From: Lennart Poettering
Date: Wed, 7 Feb 2024 12:19:54 +0000 (+0100)
Subject: units: enable MaxConnectionsPerSocket= for all our Accept=yes units
X-Git-Tag: v256-rc1~896^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d1e8cd3e057261c6db3fb3d7de39b7ca48efd3b;p=thirdparty%2Fsystemd.git

units: enable MaxConnectionsPerSocket= for all our Accept=yes units

Let's make sure that users cannot DoS services for other users so easily, and enable MaxConnectionsPerSocket= by default for all of them.

Note that this is mostly paranoia for systemd-pcrextend.socket and systemd-sysext.socket: the socket is only accessible to root anyway, hence the accounting shouldn't change anything. But this is just a safety net, in preparation that we open up some functionality of these services sooner or later.
---
diff --git a/units/systemd-coredump.socket b/units/systemd-coredump.socket index a2d457fc027..c78eacd823d 100644 --- a/units/systemd-coredump.socket +++ b/units/systemd-coredump.socket @@ -19,3 +19,4 @@ ListenSequentialPacket=/run/systemd/coredump SocketMode=0600 Accept=yes MaxConnections=16 +MaxConnectionsPerSource=8 diff --git a/units/systemd-creds.socket b/units/systemd-creds.socket index 65b76bd027b..0f89b39c3e4 100644 --- a/units/systemd-creds.socket +++ b/units/systemd-creds.socket @@ -18,3 +18,4 @@ ListenStream=/run/systemd/io.systemd.Credentials FileDescriptorName=varlink SocketMode=0666 Accept=yes +MaxConnectionsPerSource=16 diff --git a/units/systemd-pcrextend.socket b/units/systemd-pcrextend.socket index 7d156c14483..41db50acd88 100644 --- a/units/systemd-pcrextend.socket +++ b/units/systemd-pcrextend.socket @@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.PCRExtend FileDescriptorName=varlink SocketMode=0600 Accept=yes +MaxConnectionsPerSource=16 [Install] WantedBy=sockets.target diff --git a/units/systemd-sysext.socket b/units/systemd-sysext.socket index ad870c5bfbb..1a616ca69ca 100644 --- a/units/systemd-sysext.socket 
+++ b/units/systemd-sysext.socket @@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.sysext FileDescriptorName=varlink SocketMode=0600 Accept=yes +MaxConnectionsPerSource=16 [Install] WantedBy=sockets.target
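
Review bot: The commit subject and body name the setting MaxConnectionsPerSocket=, but the line added in units/systemd-coredump.socket (and in every other hunk) is MaxConnectionsPerSource=; the message should use the name the hunks use, otherwise a search of the log for the directive will miss this commit. In the same hunk the new MaxConnectionsPerSource=8 sits directly under MaxConnections=16, so two sources at their cap already fill the unit's total. A one-line comment in the unit explaining why 8 of 16 was chosen would make the intended headroom clear.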
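
Review bot: units/systemd-creds.socket is the only unit in this patch with SocketMode=0666, and the visible lines of its hunk show no MaxConnections= next to the new MaxConnectionsPerSource=16, unlike systemd-coredump.socket, which sets MaxConnections=16 explicitly. This is the socket that unprivileged local users can actually reach, so it is where the per-source cap does real work. I would state the total explicitly here as well, so that the ratio between the per-source cap and the overall cap is readable in the unit file and does not depend on a default.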
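
Review bot: The hunks for units/systemd-pcrextend.socket and units/systemd-sysext.socket add MaxConnectionsPerSource=16 to sockets that keep SocketMode=0600, and the commit message itself says the accounting changes nothing while only root can connect. Since the limit only starts to matter once SocketMode= is relaxed, a short comment above the new line in each unit, saying that the value has to be revisited when the socket is opened up, would keep this safety net from being carried over unexamined. As it stands the same 16 is used for these root-only sockets and for the world-accessible systemd-creds.socket, with no stated reason for the number.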