So, the main option now is to write a script that looks for any service 
without a RestrictAddressFamilies and makes a drop-in to restrict it, and run the 
script whenever a new service is added?

Was hoping to avoid that as it's complex / potentially error prone. But if that's 
what it takes, that's what it takes.

Thanks!

Kevin

________________________________
From: Michal Koutný
Sent: Wednesday, January 29, 2025 9:12 AM
To: Fox, Kevin M
Cc: systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] By default, restrict vsock

On Fri, Jan 24, 2025 at 05:20:50PM +0000, "Fox, Kevin M" <kevin....@pnnl.gov> 
wrote:
> So, I think there still is a problem here.
>
> Any ideas?

Hm, the latter is clearly generally unadvisable, so stick with the first
approach and allow the AF_VSOCK in a higher drop-in, in your case

/usr/lib/systemd/system/particular.service.d/20-vsock-enable.conf

(Admittedly, the service config would be broken down to multiple files
this way.)

HTH,
Michal
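
The script described at the top of this thread, sketched as an added example that is not part of the thread or of systemd: it scans a directory of unit files and writes a drop-in for every service that sets no RestrictAddressFamilies= in its unit file or drop-ins. The function names, the directory arguments, the drop-in name 10-restrict-vsock.conf and the choice of the `~AF_VSOCK` deny-list form are assumptions.

```shell
#!/bin/sh
# Added example: audit service units for a missing RestrictAddressFamilies=
# and write a deny-list drop-in for AF_VSOCK. Directories are passed in as
# arguments, so it can be tried on a scratch copy before touching /etc.

# has_raf UNIT_FILE EXTRA_DROPIN_DIR
# Succeeds if the unit file, its own UNIT.d/*.conf drop-ins, or the drop-ins
# in EXTRA_DROPIN_DIR already assign RestrictAddressFamilies=.
has_raf() {
    u=$1
    x=$2
    for f in "$u" "$u".d/*.conf "$x"/*.conf; do
        [ -f "$f" ] || continue   # unmatched globs stay literal; skip them
        grep -Eq '^[[:space:]]*RestrictAddressFamilies[[:space:]]*=' "$f" \
            && return 0
    done
    return 1
}

# restrict_vsock UNIT_DIR DROPIN_ROOT
# For each *.service in UNIT_DIR with no RestrictAddressFamilies= anywhere,
# write DROPIN_ROOT/NAME.d/10-restrict-vsock.conf (hypothetical file name,
# chosen to sort before a 20-vsock-enable.conf) and print the unit name.
restrict_vsock() {
    unit_dir=$1
    dropin_root=$2
    for unit in "$unit_dir"/*.service; do
        [ -f "$unit" ] || continue
        name=$(basename "$unit")
        d="$dropin_root/$name.d"
        # Units that already manage the setting are left alone. This also
        # makes a second run a no-op, because our own drop-in is detected.
        has_raf "$unit" "$d" && continue
        mkdir -p "$d"
        printf '[Service]\nRestrictAddressFamilies=~AF_VSOCK\n' \
            > "$d/10-restrict-vsock.conf"
        printf '%s\n' "$name"
    done
    return 0
}

# Example invocation (commented out so sourcing this file changes nothing):
# restrict_vsock /usr/lib/systemd/system /etc/systemd/system
```

New drop-ins take effect only after `systemctl daemon-reload` and a restart of the affected services. The text scan does not see template instances, aliases or generated units, so `systemctl show -p RestrictAddressFamilies <unit>` remains the check of the effective value.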
