units: enable MaxConnectionsPerSocket= for all our Accept=yes units

Let's make sure that user's cannot DoS services for other users so easily, and enable MaxConnectionsPerSocket= by default for all of them. Note that this is mostly paranoia for systemd-pcrextend.socket and systemd-sysext.socket: the socket is only accessible to root anyway, hence the accounting shouldn#t change anything. But this is just a safety net, in preparation that we open up some functionality of these services sooner or later.
2026-03-06 15:02:31 -08:00 · 2024-02-07 13:19:54 +01:00
parent 48930a5ded
commit 5d1e8cd3e0
4 changed files with 4 additions and 0 deletions
--- a/units/systemd-coredump.socket
+++ b/units/systemd-coredump.socket
@@ -19,3 +19,4 @@ ListenSequentialPacket=/run/systemd/coredump
 SocketMode=0600
 Accept=yes
 MaxConnections=16
+MaxConnectionsPerSource=8
--- a/units/systemd-creds.socket
+++ b/units/systemd-creds.socket
@@ -18,3 +18,4 @@ ListenStream=/run/systemd/io.systemd.Credentials
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
+MaxConnectionsPerSource=16
--- a/units/systemd-pcrextend.socket
+++ b/units/systemd-pcrextend.socket
@@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.PCRExtend
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
+MaxConnectionsPerSource=16

 [Install]
 WantedBy=sockets.target
--- a/units/systemd-sysext.socket
+++ b/units/systemd-sysext.socket
@@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.sysext
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
+MaxConnectionsPerSource=16

 [Install]
 WantedBy=sockets.target