Skip to content

nspawn: Block AF_VSOCK with seccomp #40181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DaanDeMeyer wants to merge 1 commit into
base: main
Choose a base branch
from
Open

nspawn: Block AF_VSOCK with seccomp #40181

DaanDeMeyer wants to merge 1 commit into from

Conversation

@DaanDeMeyer
Copy link
Collaborator

@DaanDeMeyer DaanDeMeyer commented Dec 22, 2025

AF_VSOCK is not namespaced, so let's be prudent
and block access to it in nspawn until the kernel
adds namespacing for AF_VSOCK sockets.

@DaanDeMeyer
nspawn: Block AF_VSOCK with seccomp
f3efa6f 
AF_VSOCK is not namespaced, so let's be prudent
and block access to it in nspawn until the kernel
adds namespacing for AF_VSOCK sockets.
@github-actions github-actions bot added nspawn please-review PR is ready for (re-)review by a maintainer labels Dec 22, 2025
@bluca
Copy link
Member

bluca commented Dec 22, 2025
edited
Loading

Could you add an option to opt-in (to re-enable it) please? Not being able to run VMs from inside nspawn would be a pain

@poettering
Copy link
Member

poettering commented Dec 22, 2025

hmm, I think this should become opt-out eventually. Hence, maybe turn this off by default, making it opt-in, but please set everything up so that we make it opt-out with systemd 262 or so? i.e. add a NEWS entry, and unless explicity turned off maybe write a brief log message that tells people that the default is going to change in v262

@poettering
Copy link
Member

poettering commented Dec 22, 2025

and please reverse this, i.e. allow AF_INET, AF_INET6, AF_UNIX, disallow everything else.

@poettering poettering added reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks and removed please-review PR is ready for (re-)review by a maintainer labels Dec 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

nspawn reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@DaanDeMeyer @bluca @poettering