1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-27 07:22:31 +03:00
Commit Graph

42 Commits

Author SHA1 Message Date
Topi Miettinen
9af2820694 units: deny access to block devices
While the need for access to character devices can be tricky to determine for
the general case, it's obvious that most of our services have no need to access
block devices. For logind and timedated this can be tightened further.
2019-06-20 14:03:57 +02:00
Lennart Poettering
62aa29247c units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-04-02 16:56:48 +02:00
Lennart Poettering
a18449b5bd units: turn of ProtectHostname= again for services hat need to know about system hostname changes
ProtectHostname= turns off hostname change propagation from host to
service. This means for services that care about the hostname and need
to be able to notice changes to it it's not suitable (though it is
useful for most other cases still).

Let's turn it off hence for journald (which logs the current hostname)
for networkd (which optionally sends the current hostname to dhcp
servers) and resolved (which announces the current hostname via
llmnr/mdns).
2019-03-08 15:49:10 +01:00
Topi Miettinen
99894b867f units: enable ProtectHostname=yes 2019-02-20 10:50:44 +02:00
Lennart Poettering
3ca9940cb9 units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

An while we are at it: sort the settings in the unit files this touches.
This might increase the size of the change in this case, but hopefully
should result in stabler patches later on.

Fixes: #1219
2018-11-12 19:02:55 +01:00
Zbigniew Jędrzejewski-Szmek
696fc8360d Revert "network: set DynamicUser= to systemd-networkd.service"
This reverts commit d4e9e574ea.
(systemd.conf.m4 part was already reverted in 5b5d82615011b9827466b7cd5756da35627a1608.)

Together those reverts should "fix" #10025 and #10011. ("fix" is in quotes
because this doesn't really fix the underlying issue, which is combining
DynamicUser= with strict container sandbox, but it avoids the problem by not
using that feature in our default installation.)

Dynamic users don't work well if the service requires matching configuration in
other places, for example dbus policy. This is true for those three services.
In effect, distros create the user statically [1, 2]. Dynamic users make more
sense for "add-on" services where not creating the user, or more precisely,
creating the user lazily, can save resources. For "basic" services, if we are
going to create the user on package installation anyway, setting DynamicUser=
just creates unneeded confusion. The only case where it is actually used is
when somebody forgets to do system configuration. But it's better to have the
service fail cleanly in this case too. If we want to turn on some side-effect
of DynamicUser=yes for those services, we should just do that directly through
fine-grained options. By not using DynamicUser= we also avoid the need to
restart dbus.

[1] bd9bf30727
[2] 48ac1cebde/f/systemd.spec (_473)
(Fedora does not create systemd-timesync user.)
2018-09-20 16:52:02 +02:00
Lennart Poettering
ee8f26180d units: switch from system call blacklist to whitelist
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.

This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.

Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.
2018-06-14 17:44:20 +02:00
Yu Watanabe
d4e9e574ea network: set DynamicUser= to systemd-networkd.service 2018-05-22 22:37:34 +09:00
Yu Watanabe
46657f637c units: set RestrictNamespaces=yes to networkd and resolved
Closes #8949.
2018-05-10 22:50:31 -07:00
Zbigniew Jędrzejewski-Szmek
a7df2d1e43 Add SPDX license headers to unit files 2017-11-19 19:08:15 +01:00
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Yu Watanabe
c61f302d3c units: make use of !! ExecStart= prefix in systemd-networkd.service
Let's make use of !! to run networkd with ambient capabilities on
systems supporting them.
2017-08-27 01:40:47 +09:00
Yu Watanabe
4429c69f8d units: do not perform m4 if not necessary (#6575) 2017-08-09 09:13:41 -04:00
Tom Gundersen
b5acb956d1 units: make networkd pull in its own .busname unit
The daemon requires the busname unit to operate (on kdbus systems),
since it contains the policy that allows it to acquire its service
name.

This fixes https://bugs.freedesktop.org/show_bug.cgi?id=90287
2015-05-15 22:59:43 +02:00
Lennart Poettering
a24111cea6 Revert "units: add SecureBits"
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11 18:28:06 +01:00
Topi Miettinen
6a716208b3 units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
2015-02-11 17:33:36 +01:00
Tom Gundersen
a97dcc12e4 networkd: exit on idle
We will be woken up on rtnl or dbus activity, so let's just quit if some time has passed and that is the only thing that can happen.

Note that we will always stay around if we expect network activity (e.g. DHCP is enabled), as we are not restarted on that.
2015-02-05 12:04:19 +01:00
Tom Gundersen
5544ee8516 networkd: support socket activation
Still keep the non-socket activation code around for starting from the commandline, but
will likely drop that too in the future.
2015-02-02 11:57:52 +01:00
Tom Gundersen
4bd5ace3e7 units: networkd - order after udev
This way we are sure that /dev/net/tun has been given the right permissions before we try to connect to it.
Ideally, we should create tun/tap devices over netlink, and then this whole issue would go away.
2014-09-08 15:07:51 +02:00
Lennart Poettering
689d781b87 units: minor cleanups 2014-06-17 02:43:44 +02:00
Lennart Poettering
324d7a53b9 networkd: don't pull in systemd-networkd-wait-online service from systemd-networkd when enabling
networkd-wait-online should never exist in the default transaction,
unless explicitly enable or pulled in via things like NFS. However, just
enabling networkd shouldn't enable networkd-wait-online, since it's
common to use the former without the latter.
2014-06-17 02:43:44 +02:00
Lennart Poettering
ecde7065f7 units: rebuild /etc/passwd, the udev hwdb and the journal catalog files on boot
Only when necessary of course, nicely guarded with the new
ConditionNeedsUpdate= condition we added.
2014-06-13 13:26:32 +02:00
Lennart Poettering
a4a878d040 units: introduce network-pre.target as place to hook in firewalls
network-pre.target is a passive target that should be pulled in by
services that want to be executed before any network is configured (for
example: firewall scrips).

network-pre.target should be ordered before all network managemet
services (but not be pulled in by them).

network-pre.target should be order after all services that want to be
executed before any network is configured (and be pulled in by them).
2014-06-11 12:14:55 +02:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
2014-06-04 18:12:55 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Tom Gundersen
bddfc8afd3 networkd: drop CAP_SYS_MODULE
Rely on modules being built-in or autoloaded on-demand.

As networkd is a network facing service, we want to limits its capabilities,
as much as possible. Also, we may not have CAP_SYS_MODULE in a container,
and we want networkd to work the same there.

Module autoloading does not always work, but should be fixed by the kernel
patch f98f89a0104454f35a: 'net: tunnels - enable module autoloading', which
is currently in net-next and which people may consider backporting if they
want tunneling support without compiling in the modules.

Early adopters may also use a module-load.d snippet and order
systemd-modules-load.service before networkd to force the module
loading of tunneling modules.

This sholud fix the various build issues people have reported.
2014-06-03 00:40:23 +02:00
Lennart Poettering
d3cf48f4bd networkd: run as unpriviliged "systemd-network" user
This allows us to run networkd mostly unpriviliged with the exception of
CAP_NET_* and CAP_SYS_MODULE. I'd really like to get rid of the latter
though...
2014-06-01 09:12:00 +02:00
Lennart Poettering
40393d5247 units: remove CAP_SYS_PTRACE capability from hostnamed/networkd
The ptrace capability was only necessary to detect virtualizations
environments. Since we changed the logic to determine this to not
require priviliges, there's no need to carry the CAP_SYS_PTRACE
capability anymore.
2014-06-01 08:54:09 +02:00
Tom Gundersen
7da489e630 Revert "networkd: order after udev kernel socket"
This reverts commit a555350d47.

This did not fix the problem, just made it harder to hit.
2014-05-16 14:52:02 +02:00
Tom Gundersen
7c8ec321e7 networkd: unit - add cap to load modules
Remember to drop this when the kernel gains autoloading for all netdev kinds.
2014-05-12 17:37:52 +02:00
Tom Gundersen
3a67e927e3 networkd-wait-online: improve interoptability and enable by default
To make sure we don't delay boot on systems where (some) network links are managed by someone else
we don't block if something else has successfully brought up a link.

We will still block until all links we are aware of that are  managed by networkd have been
configured, but if no such links exist, and someone else have configured a link sufficiently
that it has a carrier, it may be that the link is ready so we should no longer block.

Note that in all likelyhood the link is not ready (no addresses/routes configured),
so whatever network managment daemon configured it should provide a similar wait-online
service to block network-online.target until it is ready.

The aim is to block as long as we know networking is not fully configured, but no longer. This
will allow systemd-networkd-wait-online.service to be enabled on any system, even if we don't
know whether networkd is the main/only network manager.

Even in the case networking is fully configured by networkd, the default behavior may not be
sufficient: if two links need to be configured, but the first is fully configured before the
second one appears we will assume the network is up. To work around that, we allow specifying
specific devices to wait for before considering the network up.

This unit is enabled by default, just like systemd-networkd, but will only be pulled in if
anyone pulls in network-online.target.
2014-04-24 00:23:07 +02:00
Tom Gundersen
a555350d47 networkd: order after udev kernel socket
Otherwise we will not be able to queuery whether devices are initialized on kdbus enabled systems.
2014-04-19 22:13:49 +02:00
Tom Gundersen
6c7c89dfc6 networkd: add CapabilityBoundingSet 2014-03-24 17:13:24 +01:00
Lennart Poettering
48791a98be units: networkd shouldn't have PrivateTmp= set, since it runs in early-boot
/tmp is only available in later boot, and we shouldn't create private
subdirs in it hence, while we are still in early boot.
2014-03-24 16:48:39 +01:00
Lennart Poettering
f21a71a907 core: enable PrivateNetwork= for a number of our long running services where this is useful 2014-03-19 23:25:28 +01:00
Jason A. Donenfeld
c4a0b20c7a install: do not statically enable systemd-networkd
[tomegun: pruned the commit message as not to contradict the follow-up commit]
2014-02-21 14:37:53 +01:00
Tom Gundersen
bcbca8291f networkd: don't hard depend on system bus
We may not have a dbus daemon in the initrd (until we can rely on kdbus). In
this case, simply ignore any attempts at using the bus. There is only one user
for now, but surely more to come.

In order to work reliably in the real root without kdbus, but at the same time
don't delay boot when kdbus is in use, order ourselves after dbus.service.
2014-01-18 01:56:41 +01:00
Tom Gundersen
1346b1f038 sd-dhcp-client/networkd: add transient hostname support 2014-01-16 20:32:08 +01:00
Lennart Poettering
74f9e0f203 units: run systemd-networkd.service only if CAP_NET_ADMIN capability is around
This has the effect that systemd-networkd won't run in containers
without network namespacing wher CAP_NET_ADMIN is (usually) not
available. It will still run in containers with network namespacing on
(where CAP_NET_ADMIN is usually avilable).

We might remove this condition check again if networkd provides services
to apps that also are useful in containers lacking network namespacing,
however, as long as it doesn't it should be handled like udevd and be
excluded in such containers.
2013-12-18 18:21:27 +01:00
Lennart Poettering
cde93897cd event: hook up sd-event with the service watchdog logic
Adds a new call sd_event_set_watchdog() that can be used to hook up the
event loop with the watchdog supervision logic of systemd. If enabled
and $WATCHDOG_USEC is set the event loop will ping the invoking systemd
daemon right after coming back from epoll_wait() but not more often than
$WATCHDOG_USEC/4. The epoll_wait() will sleep no longer than
$WATCHDOG_USEC/4*3, to make sure the service manager is called in time.

This means that setting WatchdogSec= in a .service file and calling
sd_event_set_watchdog() in your daemon is enough to hook it up with the
watchdog logic.
2013-12-11 18:20:09 +01:00
Tom Gundersen
4b6141c424 networkd: use Type=notify
Also start earlier during boot.
2013-11-23 02:07:08 +01:00
Tom Gundersen
f579559b3a networkd: add a basic network daemon
This daemon listens for and configures network devices tagged with
'systemd-networkd'. By default, no devices are tagged so this daemon
can safely run in parallel with existing network daemons/scripts.

Networks are configured in /etc/systemd/network/*.network. The first .network
file that matches a given link is applied. The matching logic is similar to
the one for .link files, but additionally supports matching on interface name.

The mid-term aim is to provide an alternative to ad-hoc scripts currently used
in initrd's and for wired setups that don't change much (e.g., as seen on
servers/and some embedded systems).

Currently, static addresses and a gateway can be configured.

Example .network file:

[Match]
Name=wlp2s0

[Network]
Description=My Network
Gateway=192.168.1.1
Address=192.168.1.23/24
Address=fe80::9aee:94ff:fe3f:c618/64
2013-11-09 23:41:17 +01:00