resolve/io.systemd.Resolve.Monitor
 Symlinks=/run/varlink/registry/io.systemd.Resolve.Monitor
 FileDescriptorName=varlink-monitor
 SocketMode=0666
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-resolved-varlink.socket b/units/systemd-resolved-varlink.socket
index a5701683732..65593df1d01 100644
--- a/units/systemd-resolved-varlink.socket
+++ b/units/systemd-resolved-varlink.socket
@@ -20,6 +20,8 @@ ListenStream=/run/systemd/resolve/io.systemd.Resolve
 Symlinks=/run/varlink/registry/io.systemd.Resolve
 FileDescriptorName=varlink
 SocketMode=0666
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-storage-block.socket b/units/systemd-storage-block.socket
index 1d18b481a37..c8097e705b8 100644
--- a/units/systemd-storage-block.socket
+++ b/units/systemd-storage-block.socket
@@ -19,6 +19,9 @@ FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-storage-fs.socket b/units/systemd-storage-fs.socket
index c83cf0a11fd..d34e39d0593 100644
--- a/units/systemd-storage-fs.socket
+++ b/units/systemd-storage-fs.socket
@@ -20,6 +20,9 @@ FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-sysext.socket b/units/systemd-sysext.socket
index 61d7268f377..209592134b3 100644
--- a/units/systemd-sysext.socket
+++ b/units/systemd-sysext.socket
@@ -22,6 +22,9 @@ FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-udevd-varlink.socket b/units/systemd-udevd-varlink.socket
index c2b7652e5ea..b1094b9c9b7 100644
--- a/units/systemd-udevd-varlink.socket
+++ b/units/systemd-udevd-varlink.socket
@@ -19,6 +19,8 @@ Service=systemd-udevd.service
 ListenStream=/run/udev/io.systemd.Udev
 Symlinks=/run/varlink/registry/io.systemd.Udev
 FileDescriptorName=varlink
-SocketMode=0600
+SocketMode=0644
 RemoveOnStop=yes
 DeferTrigger=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
diff --git a/units/systemd-userdbd.socket b/units/systemd-userdbd.socket
index 6793d1b41df..83f3d7e5607 100644
--- a/units/systemd-userdbd.socket
+++ b/units/systemd-userdbd.socket
@@ -19,6 +19,8 @@ Symlinks=/run/systemd/userdb/io.systemd.NameServiceSwitch /run/systemd/userdb/io
 FileDescriptorName=varlink
 SocketMode=0666
 RemoveOnStop=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/user/systemd-ask-password.socket b/units/user/systemd-ask-password.socket
index 56492fae54d..13a23795578 100644
--- a/units/user/systemd-ask-password.socket
+++ b/units/user/systemd-ask-password.socket
@@ -19,3 +19,6 @@ Symlinks=%t/varlink/registry/io.systemd.AskPassword
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/user/systemd-importd.socket b/units/user/systemd-importd.socket
index 67ea62bdb0a..35108341f50 100644
--- a/units/user/systemd-importd.socket
+++ b/units/user/systemd-importd.socket
@@ -17,3 +17,5 @@ ListenStream=%t/systemd/io.systemd.Import
 Symlinks=%t/varlink/registry/io.systemd.Import
 FileDescriptorName=varlink
 SocketMode=0600
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
diff --git a/units/user/systemd-journalctl.socket b/units/user/systemd-journalctl.socket
index b8a504f0f30..a711ca2127e 100644
--- a/units/user/systemd-journalctl.socket
+++ b/units/user/systemd-journalctl.socket
@@ -17,3 +17,6 @@ Symlinks=%t/varlink/registry/io.systemd.JournalAccess
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
diff --git a/units/user/systemd-machined.socket b/units/user/systemd-machined.socket
index 17e552a7dcb..ffb4ff1ce32 100644
--- a/units/user/systemd-machined.socket
+++ b/units/user/systemd-machined.socket
@@ -16,3 +16,5 @@ ListenStream=%t/systemd/machine/io.systemd.Machine
 Symlinks=%t/systemd/machine/io.systemd.MachineImage %t/varlink/registry/io.systemd.Machine %t/varlink/registry/io.systemd.MachineImage
 FileDescriptorName=varlink
 SocketMode=0600
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
diff --git a/units/user/systemd-storage-fs.socket b/units/user/systemd-storage-fs.socket
index fa8018b2e85..23af4d79e6b 100644
--- a/units/user/systemd-storage-fs.socket
+++ b/units/user/systemd-storage-fs.socket
@@ -18,6 +18,9 @@ FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
 MaxConnectionsPerSource=16
+XAttrEntryPoint=user.varlink=entrypoint
+XAttrListen=user.varlink=listen
+XAttrAccept=user.varlink=server
 
 [Install]
 WantedBy=sockets.target