[libvirt PATCH v2 26/33] systemd: Downgrade read-only/admin sockets to Wants
Only the main socket is actually necessary for the service to be
usable.
In the past, we've had security issues that could be exploited via
access to the read-only socket, so a security-minded administrator
might consider disabling all optional sockets. This change makes
such a setup possible.
Note that the services will still try to activate all their
sockets on startup, even if they have been disabled. To make sure
that the optional sockets are never started, they will have to be
masked.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
src/locking/virtlockd.service.in | 2 +-
src/logging/virtlogd.service.in | 2 +-
src/virtd.service.in | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in
index 35924a2ad7..fcf479c3c6 100644
--- a/src/locking/virtlockd.service.in
+++ b/src/locking/virtlockd.service.in
@@ -1,7 +1,7 @@
[Unit]
Description=Virtual machine lock manager
BindsTo=virtlockd.socket
-Requires=virtlockd-admin.socket
+Wants=virtlockd-admin.socket
After=virtlockd.socket
Before=libvirtd.service
Documentation=man:virtlockd(8)
diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
index 79d34bc73e..3265ecd6af 100644
--- a/src/logging/virtlogd.service.in
+++ b/src/logging/virtlogd.service.in
@@ -1,7 +1,7 @@
[Unit]
Description=Virtual machine log manager
BindsTo=virtlogd.socket
-Requires=virtlogd-admin.socket
+Wants=virtlogd-admin.socket
After=virtlogd.socket
Before=libvirtd.service
Documentation=man:virtlogd(8)
diff --git a/src/virtd.service.in b/src/virtd.service.in
index e7f08b4da9..f4f1bc217d 100644
--- a/src/virtd.service.in
+++ b/src/virtd.service.in
@@ -1,8 +1,8 @@
[Unit]
Description=@name@ daemon
BindsTo=@service@.socket
-Requires=@service(a)-ro.socket
-Requires=@service(a)-admin.socket
+Wants=@service(a)-ro.socket
+Wants=@service(a)-admin.socket
After=@service@.socket
Conflicts=libvirtd.service
After=libvirtd.service
--
2.41.0