FS#70127 - [i2pd] Add AF_NETLINK address family permission to service
Attached to Project:
Community Packages
Opened by R4SAS (r4sas) - Monday, 22 March 2021, 14:45 GMT
Last edited by Daniel Bermond (Bermond) - Sunday, 28 March 2021, 12:49 GMT
Details
Description:
Since 2.36.0, i2pd supports using the Yggdrasil network as a transport layer. Yggdrasil creates a tun interface which is in the AF_NETLINK address family, and the current service hardening restricts access to such interfaces.

Additional info:
* version: 2.36.0

Steps to reproduce:
1. Install Yggdrasil network daemon
2. Set "meshnets.yggdrasil = true"
3. See message in log: "getifaddrs: Address family not supported by protocol"

Solution:
https://github.com/archlinux/svntogit-community/blob/c886ac95af96f37e71f6d126c3d3c851d90e2a53/trunk/040-i2pd-systemd-service-hardening.patch#L18

Add permission to use the AF_NETLINK address family to RestrictAddressFamilies:

```diff
+MemoryDenyWriteExecute=true
+LockPersonality=true
+SystemCallFilter=@system-service
-+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
++RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectHostname=true
+ProtectHostname=true
+ProtectClock=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelLogs=true
```
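Review bot: the reason given for the change (the Yggdrasil tun interface "is in the AF_NETLINK address family") does not match the quoted log line; "getifaddrs: Address family not supported by protocol" is getifaddrs(3) itself failing, because on Linux it enumerates interfaces over a netlink socket and RestrictAddressFamilies= makes that socket() call return EAFNOSUPPORT. Please state that cause in the patch description so the next person touching the hardening knows why AF_NETLINK is needed. Since RestrictAddressFamilies= can only admit the whole AF_NETLINK family (every netlink protocol, not just route enumeration), the other directives the hunk keeps (SystemCallFilter=@system-service, ProtectKernelLogs=true and the rest) should stay in place to limit what that socket can be used for. Minor: the pasted hunk shows each context line twice (two "+ProtectHostname=true", two "+ProtectClock=true", two "+ProtectKernelLogs=true"), which looks like a split-view copy artifact rather than the actual patch content.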
This task depends upon
Closed by Daniel Bermond (Bermond)
Sunday, 28 March 2021, 12:49 GMT
Reason for closing: Fixed
Additional comments about closing: i2pd 2.37.0-2
I've applied the change to 2.37.0-2 and pushed it to the [community-testing] repository. Can you please confirm if it's working fine?
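A small probe, added here as an example rather than code from the i2pd package or this report, that reproduces the failure mode from the description: it creates a socket in a given address family and calls getifaddrs(3), reporting the errno so a unit author can see whether a RestrictAddressFamilies= line blocks the netlink socket getifaddrs needs. The `probe_af`, `probe_getifaddrs` and `classify` names are my own; run the binary once under the old and once under the new restriction to confirm the fix.

```c
#include <errno.h>
#include <ifaddrs.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create one socket of the given family/type/protocol.
 * Returns 0 on success, otherwise the errno socket() reported. */
int probe_af(int family, int type, int protocol) {
    int fd = socket(family, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* glibc's getifaddrs() enumerates interfaces over an AF_NETLINK
 * (NETLINK_ROUTE) socket, so a unit whose RestrictAddressFamilies=
 * omits AF_NETLINK sees it fail with EAFNOSUPPORT. Returns 0 or errno. */
int probe_getifaddrs(void) {
    struct ifaddrs *ifa = NULL;
    if (getifaddrs(&ifa) < 0)
        return errno;
    freeifaddrs(ifa);
    return 0;
}

/* Map a probe result to the cause a unit author cares about.
 * systemd documents EAFNOSUPPORT as the error for a denied family. */
const char *classify(int err) {
    if (err == 0)
        return "allowed";
    if (err == EAFNOSUPPORT)
        return "blocked by RestrictAddressFamilies=";
    return "failed for another reason";
}

/* Intended use (hypothetical unit names, same directive as the report):
 *   systemd-run --pipe --wait -p RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6" ./probe
 *   systemd-run --pipe --wait -p RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6 AF_NETLINK" ./probe */
int main(void) {
    int r = probe_af(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    printf("socket(AF_NETLINK, NETLINK_ROUTE): %s (%s)\n", classify(r), r ? strerror(r) : "ok");
    r = probe_getifaddrs();
    printf("getifaddrs(): %s (%s)\n", classify(r), r ? strerror(r) : "ok");
    return 0;
}
```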