Bug 1223071

Summary: earlyoom 1.8-1.1 systemd service hardening incorrect value for IPAddressDeny
Product: [openSUSE] openSUSE Tumbleweed Reporter: David B <db>
Component: OtherAssignee: David B <db>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: R_Nik_C
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description David B 2024-04-18 11:10:58 UTC 
I've noticed earlyoom 1.8-1.1 received new hardening options in it's systemd service configuration but the IPAddressDeny seems to have an incorrect value.

From the logs:
> bal. 18 10:58:40 systemd[1]: /usr/lib/systemd/system/earlyoom.service:41: Invalid address prefix is specified in [Service] IPAddressDeny=, ignoring assignment: true

Right now it's
IPAddressDeny=true

but it's not a boolean, it should be a list of IPv4 and/or IPv6 addresses (or one of the symbolic names) as according to https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6

I believe it should be
IPAddressDeny=any
since I don't think earlyoom needs any network access.
Comment 1 David B 2024-04-18 15:04:55 UTC 
I've found that the service configuration comes from upstream so I created a pull request there https://github.com/rfjakob/earlyoom/pull/312
Comment 2 Chenzi Cao 2024-04-30 08:28:45 UTC 
Hi David, it seems you already submit fix for this bug report, so I assign it to you, please feel free to reassign whenever necessary, thanks.
Comment 3 David B 2024-05-17 13:31:41 UTC 
Fixed in 1.8.2 - already in Tumbleweed.