
RestrictAddressFamilies (systemd) prevents running host apps #10459

Closed
1 of 2 tasks
nedsociety opened this issue Sep 8, 2023 · 3 comments


nedsociety commented Sep 8, 2023

Windows Version

Microsoft Windows [Version 10.0.22621.2134]

WSL Version

1.3.14.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

5.15.90.3-1

Distro Version

Ubuntu 22.04

Other Software

git (microsoft fork) 2.39.2.vfs.0.0

Repro Steps

  1. Enable systemd
  2. Install git, both in host and in wsl
  3. In ~/.gitconfig (wsl), add these lines to share host's git cred store with WSL:

```ini
[credential]
        helper = "/mnt/c/Program\\ Files/Git/mingw64/bin/git-credential-manager.exe"
```

     (that path depends on the host side installation)

  4. Run `scalar register <some repo>`
  5. Run `systemctl --user start git-maintenance@hourly.service`

Expected Behavior

The hourly maintenance job succeeds.

Actual Behavior

It fails with the following logs (`systemctl --user status git-maintenance@hourly.service`):

systemd[437]: Starting Optimize Git repositories data...
git[691018]: WSL (691018) ERROR: UtilBindVsockAnyPort:285: socket failed 97
git[691015]: fatal: could not read Username for 'https://github.com': No such device or address
git[691012]: error: failed to prefetch remotes
git[691012]: error: task 'prefetch' failed
systemd[437]: git-maintenance@hourly.service: Main process exited, code=exited, status=1/FAILURE
systemd[437]: git-maintenance@hourly.service: Failed with result 'exit-code'.
systemd[437]: Failed to start Optimize Git repositories data.

With further investigation I've located the following lines, which are generated by git-maintenance (~/.config/systemd/user/git-maintenance@.service):

```ini
[Service]
Type=oneshot
ExecStart="/usr/local/lib/git-core/git" --exec-path="/usr/local/lib/git-core" for-each-repo --config=maintenance.repo maintenance run --schedule=%i
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
# <----- this line causes the UtilBindVsockAnyPort error
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
```

and commenting out that specific line works around the problem. I have no idea what address families are required for WSL to interop with the host, but it definitely is blocking the cred store executable from running at all.

I'm not 100% sure whether it's to be solved in git or WSL. It might be easy for git to add some kind of address family that WSL uses to the line in question. But I believe if you're writing such systemd services (just like git authors) you won't be expected to write some WSL-specific construct into that configuration, so I'd argue WSL should transparently support it.

X-posting: microsoft/git#604

Diagnostic Logs

No response

@nedsociety nedsociety changed the title systemd: RestrictAddressFamilies (systemd) prevents running host apps scalar: RestrictAddressFamilies (systemd) prevents running host apps Sep 8, 2023
@nedsociety nedsociety changed the title scalar: RestrictAddressFamilies (systemd) prevents running host apps RestrictAddressFamilies (systemd) prevents running host apps Sep 8, 2023
@nedsociety (Author)

Note: from microsoft/git#604, the address family in question turned out to be AF_VSOCK.
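Taking the AF_VSOCK finding above as given, the following is an added example (not code from the issue, from git, or from WSL) that checks whether a unit file plus its drop-ins would let the service open AF_VSOCK, and writes a drop-in that merges that family into the existing allow-list without touching the other hardening directives. The UNIT_DIR/UNIT.d layout and the drop-in name 10-wsl-vsock.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue, git or WSL): check whether a systemd
# unit, plus any drop-ins passed after it, lets the service open AF_VSOCK
# (the family WSL interop uses to launch Windows binaries), and write a
# drop-in that adds it without loosening the rest of the hardening.
# Assumed file layout: UNIT_DIR/UNIT and UNIT_DIR/UNIT.d/*.conf.
set -eu

# vsock_allowed FILE... -> prints "allowed" or "blocked".
# Models the documented directive semantics: an allow-list by default,
# repeated assignments merge, a "~" prefix makes it a deny-list,
# "none" denies every family, and an empty value resets the filter.
vsock_allowed() {
  cat "$@" | awk '
    /^[[:space:]]*RestrictAddressFamilies[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, "")                 # keep only the value
      if ($0 == "")     { n = 0; deny = 0; seen = 0; next }
      if ($0 == "none") { n = 0; deny = 0; seen = 1; next }
      if (substr($0, 1, 1) == "~") { deny = 1; $0 = substr($0, 2) }
      seen = 1
      for (i = 1; i <= NF; i++) fam[n++] = $i
    }
    END {
      if (!seen) { print "allowed"; exit }          # no filter at all
      hit = 0
      for (i = 0; i < n; i++) if (fam[i] == "AF_VSOCK") hit = 1
      if (deny) print (hit ? "blocked" : "allowed")
      else      print (hit ? "allowed" : "blocked")
    }'
}

# write_vsock_dropin UNIT_DIR UNIT -> creates a drop-in that merges
# AF_VSOCK into the existing allow-list; prints the drop-in path.
write_vsock_dropin() {
  dropin_dir="$1/$2.d"
  mkdir -p "$dropin_dir"
  printf '%s\n' '[Service]' 'RestrictAddressFamilies=AF_VSOCK' \
    > "$dropin_dir/10-wsl-vsock.conf"
  printf '%s\n' "$dropin_dir/10-wsl-vsock.conf"
}

# Usage: script.sh UNIT_DIR UNIT  (e.g. ~/.config/systemd/user git-maintenance@.service)
if [ $# -eq 2 ]; then
  unit="$1/$2"
  echo "before: $(vsock_allowed "$unit")"
  dropin=$(write_vsock_dropin "$1" "$2")
  echo "after:  $(vsock_allowed "$unit" "$dropin")"
fi
```

The same override can be created by hand with `systemctl --user edit git-maintenance@.service`, which opens such a drop-in for the unit; a unit whose directive carries no RestrictAddressFamilies= at all is reported as allowed because no filter is installed.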

OneBlue (Collaborator) commented Sep 8, 2023

Thank you for reporting this @nedsociety. Unfortunately I think this needs to be fixed on the git side (or whoever owns the systemd unit).

The error you're seeing is "by-design" in the sense that systemd explicitly prevents WSL from opening an hvsocket to invoke a Windows binary, so this is not something that WSL can "fix".

Let's continue on this issue

@OneBlue OneBlue closed this as completed Sep 8, 2023
nedsociety (Author) commented Sep 8, 2023

> Unfortunately I think this needs to be fixed on the git side (or whoever owns the systemd unit).

Thanks for clarifying the responsibility here. Still, aside from the actual possibility of implementing a fix, I have a deep doubt whether it's a good design to shift the responsibility to service writers for this. It mandates that they should be aware of WSL internals, yet there's nothing that mentions such caveats (googled "systemd" "restrictaddressfamilies" "wsl" "af_vsock"). I think it would be great to see them integrated seamlessly in the future.
