From 087a6198778764bdc9bcc1f43d488be5c39e6d1e Mon Sep 17 00:00:00 2001
From: Andrea Bolognani
Date: Wed, 27 Sep 2023 15:44:34 +0200
Subject: [PATCH] systemd: Downgrade read-only/admin sockets to Wants
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Only the main socket is actually necessary for the service to be usable. In the past, we've had security issues that could be exploited via access to the read-only socket, so a security-minded administrator might consider disabling all optional sockets. This change makes such a setup possible. Note that the services will still try to activate all their sockets on startup, even if they have been disabled. To make sure that the optional sockets are never started, they will have to be masked.

Signed-off-by: Andrea Bolognani
Reviewed-by: Daniel P. Berrangé
---
 src/locking/virtlockd.service.in | 2 +-
 src/logging/virtlogd.service.in | 2 +-
 src/virtd.service.in | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in
index 35924a2ad7..fcf479c3c6 100644
--- a/src/locking/virtlockd.service.in
+++ b/src/locking/virtlockd.service.in
@@ -1,7 +1,7 @@
 [Unit]
 Description=Virtual machine lock manager
 BindsTo=virtlockd.socket
-Requires=virtlockd-admin.socket
+Wants=virtlockd-admin.socket
 After=virtlockd.socket
 Before=libvirtd.service
 Documentation=man:virtlockd(8)
diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
index 79d34bc73e..3265ecd6af 100644
--- a/src/logging/virtlogd.service.in
+++ b/src/logging/virtlogd.service.in
@@ -1,7 +1,7 @@
 [Unit]
 Description=Virtual machine log manager
 BindsTo=virtlogd.socket
-Requires=virtlogd-admin.socket
+Wants=virtlogd-admin.socket
 After=virtlogd.socket
 Before=libvirtd.service
 Documentation=man:virtlogd(8)
diff --git a/src/virtd.service.in b/src/virtd.service.in
index e7f08b4da9..f4f1bc217d 100644
--- a/src/virtd.service.in
+++ b/src/virtd.service.in
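Review bot: The reason the `-admin` socket is now only `Wants=` rather than `Requires=` is recorded solely in the commit message, so an administrator reading virtlockd.service.in or virtlogd.service.in has no hint that the socket is optional, nor that disabling it is not enough to stop the service from activating it at startup. A unit-file comment directly above each new `Wants=` line would carry that, e.g. `# Optional socket: the service works without it. Disabling alone does not prevent activation at startup; mask the socket unit to keep it from ever being started.` The same comment is warranted for the two `Wants=` lines covering the `-ro` and `-admin` sockets in src/virtd.service.in in the following hunk, where the read-only socket is the one the commit message singles out for past security issues. Whether the `@name@`/`@service@` templating step passes `#` comment lines through into the generated units is not visible from this diff.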
@@ -1,8 +1,8 @@
 [Unit]
 Description=@name@ daemon
 BindsTo=@service@.socket
-Requires=@service@-ro.socket
-Requires=@service@-admin.socket
+Wants=@service@-ro.socket
+Wants=@service@-admin.socket
 After=@service@.socket
 Conflicts=libvirtd.service
 After=libvirtd.service
-- 
2.47.2