What is the purpose of this change? What does it change?
Improve security of rest-server.service by restricting network access.
This patch improves the overall security assessment score given by systemd-analyze security rest-server.service from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253)
Remove AF_INET AF_INET6 from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page.
Add PrivateNetwork=yes as recommended for socket-activated services in the systemd.socket man page.
Add dependency on rest-server.socket
Was the change discussed in an issue or in the forum before?
What is the purpose of this change? What does it change?
Improve security of rest-server.service by restricting network access.
This patch improves the overall security assessment score given by
systemd-analyze security rest-server.servicefrom "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253)Remove
AF_INET AF_INET6from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page.Add
PrivateNetwork=yesas recommended for socket-activated services in the systemd.socket man page.Add dependency on rest-server.socket
Was the change discussed in an issue or in the forum before?
Yes, in the forum:
https://forum.restic.net/t/using-none-instead-of-af-inet-af-inet6-for-restrictaddressfamilies-in-systemd-unit-rest-server-service/6448
Checklist
changelog/unreleased/that describes the changes for our users (template here)gofmton the code in all commits