units: systemd-udevd: add AF_INET and AF_INET6 to RestrictAddressFamilies= (#4296)

The udev builtin command `net_setup_link` requires AF_INET and AF_INET6.

Fixes #4293.

NEWS

@@ -21,20 +21,6 @@ CHANGES WITH 232 in spe
           ProtectKernelTunables=yes, ProtectControlGroups=yes,
           RestrictAddressFamilies=.
 
-          In particular, systemd-udevd.service is now run in a Seccomp-based
-          sandbox that prohibits access to AF_INET and AF_INET6 sockets and
-          thus access to the network. This might break code that runs from udev
-          rules that tries to talk to the network. Doing that is generally a
-          bad idea and unsafe due to a variety of reasons. It's also racy as
-          device management would race against network configuration. It is
-          recommended to rework such rules to use the SYSTEMD_WANTS property on
-          the relevant devices to pull in a proper systemd service (which can
-          be sandboxed differently and ordered correctly after the network
-          having come up). If that's not possible consider reverting this
-          sandboxing feature locally by removing the RestrictAddressFamilies=
-          setting from the systemd-udevd.service unit file, or adding AF_INET
-          and AF_INET6 to it.
-
         * Support for dynamically creating users for the lifetime of a service
           has been added. If DynamicUser=yes is specified, user and group IDs
           will be allocated from the range 61184..65519 for the lifetime of the

units/systemd-udevd.service.in

@@ -27,4 +27,4 @@ TasksMax=infinity
 MountFlags=slave
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
-RestrictAddressFamilies=AF_UNIX AF_NETLINK
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6