mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 13:45:38 +00:00
systemd: Downgrade read-only/admin sockets to Wants
Only the main socket is actually necessary for the service to be usable.

In the past, we've had security issues that could be exploited via access to the read-only socket, so a security-minded administrator might consider disabling all optional sockets. This change makes such a setup possible.

Note that the services will still try to activate all their sockets on startup, even if they have been disabled. To make sure that the optional sockets are never started, they will have to be masked.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
e708f4af97
commit
087a619877
@ -1,7 +1,7 @@
|
||||
[Unit]
|
||||
Description=Virtual machine lock manager
|
||||
BindsTo=virtlockd.socket
|
||||
Requires=virtlockd-admin.socket
|
||||
Wants=virtlockd-admin.socket
|
||||
After=virtlockd.socket
|
||||
Before=libvirtd.service
|
||||
Documentation=man:virtlockd(8)
|
||||
|
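Review bot: Missing documentation at the new `Wants=virtlockd-admin.socket` line: Wants= still pulls the admin socket in every time virtlockd.service starts, so an administrator who only disables the socket will find it listening again after the next service start. The commit message says masking is required, but nothing in the unit file does. A short comment above the line stating that the socket is optional and must be masked (not just disabled) to stay closed would put that where administrators reading the unit will see it.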
@ -1,7 +1,7 @@
|
||||
[Unit]
|
||||
Description=Virtual machine log manager
|
||||
BindsTo=virtlogd.socket
|
||||
Requires=virtlogd-admin.socket
|
||||
Wants=virtlogd-admin.socket
|
||||
After=virtlogd.socket
|
||||
Before=libvirtd.service
|
||||
Documentation=man:virtlogd(8)
|
||||
|
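Review bot: With `Requires=virtlogd-admin.socket` replaced by `Wants=virtlogd-admin.socket`, a failure to bring up the admin socket no longer stops virtlogd.service from starting, so the service can come up without its admin interface and nothing reports it at start time. That is the intended trade-off, but it is worth stating in the man page named on the `Documentation=man:virtlogd(8)` line, together with the masking requirement from the commit message, so that tooling depending on the admin socket knows to check for it explicitly.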
@ -1,8 +1,8 @@
|
||||
[Unit]
|
||||
Description=@name@ daemon
|
||||
BindsTo=@service@.socket
|
||||
Requires=@service@-ro.socket
|
||||
Requires=@service@-admin.socket
|
||||
Wants=@service@-ro.socket
|
||||
Wants=@service@-admin.socket
|
||||
After=@service@.socket
|
||||
Conflicts=libvirtd.service
|
||||
After=libvirtd.service
|
||||
|
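Review bot: The two `Wants=@service@-ro.socket` and `Wants=@service@-admin.socket` lines drop an implicit check that `Requires=` provided: if a daemon generated from this template has no matching -ro or -admin socket unit, Requires= makes the service fail to start, while Wants= silently ignores the missing unit. Since the socket names are produced by `@service@` substitution, consider a build-time or test check that every expanded unit name in these lines corresponds to an installed socket unit, so a naming mismatch does not go unnoticed.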