[libvirt PATCH v2 26/33] systemd: Downgrade read-only/admin sockets to Wants
Daniel P. Berrangé
berrange at redhat.com
Thu Sep 28 10:42:42 UTC 2023
On Wed, Sep 27, 2023 at 06:19:27PM +0200, Andrea Bolognani wrote:
> Only the main socket is actually necessary for the service to be
> usable.
>
> In the past, we've had security issues that could be exploited via
> access to the read-only socket, so a security-minded administrator
> might consider disabling all optional sockets. This change makes
> such a setup possible.
>
> Note that the services will still try to activate all their
> sockets on startup, even if they have been disabled. To make sure
> that the optional sockets are never started, they will have to be
> masked.
>
> Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> ---
> src/locking/virtlockd.service.in | 2 +-
> src/logging/virtlogd.service.in | 2 +-
> src/virtd.service.in | 4 ++--
> 3 files changed, 4 insertions(+), 4 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|