systemd/units/systemd-udevd.service.in

#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Rule-based Manager for Device Events and Files
Documentation=man:systemd-udevd.service(8) man:udev(7)
DefaultDependencies=no
After=systemd-sysusers.service systemd-hwdb-update.service
Before=sysinit.target
Wants=systemd-udev-load-credentials.service
ConditionPathIsReadWrite=/sys

[Service]
CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM
Delegate=pids
DelegateSubgroup=udev
Type=notify-reload
# Note that udev will reset the value internally for its workers
OOMScoreAdjust=-1000
Sockets=systemd-udevd-control.socket systemd-udevd-kernel.socket
Restart=always
RestartSec=0
ExecStart={{LIBEXECDIR}}/systemd-udevd
KillMode=mixed
TasksMax=infinity
PrivateMounts=yes
ProtectHostname=yes
MemoryDenyWriteExecute=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service @module @raw-io bpf
SystemCallFilter=~@clock
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
IPAddressDeny=any
{{SERVICE_WATCHDOG}}
license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
Add SPDX license headers to unit files 2017-11-18 17:35:03 +01:00			`#`
units: introduce new Documentation= field and make use of it everywhere This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them. 2012-05-21 15:12:18 +02:00			`# This file is part of systemd.`
			`#`
			`# systemd is free software; you can redistribute it and/or modify it`
			`# under the terms of the GNU Lesser General Public License as published by`
			`# the Free Software Foundation; either version 2.1 of the License, or`
			`# (at your option) any later version.`

add systemd service files 2010-06-25 01:31:57 +02:00			`[Unit]`
units: uppercase the description https://github.com/systemd/systemd/pull/15982#pullrequestreview-422536495 2020-06-02 14:14:20 +02:00			`Description=Rule-based Manager for Device Events and Files`
man: properly document .socket units in man page 2012-06-27 01:06:35 +02:00			`Documentation=man:systemd-udevd.service(8) man:udev(7)`
units: order all udev services before sysinit.target, too Not that it would matter much, but let's make things a bit more systematic: early boot services shall order themselves before sysinit.target, and nothing else. 2013-03-25 21:22:52 +01:00			`DefaultDependencies=no`
units: order service(s) before udevd, not udev-trigger (coldplug) Since hotplugs happen as soon as udevd is started, there is not much sense in giving udev-trigger an After= dependency on any service. The device could be hotplugged before coldplug starts. This is intended to avoid the race window where we create the hwdb with the wrong selinux context (then fix it up afterwards). https://github.com/systemd/systemd/issues/3458#issuecomment-322444107 2017-08-15 14:22:44 +01:00			`After=systemd-sysusers.service systemd-hwdb-update.service`
static-nodes: move creation of static nodes from udevd to tmpfiles As of kmod v14, it is possible to export the static node information from /lib/modules/`uname -r`/modules.devname in tmpfiles.d(5) format. Use this functionality to let systemd-tmpfilesd create the static device nodes at boot, and drop the functionality from systemd-udevd. As an effect of this we can move from systemd-udevd to systemd-tmpfiles-setup-dev: * the conditional CAP_MKNOD (replaced by checking if /sys is mounted rw) * ordering before local-fs-pre.target (see 89d09e1b5c65a2d97840f682e0932c8bb499f166) 2013-06-14 22:56:39 +02:00			`Before=sysinit.target`
units: introduce systemd-udev-load-credentials.service 2024-04-05 04:04:31 +09:00			`Wants=systemd-udev-load-credentials.service`
static-nodes: move creation of static nodes from udevd to tmpfiles As of kmod v14, it is possible to export the static node information from /lib/modules/`uname -r`/modules.devname in tmpfiles.d(5) format. Use this functionality to let systemd-tmpfilesd create the static device nodes at boot, and drop the functionality from systemd-udevd. As an effect of this we can move from systemd-udevd to systemd-tmpfiles-setup-dev: * the conditional CAP_MKNOD (replaced by checking if /sys is mounted rw) * ordering before local-fs-pre.target (see 89d09e1b5c65a2d97840f682e0932c8bb499f166) 2013-06-14 22:56:39 +02:00			`ConditionPathIsReadWrite=/sys`
add systemd service files 2010-06-25 01:31:57 +02:00
			`[Service]`
units: udev: partially emulate ProtectClock= Drop CAP_SYS_TIME and CAP_WAKE_ALARM capabilities and block clock-related system calls. Update TODO. 2022-09-25 20:47:53 +03:00			`CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM`
udev: run the main process, workers, and spawned commands in /udev subcgroup And enable cgroup delegation for udevd. Then, processes invoked through ExecReload= are assigned .control subcgroup, and they are not killed by cg_kill(). Fixes #16867 and #22686. 2022-03-16 20:46:49 +09:00			`Delegate=pids`
udev: port to DelegateSubgroup= 2023-04-21 21:06:22 +02:00			`DelegateSubgroup=udev`
udevd: implement the full Type=notify-reload protocol We are basically already there, just need to add MONOTONIC_USEC= to the RELOADING=1 message, and make sure the message is generated in really all cases. 2023-01-02 17:21:16 +01:00			`Type=notify-reload`
unit: update comment about OOM score Follow-up for 6b2229c6c60d0486f5eb9ed3088f9c780d7c0233. 2020-11-20 17:16:44 +09:00			`# Note that udev will reset the value internally for its workers`
systemd: add OOMScoreAdjust=-1000 2011-04-14 14:44:21 +02:00			`OOMScoreAdjust=-1000`
units: Rename systemd-udev.service to systemd-udevd.service This naming convention is more inline with other systemd daemon unit names (systemd-logind.service, systemd-localed.service etc) The companion .socket units have also been renamed, however the -trigger and -settle units keep their current name as these are not directly related to daemon process itself. 2012-07-02 21:35:14 +02:00			`Sockets=systemd-udevd-control.socket systemd-udevd-kernel.socket`
units: automatically respawn the core services 2012-06-28 12:13:52 +02:00			`Restart=always`
units: don't enforce a holdoff time for journald, logind, udevd These services should be restarted as quickly as possible if they fail, and the extra safety net of the holdoff time is not necessary. 2012-07-18 02:31:52 +02:00			`RestartSec=0`
Drop split-usr and unmerged-usr support As previously announced, execute order 66: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html The meson options split-usr, rootlibdir and rootprefix become no-ops that print a warning if they are set to anything other than the default values. We can remove them in a future release. 2023-06-12 02:15:19 +01:00			`ExecStart={{LIBEXECDIR}}/systemd-udevd`
units: set KillMode=mixed for our daemons that fork worker processes The daemons should really have the time to kill the workers first, before systemd does it, hence use KillMode=mixed for these daemons. https://bugs.freedesktop.org/show_bug.cgi?id=90051 2015-04-24 16:12:28 +02:00			`KillMode=mixed`
udev: bump TasksMax to inifinity (#3593) udevd already limits its number of workers/children: the max number is actually twice the number of CPUs the system is using. (The limit can also be raised with udev.children-max= kernel command line option BTW). On some servers, this limit can easily exceed the maximum number of tasks that systemd put on all services, which is 512 by default. Since udevd has already its limitation logic, simply disable the static limitation done by TasksMax. 2016-06-23 22:31:01 +02:00			`TasksMax=infinity`
units: switch udev service to use PrivateMounts=yes Given that PrivateMounts=yes is the "successor" to MountFlags=slave in unit files, let's make use of it for udevd. 2018-06-01 11:24:40 +02:00			`PrivateMounts=yes`
units: enable ProtectHostname=yes 2019-02-19 00:30:12 +02:00			`ProtectHostname=yes`
units: further lock down our long-running services Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS. 2016-08-26 13:23:27 +02:00			`MemoryDenyWriteExecute=yes`
units: systemd-udevd: add AF_INET and AF_INET6 to RestrictAddressFamilies= (#4296) The udev builtin command `net_setup_link` requires AF_INET and AF_INET6. Fixes #4293. 2016-10-06 22:40:53 +09:00			`RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6`
units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-03-20 19:52:20 +01:00			`RestrictRealtime=yes`
			`RestrictSUIDSGID=yes`
units/systemd-udevd: allow bpf() syscall Programs run by udev triggers may need to execute the bpf() syscall. Even more so, since on a cgroup v2 system, the only way to set up device access filtering is to install a BPF program on the cgroup in question and one way of passing data to such program is through BPF maps, which can only be access using the bpf() syscall. One such use case was identified in RHBZ#2025264 related to snap-device-helper, and led to RHBZ#2027627 being filed. Unfortunately there is no finer grained control over what gets passed in the syscall, so just enable bpf() and leave fine grained mediation to other security layers (eg. SELinux). Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2027627 Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com> 2021-11-30 11:07:30 +01:00			`SystemCallFilter=@system-service @module @raw-io bpf`
units: udev: partially emulate ProtectClock= Drop CAP_SYS_TIME and CAP_WAKE_ALARM capabilities and block clock-related system calls. Update TODO. 2022-09-25 20:47:53 +03:00			`SystemCallFilter=~@clock`
units: switch from system call blacklist to whitelist This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this this means the new @system-service system call filter group will get serious real-life testing quickly. This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise. Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this shiuld be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything. 2018-04-19 11:04:17 +02:00			`SystemCallErrorNumber=EPERM`
units: set SystemCallArchitectures=native on all our long-running services 2017-02-08 22:32:37 +01:00			`SystemCallArchitectures=native`
units: set LockPersonality= for all our long-running services (#6819) Let's lock things down. Also, using it is the only way how to properly test this to the fullest extent. 2017-09-14 19:45:40 +02:00			`LockPersonality=yes`
units: prohibit all IP traffic on all our long-running services (#6921) Let's lock things down further. 2017-10-04 14:16:28 +02:00			`IPAddressDeny=any`
meson: use jinja2 for unit templates We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit. 2021-05-16 11:55:36 +02:00			`{{SERVICE_WATCHDOG}}`