From: Andrea Bolognani
To: libvir-list@redhat.com
Subject: [libvirt PATCH v2 26/33] systemd: Downgrade read-only/admin sockets to Wants
Date: Wed, 27 Sep 2023 18:19:27 +0200
Message-ID: <20230927161934.181728-27-abologna@redhat.com>
In-Reply-To: <20230927161934.181728-1-abologna@redhat.com>

Only the main socket is actually necessary for the service to be usable.

In the past, we've had security issues that could be exploited via access to the read-only socket, so a security-minded administrator might consider disabling all optional sockets. This change makes such a setup possible.

Note that the services will still try to activate all their sockets on startup, even if they have been disabled. To make sure that the optional sockets are never started, they will have to be masked.

Signed-off-by: Andrea Bolognani
Reviewed-by: Daniel P. Berrangé

--- src/locking/virtlockd.service.in | 2 +- src/logging/virtlogd.service.in | 2 +- src/virtd.service.in | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.servi= ce.in index 35924a2ad7..fcf479c3c6 100644 --- a/src/locking/virtlockd.service.in +++ b/src/locking/virtlockd.service.in 
@@ -1,7 +1,7 @@ [Unit] Description=3DVirtual machine lock manager BindsTo=3Dvirtlockd.socket -Requires=3Dvirtlockd-admin.socket +Wants=3Dvirtlockd-admin.socket After=3Dvirtlockd.socket Before=3Dlibvirtd.service Documentation=3Dman:virtlockd(8) diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service= .in index 79d34bc73e..3265ecd6af 100644 --- a/src/logging/virtlogd.service.in +++ b/src/logging/virtlogd.service.in @@ -1,7 +1,7 @@ [Unit] Description=3DVirtual machine log manager BindsTo=3Dvirtlogd.socket -Requires=3Dvirtlogd-admin.socket +Wants=3Dvirtlogd-admin.socket After=3Dvirtlogd.socket Before=3Dlibvirtd.service Documentation=3Dman:virtlogd(8) diff --git a/src/virtd.service.in b/src/virtd.service.in index e7f08b4da9..f4f1bc217d 100644 --- a/src/virtd.service.in +++ b/src/virtd.service.in @@ -1,8 +1,8 @@ [Unit] Description=3D@name@ daemon BindsTo=3D@service@.socket -Requires=3D@service@-ro.socket -Requires=3D@service@-admin.socket +Wants=3D@service@-ro.socket +Wants=3D@service@-admin.socket After=3D@service@.socket Conflicts=3Dlibvirtd.service After=3Dlibvirtd.service --=20 2.41.0
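
Review bot: in the virtlockd.service.in hunk (and likewise in virtlogd.service.in), the visible context orders the service only after the main socket, "After=virtlockd.socket", with no matching After= for virtlockd-admin.socket. Neither Requires= nor Wants= implies ordering, and with the weaker Wants= a failed start of the admin socket no longer has any chance of being noticed through the service. If the rest of the unit file or another patch in the series does not already cover it, consider adding After=virtlockd-admin.socket (and After=virtlogd-admin.socket) so that an enabled admin socket is set up before the daemon starts.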
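
Review bot: in the virtd.service.in hunk, the requirement to mask the optional sockets is stated only in the commit message, where an administrator hardening a host will not see it. Because "Wants=@service@-ro.socket" and "Wants=@service@-admin.socket" still pull the sockets in whenever the service starts, disabling them is not enough to keep the read-only socket closed. Please add a short comment next to the two Wants= lines, or a note in the daemon documentation, saying that the sockets must be masked to guarantee they are never started.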