]> xenbits.xensource.com Git - libvirt.git/commitdiff
projects / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e708f4a)
systemd: Downgrade read-only/admin sockets to Wants
authorAndrea Bolognani <abologna@redhat.com>
Wed, 27 Sep 2023 13:44:34 +0000 (15:44 +0200)
committerAndrea Bolognani <abologna@redhat.com>
Mon, 2 Oct 2023 08:41:07 +0000 (10:41 +0200)
Only the main socket is actually necessary for the service to be
usable.

In the past, we've had security issues that could be exploited via
access to the read-only socket, so a security-minded administrator
might consider disabling all optional sockets. This change makes
such a setup possible.

Note that the services will still try to activate all their
sockets on startup, even if they have been disabled. To make sure
that the optional sockets are never started, they will have to be
masked.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
src/locking/virtlockd.service.in patch | blob | blame | history
src/logging/virtlogd.service.in patch | blob | blame | history
src/virtd.service.in patch | blob | blame | history

diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in
index 35924a2ad780158fd53dc2bc62458d7aecdf6a4a..fcf479c3c6e055862b698db5a1905ff48e785527 100644 (file)
--- a/src/locking/virtlockd.service.in
+++ b/src/locking/virtlockd.service.in
@@ -1,7 +1,7 @@
 [Unit]
 Description=Virtual machine lock manager
 BindsTo=virtlockd.socket
-Requires=virtlockd-admin.socket
+Wants=virtlockd-admin.socket
 After=virtlockd.socket
 Before=libvirtd.service
 Documentation=man:virtlockd(8)
diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
index 79d34bc73e14940140defe501d5e347e308996b1..3265ecd6afb6bbc767f75ee392398d369a76fc8d 100644 (file)
--- a/src/logging/virtlogd.service.in
+++ b/src/logging/virtlogd.service.in
@@ -1,7 +1,7 @@
 [Unit]
 Description=Virtual machine log manager
 BindsTo=virtlogd.socket
-Requires=virtlogd-admin.socket
+Wants=virtlogd-admin.socket
 After=virtlogd.socket
 Before=libvirtd.service
 Documentation=man:virtlogd(8)
diff --git a/src/virtd.service.in b/src/virtd.service.in
index e7f08b4da906423bcd8899ebebb9a188d5f21907..f4f1bc217dde2598354f531fdc564cbc17429bff 100644 (file)
--- a/src/virtd.service.in
+++ b/src/virtd.service.in
@@ -1,8 +1,8 @@
 [Unit]
 Description=@name@ daemon
 BindsTo=@service@.socket
-Requires=@service@-ro.socket
-Requires=@service@-admin.socket
+Wants=@service@-ro.socket
+Wants=@service@-admin.socket
 After=@service@.socket
 Conflicts=libvirtd.service
 After=libvirtd.service
Unnamed repository; edit this file 'description' to name the repository.