units: enable MaxConnectionsPerSocket= for all our Accept=yes units

Let's make sure that user's cannot DoS services for other users so
easily, and enable MaxConnectionsPerSocket= by default for all of them.

Note that this is mostly paranoia for systemd-pcrextend.socket and
systemd-sysext.socket: the socket is only accessible to root anyway,
hence the accounting shouldn#t change anything. But this is just a
safety net, in preparation that we open up some functionality of these
services sooner or later.

4 files changed, 4 insertions, 0 deletions

diff --git a/units/systemd-coredump.socket b/units/systemd-coredump.socket
index a2d457fc02..c78eacd823 100644
--- a/units/systemd-coredump.socket
+++ b/units/systemd-coredump.socket
@@ -19,3 +19,4 @@ ListenSequentialPacket=/run/systemd/coredump
 SocketMode=0600
 Accept=yes
 MaxConnections=16
+MaxConnectionsPerSource=8
diff --git a/units/systemd-creds.socket b/units/systemd-creds.socket
index 65b76bd027..0f89b39c3e 100644
--- a/units/systemd-creds.socket
+++ b/units/systemd-creds.socket
@@ -18,3 +18,4 @@ ListenStream=/run/systemd/io.systemd.Credentials
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
+MaxConnectionsPerSource=16
diff --git a/units/systemd-pcrextend.socket b/units/systemd-pcrextend.socket
index 7d156c1448..41db50acd8 100644
--- a/units/systemd-pcrextend.socket
+++ b/units/systemd-pcrextend.socket
@@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.PCRExtend
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
+MaxConnectionsPerSource=16
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-sysext.socket b/units/systemd-sysext.socket
index ad870c5bfb..1a616ca69c 100644
--- a/units/systemd-sysext.socket
+++ b/units/systemd-sysext.socket
@@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.sysext
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
+MaxConnectionsPerSource=16
 
 [Install]
 WantedBy=sockets.target