shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-02 19:21:53 +03:00
Code
e3afaf6b8e
systemd/units/systemd-bus-proxyd@.service.in

23 lines
988 B
SYSTEMD
Raw Normal View History

bus: install systemd-bus-proxyd unit files for compatibility with dbus1
2013-12-13 23:29:35 +04:00
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
bus: fix typo in systemd-bus-proxyd
2013-12-17 02:25:32 +04:00
[Unit]
bus: install systemd-bus-proxyd unit files for compatibility with dbus1
2013-12-13 23:29:35 +04:00
Description=Legacy D-Bus Protocol Compatibility Daemon
[Service]
bus: send status message from proxyd to systemd about client we are working for
2013-12-21 07:19:51 +04:00
# The first argument will be replaced by the service by information on
# the process requesting the proxy, we need a placeholder to keep the
# space available for this.
sd-bus: sync with kdbus upstream (ABI break) kdbus has seen a larger update than expected lately, most notably with kdbusfs, a file system to expose the kdbus control files: * Each time a file system of this type is mounted, a new kdbus domain is created. * The layout inside each mount point is the same as before, except that domains are not hierarchically nested anymore. * Domains are therefore also unnamed now. * Unmounting a kdbusfs will automatically also detroy the associated domain. * Hence, the action of creating a kdbus domain is now as privileged as mounting a filesystem. * This way, we can get around creating dev nodes for everything, which is last but not least something that is not limited by 20-bit minor numbers. The kdbus specific bits in nspawn have all been dropped now, as nspawn can rely on the container OS to set up its own kdbus domain, simply by mounting a new instance. A new set of mounts has been added to mount things *after* the kernel modules have been loaded. For now, only kdbus is in this set, which is invoked with mount_setup_late().
2014-11-13 22:33:03 +03:00
ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus --configuration=/etc/dbus-1/system.conf --configuration=/etc/dbus-1/system-local.conf --configuration=/etc/dbus-1/system.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
bus: send status message from proxyd to systemd about client we are working for
2013-12-21 07:19:51 +04:00
NotifyAccess=main
bus-proxy: drop priviliges if we can Either become uid/gid of the client we have been forked for, or become the "systemd-bus-proxy" user if the client was root. We retain CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.
2014-06-04 11:55:40 +04:00
CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
units: make use of PrivateTmp=yes and PrivateDevices=yes for all our long-running daemons
2014-03-19 19:45:28 +04:00
PrivateTmp=yes
PrivateDevices=yes
core: enable PrivateNetwork= for a number of our long running services where this is useful
2014-03-20 02:08:39 +04:00
PrivateNetwork=yes
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-04 20:07:55 +04:00
ProtectSystem=full
ProtectHome=yes
Copy Permalink