Lennart Poettering on Nostr: …typically IMDS information is somewhat security sensitive, since it (sometimes at ...
…typically IMDS information is somewhat security sensitive, since it (sometimes at least) carries cryptographic material and other sensitive and identifying information that should not be accessible to unprivileged payload code, but traditionally is. To remedy this, the new logic in systemd supports locking down direct access to IMDS. For that we can install a "prohibit" route into the IP stack, which ensures all regular programs trying to access IMDS will get EPERM from the socket layer. In…
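A defender-side way to check whether the lockdown the post describes is actually in place on a host: parse the kernel's routing table and see which route the IMDS address would hit. This is an added example, not code from the post or from systemd. It assumes the iproute2 `ip -j route show` JSON format (a `type` key on non-unicast routes) and the conventional link-local IMDS address 169.254.169.254, which the post does not name; the sample route tables are constructed.

```python
"""Audit helper: does the host's routing table refuse direct IMDS access?

Added example, not code from the post or from systemd. Assumes the
`ip -j route show` JSON format and the link-local IMDS address
169.254.169.254 (well known on the major clouds; not stated in the post).
"""
import ipaddress
import json
import shutil
import subprocess

# Assumption: the link-local address the major cloud providers use for IMDS.
IMDS_ADDR = "169.254.169.254"

# Route types that make the socket layer refuse the connection. "prohibit" is
# the one the post describes (iproute2: `ip route add prohibit 169.254.169.254`);
# "unreachable" and "blackhole" also deny, so they count as locked down here.
DENYING_TYPES = {"prohibit", "unreachable", "blackhole"}

# Constructed sample tables in `ip -j route show` shape.
SAMPLE_LOCKED = [
    {"dst": "default", "gateway": "10.0.0.1", "dev": "eth0", "protocol": "dhcp", "flags": []},
    {"dst": "10.0.0.0/24", "dev": "eth0", "protocol": "kernel", "scope": "link", "flags": []},
    {"type": "prohibit", "dst": "169.254.169.254", "flags": []},
]
SAMPLE_OPEN = [
    {"dst": "default", "gateway": "10.0.0.1", "dev": "eth0", "protocol": "dhcp", "flags": []},
    {"dst": "10.0.0.0/24", "dev": "eth0", "protocol": "kernel", "scope": "link", "flags": []},
]


def _network(dst):
    """Turn an iproute2 dst string into an ip_network, or None if not IPv4/IPv6."""
    if dst == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(dst, strict=False)  # bare host -> /32
    except ValueError:
        return None


def imds_lockdown_status(routes, addr=IMDS_ADDR):
    """Longest-prefix-match addr against routes; classify the winning route.

    routes: list of dicts as produced by `ip -j route show` (one table).
    Returns "locked-down", "reachable" or "no-route".
    """
    target = ipaddress.ip_address(addr)
    best = None  # (prefixlen, route) of the most specific covering route
    for r in routes:
        net = _network(r.get("dst", ""))
        if net is None or net.version != target.version or target not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, r)
    if best is None:
        return "no-route"
    # Unicast routes carry no "type" key in the JSON output.
    rtype = best[1].get("type", "unicast")
    return "locked-down" if rtype in DENYING_TYPES else "reachable"


def live_status():
    """Check the running kernel's main table (Linux with iproute2 only)."""
    if shutil.which("ip") is None:
        return None
    out = subprocess.run(["ip", "-j", "route", "show"],
                         capture_output=True, text=True, check=True).stdout
    return imds_lockdown_status(json.loads(out))


if __name__ == "__main__":
    print("constructed locked table:", imds_lockdown_status(SAMPLE_LOCKED))
    print("constructed open table:  ", imds_lockdown_status(SAMPLE_OPEN))
    print("this host:               ", live_status())
```

Run it on a VM after enabling the systemd lockdown: a `prohibit` host route for the IMDS address should win the longest-prefix match and the script reports "locked-down"; if only the default route covers the address, regular processes can still reach IMDS and the script reports "reachable".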