1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-05 06:52:22 +03:00
Commit Graph

61 Commits

Author SHA1 Message Date
Topi Miettinen
cabc1c6d7a units: add ProtectClock=yes
Add `ProtectClock=yes` to systemd units. Since it implies certain
`DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so
they are still able to access other devices. Exclude timesyncd and timedated.
2020-04-07 15:37:14 +02:00
Iain Lane
625077264b units: Split modprobing out into a separate service unit
Devices referred to by `DeviceAllow=` sandboxing are resolved into their
corresponding major numbers when the unit is loaded by looking at
`/proc/devices`. If a reference is made to a device which is not yet
available, the `DeviceAllow` is ignored and the unit's processes cannot
access that device.

In both logind and nspawn, we have `DeviceAllow=` lines, and `modprobe`
in `ExecStartPre=` to load some kernel modules. Those kernel modules
cause device nodes to become available when they are loaded: the device
nodes may not exist when the unit itself is loaded. This means that the
unit's processes will not be able to access the device since the
`DeviceAllow=` will have been resolved earlier and denied it.

One way to fix this would be to re-evaluate the available devices and
re-apply the policy to the cgroup, but this cannot work atomically on
cgroupsv1. So we fall back to a second approach: instead of running
`modprobe` via `ExecStartPre`, we move this out to a separate unit and
order it before the units which want the module.

Closes #14322.
Fixes: #13943.
2020-01-07 18:37:30 +01:00
Kevin Kuehler
6168ae5840 units: set ProtectKernelLogs=yes on relevant units
We set ProtectKernelLogs=yes on all long running services except for
udevd, since it accesses /dev/kmsg, and journald, since it calls syslog
and accesses /dev/kmsg.
2019-11-15 00:59:54 -08:00
Zbigniew Jędrzejewski-Szmek
21d0dd5a89 meson: allow WatchdogSec= in services to be configured
As discussed on systemd-devel [1], in Fedora we get lots of abrt reports
about the watchdog firing [2], but 100% of them seem to be caused by resource
starvation in the machine, and never actual deadlocks in the services being
monitored. Killing the services not only does not improve anything, but it
makes the resource starvation worse, because the service needs cycles to restart,
and coredump processing is also fairly expensive. This adds a configuration option
to allow the value to be changed. If the setting is not set, there is no change.

My plan is to set it to some ridiculusly high value, maybe 1h, to catch cases
where a service is actually hanging.

[1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
2019-10-25 17:20:24 +02:00
Yu Watanabe
10b1d42e57 unit: make logind can access ESP
Fixes the following error:
```
logind[601]: Failed to open file system "/dev/block/259:1": Operation not permitted
```
2019-08-03 14:16:29 +02:00
Lennart Poettering
11aa16bb35 units: make sure logind can properly reference drm char class
Similar to the previous fix.
2019-07-23 13:30:56 +02:00
Topi Miettinen
9af2820694 units: deny access to block devices
While the need for access to character devices can be tricky to determine for
the general case, it's obvious that most of our services have no need to access
block devices. For logind and timedated this can be tightened further.
2019-06-20 14:03:57 +02:00
Lennart Poettering
19483c60bb logind: make sure the service gets access to the linger directory
Fixes: #12401
2019-05-24 15:05:27 +02:00
Lennart Poettering
62aa29247c units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-04-02 16:56:48 +02:00
Zbigniew Jędrzejewski-Szmek
11dce8e29b Revert "Revert "units: lock down logind with fs namespacing options""
This reverts commit 28f38a7634.

The revert was done because Ubuntu CI was completely broken with it. Let's see
if it fares better now.
2019-03-19 10:58:49 +01:00
Lennart Poettering
31b221cf5e logind: add support for booting into the boot menu or a specific boot menu entry
This behaves similar to the "boot into firmware" logic, and also allows
either direct EFI operation (which sd-boot supports and others might
support eventually too) or override through env var.
2019-03-05 16:52:46 +01:00
Topi Miettinen
99894b867f units: enable ProtectHostname=yes 2019-02-20 10:50:44 +02:00
Zbigniew Jędrzejewski-Szmek
28f38a7634 Revert "units: lock down logind with fs namespacing options" 2018-11-15 17:48:01 +03:00
Lennart Poettering
45ae3f6117 units: lock down systemd-logind.service with various fs namespacing options
now that logind doesn't mount $XDG_RUNTIME_DIR anymore we can lock down
the service using fs namespacing (as we don't need the mount to
propagate to the host namespace anymore).
2018-11-12 19:14:33 +01:00
Lennart Poettering
1bded6b28f logind: drop CAP_KILL from caps bounding set
logind doesn't kill any processes anymore, hence let's drop the
capability.
2018-11-12 19:05:36 +01:00
Lennart Poettering
3ca9940cb9 units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

An while we are at it: sort the settings in the unit files this touches.
This might increase the size of the change in this case, but hopefully
should result in stabler patches later on.

Fixes: #1219
2018-11-12 19:02:55 +01:00
Zbigniew Jędrzejewski-Szmek
c02b6ee496 meson: define @HIGH_RLIMIT_NOFILE@ and use it everywhere 2018-10-17 14:54:48 +02:00
Lennart Poettering
c35ee02c61 units: bump the RLIMIT_NOFILE soft limit for all services that access the journal
This updates the unit files of all our serviecs that deal with journal
stuff to use a higher RLIMIT_NOFILE soft limit by default. The new value
is the same as used for the new HIGH_RLIMIT_NOFILE we just added.

With this we ensure all code that access the journal has higher
RLIMIT_NOFILE. The code that runs as daemon via the unit files, the code
that is run from the user's command line via C code internal to the
relevant tools. In some cases this means we'll redundantly bump the
limits as there are tools run both from the command line and as service.
2018-10-16 16:33:55 +02:00
Lennart Poettering
ee8f26180d units: switch from system call blacklist to whitelist
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.

This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.

Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.
2018-06-14 17:44:20 +02:00
Yu Watanabe
dea6363533 unit: tighten sandboxing for logind 2018-04-27 18:11:29 +09:00
Zbigniew Jędrzejewski-Szmek
a7df2d1e43 Add SPDX license headers to unit files 2017-11-19 19:08:15 +01:00
Lennart Poettering
0a9b166b43 units: prohibit all IP traffic on all our long-running services (#6921)
Let's lock things down further.
2017-10-04 14:16:28 +02:00
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Zbigniew Jędrzejewski-Szmek
a132bef023 Drop kdbus bits
Some kdbus_flag and memfd related parts are left behind, because they
are entangled with the "legacy" dbus support.

test-bus-benchmark is switched to "manual". It was already broken before
(in the non-kdbus mode) but apparently nobody noticed. Hopefully it can
be fixed later.
2017-07-23 12:01:54 -04:00
AsciiWolf
16a5d4128f units: use https for the freedesktop url (#6227) 2017-06-28 22:54:12 -04:00
Franck Bui
aed24c4cd7 logind: save/restore session devices and their respective file descriptors
This patch ensures that session devices are saved for each session.

In order to make the revokation logic work when logind is restarted, the
session devices are now saved in the session state files and their respective
file descriptors sent to PID1's fdstore in order to keep them open accross
restart.

This is mandatory in order to keep the revokation logic working. Indeed in case
of input-devices, the same file descriptors must be shared by logind and a
given session controller in order EVIOCREVOKE to work otherwise multiple
sessions can have device access in parallel.

This should be the only remaining and missing piece for making logind fully
restartable.

Fixes: #1163
2017-06-08 16:21:36 +02:00
Lennart Poettering
6489ccfe48 units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings
Tighten security up a bit more.
2017-02-09 16:12:03 +01:00
Lennart Poettering
3c19d0b46b units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
2017-02-09 16:12:03 +01:00
Lennart Poettering
7f396e5f66 units: set SystemCallArchitectures=native on all our long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Lennart Poettering
4e069746fe units: tighten system call filters a bit
Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.
2016-06-13 16:25:54 +02:00
Topi Miettinen
40093ce5dd units: add a basic SystemCallFilter (#3471)
Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.
2016-06-09 09:32:04 +02:00
Topi Miettinen
40652ca479 units: enable MemoryDenyWriteExecute (#3459)
Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.

Closes: #3459
2016-06-08 14:23:37 +02:00
Lennart Poettering
c2fc2c2560 units: increase watchdog timeout to 3min for all our services
Apparently, disk IO issues are more frequent than we hope, and 1min
waiting for disk IO happens, so let's increase the watchdog timeout a
bit, for all our services.

See #1353 for an example where this triggers.
2015-09-29 21:55:51 +02:00
Lennart Poettering
a24111cea6 Revert "units: add SecureBits"
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11 18:28:06 +01:00
Topi Miettinen
6a716208b3 units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
2015-02-11 17:33:36 +01:00
Lennart Poettering
eab459bc06 Revert "systemd-logind.service: set Type=notify"
This reverts commit a4962513c5.

logind.service is a D-Bus service, hence we should use the dbus name as
indication that we are up. Type=dbus is implied if BusName= is
specified, as it is in this case.

This removes a warning that is printed because a BusName= is specified
for a Type=notify unit.
2014-11-21 01:17:52 +01:00
Dave Reisner
a4962513c5 systemd-logind.service: set Type=notify
The code already calls sd_notify("READY=1"), so we may as well take
advantage of the startup behavior in the unit. The same was done for
the journal in a87a38c20.
2014-11-19 08:13:34 -05:00
Lukasz Skalski
374738d55b logind: mount per-user tmpfs with 'smackfsroot=*' for smack enabled systems 2014-10-09 11:38:59 +02:00
Kay Sievers
72543b361d remove ReadOnlySystem and ProtectedHome from udevd and logind
logind needs access to /run/user/, udevd fails during early boot
with these settings
2014-06-04 01:41:15 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Zbigniew Jędrzejewski-Szmek
8f9c6fe5ff units: systemd-logind fails hard without dbus
That is, without --enable-kdbus and kdbus running.

With --enable-kdbus things are more complicated, because dbus might be
necessary, if kdbus is missing at runtime. If it is not necessary,
the socket will be started, which is not imporant, but not the service.
2014-02-14 19:00:32 -05:00
Lennart Poettering
cde93897cd event: hook up sd-event with the service watchdog logic
Adds a new call sd_event_set_watchdog() that can be used to hook up the
event loop with the watchdog supervision logic of systemd. If enabled
and $WATCHDOG_USEC is set the event loop will ping the invoking systemd
daemon right after coming back from epoll_wait() but not more often than
$WATCHDOG_USEC/4. The epoll_wait() will sleep no longer than
$WATCHDOG_USEC/4*3, to make sure the service manager is called in time.

This means that setting WatchdogSec= in a .service file and calling
sd_event_set_watchdog() in your daemon is enough to hook it up with the
watchdog logic.
2013-12-11 18:20:09 +01:00
David Herrmann
11c2f7a813 logind: run with CAP_SYS_ADMIN
DRM Master access requires CAP_SYS_ADMIN, yay! Add it to the capability
bounding set for systemd-logind. As CAP_SYS_ADMIN actually allows a huge
set of actions, this mostly renders the restriction-set useless. Anyway,
patches are already pending to reduce the restriction on the kernel side.
But these won't really make it into any stable-release so for now we're
stuck with CAP_SYS_ADMIN.
2013-10-01 17:59:44 +02:00
Lennart Poettering
085b90af43 units: add references to bus API documentation to logind+machined 2013-07-19 03:49:07 +02:00
Lennart Poettering
1ee306e124 machined: split out machine registration stuff from logind
Embedded folks don't need the machine registration stuff, hence it's
nice to make this optional. Also, I'd expect that machinectl will grow
additional commands quickly, for example to join existing containers and
suchlike, hence it's better keeping that separate from loginctl.
2013-07-02 03:47:23 +02:00
Lennart Poettering
9444b1f20e logind: add infrastructure to keep track of machines, and move to slices
- This changes all logind cgroup objects to use slice objects rather
  than fixed croup locations.

- logind can now collect minimal information about running
  VMs/containers. As fixed cgroup locations can no longer be used we
  need an entity that keeps track of machine cgroups in whatever slice
  they might be located. Since logind already keeps track of users,
  sessions and seats this is a trivial addition.

- nspawn will now register with logind and pass various bits of metadata
  along. A new option "--slice=" has been added to place the container
  in a specific slice.

- loginctl gained commands to list, introspect and terminate machines.

- user.slice and machine.slice will now be pulled in by logind.service,
  since only logind.service requires this slice.
2013-06-20 03:49:59 +02:00
Lennart Poettering
3f612b9123 units: fix section of man page link in systemd-logind.service
https://bugs.freedesktop.org/show_bug.cgi?id=51963
2012-07-19 12:46:55 +02:00
Lennart Poettering
47ec118473 units: don't enforce a holdoff time for journald, logind, udevd
These services should be restarted as quickly as possible if they fail,
and the extra safety net of the holdoff time is not necessary.
2012-07-18 02:31:52 +02:00
Lennart Poettering
454591be36 units: automatically respawn the core services 2012-06-28 12:18:04 +02:00