NEWS: update news about systemd-udevd.service

2016-09-19 21:29:06 +02:00 · 2016-09-19 21:29:06 +02:00 · 1ecdba149b
parent 0c28d51ac8
commit 1ecdba149b
1 changed files with 14 additions and 0 deletions
--- a/14
+++ b/14
@ -137,6 +137,20 @@ CHANGES WITH 232 in spe
          $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
          individual namespaces.

+        * systemd-udevd.service is now run in a Seccomp-based sandbox that
+          prohibits access to AF_INET and AF_INET6 sockets and thus access to
+          the network. This might break code that runs from udev rules that
+          tries to talk to the network. Doing that is generally a bad idea and
+          unsafe due to a variety of reasons. It's also racy as device
+          management would race against network configuration. It is
+          recommended to rework such rules to use the SYSTEMD_WANTS property on
+          the relevant devices to pull in a proper systemd service (which can
+          be sandboxed differently and ordered correctly after the network
+          having come up). If that's not possible consider reverting this
+          sandboxing feature locally by removing the RestrictAddressFamilies=
+          setting from the systemd-udevd.service unit file, or adding AF_INET
+          and AF_INET6 to it.
+
 CHANGES WITH 231:

        * In service units the various ExecXYZ= settings have been extended