Merge pull request #4185 from endocode/djalal-sandbox-first-protection-v1

core:sandbox: Add new ProtectKernelTunables=, ProtectControlGroups=, ProtectSystem=strict and fixes

1 files changed, 14 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 178ccf9b04..5f3f76df4f 100644
--- a/NEWS
+++ b/NEWS
@@ -137,6 +137,20 @@ CHANGES WITH 232 in spe
           $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
           individual namespaces.
 
+        * systemd-udevd.service is now run in a Seccomp-based sandbox that
+          prohibits access to AF_INET and AF_INET6 sockets and thus access to
+          the network. This might break code that runs from udev rules that
+          tries to talk to the network. Doing that is generally a bad idea and
+          unsafe due to a variety of reasons. It's also racy as device
+          management would race against network configuration. It is
+          recommended to rework such rules to use the SYSTEMD_WANTS property on
+          the relevant devices to pull in a proper systemd service (which can
+          be sandboxed differently and ordered correctly after the network
+          having come up). If that's not possible consider reverting this
+          sandboxing feature locally by removing the RestrictAddressFamilies=
+          setting from the systemd-udevd.service unit file, or adding AF_INET
+          and AF_INET6 to it.
+
 CHANGES WITH 231:
 
         * In service units the various ExecXYZ= settings have been extended