1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-05 06:52:22 +03:00
Commit Graph

51 Commits

Author SHA1 Message Date
Lennart Poettering
31b221cf5e logind: add support for booting into the boot menu or a specific boot menu entry
This behaves similar to the "boot into firmware" logic, and also allows
either direct EFI operation (which sd-boot supports and others might
support eventually too) or override through env var.
2019-03-05 16:52:46 +01:00
Topi Miettinen
99894b867f units: enable ProtectHostname=yes 2019-02-20 10:50:44 +02:00
Zbigniew Jędrzejewski-Szmek
28f38a7634 Revert "units: lock down logind with fs namespacing options" 2018-11-15 17:48:01 +03:00
Lennart Poettering
45ae3f6117 units: lock down systemd-logind.service with various fs namespacing options
now that logind doesn't mount $XDG_RUNTIME_DIR anymore we can lock down
the service using fs namespacing (as we don't need the mount to
propagate to the host namespace anymore).
2018-11-12 19:14:33 +01:00
Lennart Poettering
1bded6b28f logind: drop CAP_KILL from caps bounding set
logind doesn't kill any processes anymore, hence let's drop the
capability.
2018-11-12 19:05:36 +01:00
Lennart Poettering
3ca9940cb9 units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

An while we are at it: sort the settings in the unit files this touches.
This might increase the size of the change in this case, but hopefully
should result in stabler patches later on.

Fixes: #1219
2018-11-12 19:02:55 +01:00
Zbigniew Jędrzejewski-Szmek
c02b6ee496 meson: define @HIGH_RLIMIT_NOFILE@ and use it everywhere 2018-10-17 14:54:48 +02:00
Lennart Poettering
c35ee02c61 units: bump the RLIMIT_NOFILE soft limit for all services that access the journal
This updates the unit files of all our serviecs that deal with journal
stuff to use a higher RLIMIT_NOFILE soft limit by default. The new value
is the same as used for the new HIGH_RLIMIT_NOFILE we just added.

With this we ensure all code that access the journal has higher
RLIMIT_NOFILE. The code that runs as daemon via the unit files, the code
that is run from the user's command line via C code internal to the
relevant tools. In some cases this means we'll redundantly bump the
limits as there are tools run both from the command line and as service.
2018-10-16 16:33:55 +02:00
Lennart Poettering
ee8f26180d units: switch from system call blacklist to whitelist
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.

This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.

Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.
2018-06-14 17:44:20 +02:00
Yu Watanabe
dea6363533 unit: tighten sandboxing for logind 2018-04-27 18:11:29 +09:00
Zbigniew Jędrzejewski-Szmek
a7df2d1e43 Add SPDX license headers to unit files 2017-11-19 19:08:15 +01:00
Lennart Poettering
0a9b166b43 units: prohibit all IP traffic on all our long-running services (#6921)
Let's lock things down further.
2017-10-04 14:16:28 +02:00
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Zbigniew Jędrzejewski-Szmek
a132bef023 Drop kdbus bits
Some kdbus_flag and memfd related parts are left behind, because they
are entangled with the "legacy" dbus support.

test-bus-benchmark is switched to "manual". It was already broken before
(in the non-kdbus mode) but apparently nobody noticed. Hopefully it can
be fixed later.
2017-07-23 12:01:54 -04:00
AsciiWolf
16a5d4128f units: use https for the freedesktop url (#6227) 2017-06-28 22:54:12 -04:00
Franck Bui
aed24c4cd7 logind: save/restore session devices and their respective file descriptors
This patch ensures that session devices are saved for each session.

In order to make the revokation logic work when logind is restarted, the
session devices are now saved in the session state files and their respective
file descriptors sent to PID1's fdstore in order to keep them open accross
restart.

This is mandatory in order to keep the revokation logic working. Indeed in case
of input-devices, the same file descriptors must be shared by logind and a
given session controller in order EVIOCREVOKE to work otherwise multiple
sessions can have device access in parallel.

This should be the only remaining and missing piece for making logind fully
restartable.

Fixes: #1163
2017-06-08 16:21:36 +02:00
Lennart Poettering
6489ccfe48 units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings
Tighten security up a bit more.
2017-02-09 16:12:03 +01:00
Lennart Poettering
3c19d0b46b units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
2017-02-09 16:12:03 +01:00
Lennart Poettering
7f396e5f66 units: set SystemCallArchitectures=native on all our long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Lennart Poettering
4e069746fe units: tighten system call filters a bit
Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.
2016-06-13 16:25:54 +02:00
Topi Miettinen
40093ce5dd units: add a basic SystemCallFilter (#3471)
Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.
2016-06-09 09:32:04 +02:00
Topi Miettinen
40652ca479 units: enable MemoryDenyWriteExecute (#3459)
Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.

Closes: #3459
2016-06-08 14:23:37 +02:00
Lennart Poettering
c2fc2c2560 units: increase watchdog timeout to 3min for all our services
Apparently, disk IO issues are more frequent than we hope, and 1min
waiting for disk IO happens, so let's increase the watchdog timeout a
bit, for all our services.

See #1353 for an example where this triggers.
2015-09-29 21:55:51 +02:00
Lennart Poettering
a24111cea6 Revert "units: add SecureBits"
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11 18:28:06 +01:00
Topi Miettinen
6a716208b3 units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
2015-02-11 17:33:36 +01:00
Lennart Poettering
eab459bc06 Revert "systemd-logind.service: set Type=notify"
This reverts commit a4962513c5.

logind.service is a D-Bus service, hence we should use the dbus name as
indication that we are up. Type=dbus is implied if BusName= is
specified, as it is in this case.

This removes a warning that is printed because a BusName= is specified
for a Type=notify unit.
2014-11-21 01:17:52 +01:00
Dave Reisner
a4962513c5 systemd-logind.service: set Type=notify
The code already calls sd_notify("READY=1"), so we may as well take
advantage of the startup behavior in the unit. The same was done for
the journal in a87a38c20.
2014-11-19 08:13:34 -05:00
Lukasz Skalski
374738d55b logind: mount per-user tmpfs with 'smackfsroot=*' for smack enabled systems 2014-10-09 11:38:59 +02:00
Kay Sievers
72543b361d remove ReadOnlySystem and ProtectedHome from udevd and logind
logind needs access to /run/user/, udevd fails during early boot
with these settings
2014-06-04 01:41:15 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Zbigniew Jędrzejewski-Szmek
8f9c6fe5ff units: systemd-logind fails hard without dbus
That is, without --enable-kdbus and kdbus running.

With --enable-kdbus things are more complicated, because dbus might be
necessary, if kdbus is missing at runtime. If it is not necessary,
the socket will be started, which is not imporant, but not the service.
2014-02-14 19:00:32 -05:00
Lennart Poettering
cde93897cd event: hook up sd-event with the service watchdog logic
Adds a new call sd_event_set_watchdog() that can be used to hook up the
event loop with the watchdog supervision logic of systemd. If enabled
and $WATCHDOG_USEC is set the event loop will ping the invoking systemd
daemon right after coming back from epoll_wait() but not more often than
$WATCHDOG_USEC/4. The epoll_wait() will sleep no longer than
$WATCHDOG_USEC/4*3, to make sure the service manager is called in time.

This means that setting WatchdogSec= in a .service file and calling
sd_event_set_watchdog() in your daemon is enough to hook it up with the
watchdog logic.
2013-12-11 18:20:09 +01:00
David Herrmann
11c2f7a813 logind: run with CAP_SYS_ADMIN
DRM Master access requires CAP_SYS_ADMIN, yay! Add it to the capability
bounding set for systemd-logind. As CAP_SYS_ADMIN actually allows a huge
set of actions, this mostly renders the restriction-set useless. Anyway,
patches are already pending to reduce the restriction on the kernel side.
But these won't really make it into any stable-release so for now we're
stuck with CAP_SYS_ADMIN.
2013-10-01 17:59:44 +02:00
Lennart Poettering
085b90af43 units: add references to bus API documentation to logind+machined 2013-07-19 03:49:07 +02:00
Lennart Poettering
1ee306e124 machined: split out machine registration stuff from logind
Embedded folks don't need the machine registration stuff, hence it's
nice to make this optional. Also, I'd expect that machinectl will grow
additional commands quickly, for example to join existing containers and
suchlike, hence it's better keeping that separate from loginctl.
2013-07-02 03:47:23 +02:00
Lennart Poettering
9444b1f20e logind: add infrastructure to keep track of machines, and move to slices
- This changes all logind cgroup objects to use slice objects rather
  than fixed croup locations.

- logind can now collect minimal information about running
  VMs/containers. As fixed cgroup locations can no longer be used we
  need an entity that keeps track of machine cgroups in whatever slice
  they might be located. Since logind already keeps track of users,
  sessions and seats this is a trivial addition.

- nspawn will now register with logind and pass various bits of metadata
  along. A new option "--slice=" has been added to place the container
  in a specific slice.

- loginctl gained commands to list, introspect and terminate machines.

- user.slice and machine.slice will now be pulled in by logind.service,
  since only logind.service requires this slice.
2013-06-20 03:49:59 +02:00
Lennart Poettering
3f612b9123 units: fix section of man page link in systemd-logind.service
https://bugs.freedesktop.org/show_bug.cgi?id=51963
2012-07-19 12:46:55 +02:00
Lennart Poettering
47ec118473 units: don't enforce a holdoff time for journald, logind, udevd
These services should be restarted as quickly as possible if they fail,
and the extra safety net of the holdoff time is not necessary.
2012-07-18 02:31:52 +02:00
Lennart Poettering
454591be36 units: automatically respawn the core services 2012-06-28 12:18:04 +02:00
Lennart Poettering
af3bccd6d8 man: write man page for systemd-logind 2012-06-01 17:27:15 +02:00
Lennart Poettering
49dbfa7b2b units: introduce new Documentation= field and make use of it everywhere
This should help making the boot process a bit easier to explore and
understand for the administrator. The simple idea is that "systemctl
status" now shows a link to documentation alongside the other status and
decriptionary information of a service.

This patch adds the necessary fields to all our shipped units if we have
proper documentation for them.
2012-05-21 15:14:51 +02:00
Lennart Poettering
c374339916 units: explicit Type=dbus is now redundant 2012-05-03 14:48:35 +02:00
Lennart Poettering
5430f7f2bc relicense to LGPLv2.1 (with exceptions)
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.

Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.

The bits that used to be MIT continue to be MIT.

The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends.
2012-04-12 00:24:39 +02:00
Lennart Poettering
082694b75f units: introduce nss-user-lookup.target
This separates user/group NSS lookups from host/network NSS lookups.

By default order all network mounts after host/network NSS lookups now,
and logind execution after user/group NSS lookups.
2012-04-11 00:11:18 +02:00
Mike Kazantsev
9c07474c6f logind: add sys_tty_config capability, to let it use VT_ACTIVATE ioctl on "activate" action 2012-01-27 21:14:01 +01:00
Michal Schmidt
c99e42c1db units: drop unnecessary 'StandardOutput=syslog'
DefaultStandardOutput is syslog anyway. There's no reason to assume that
the administrator would want these units to be excluded when he configures
a different DefaultStandardOutput.
2011-11-09 08:48:25 +01:00
Lennart Poettering
f84aea434f units: increase LimitNOFILE a bit
since we need one fd per session (for logind) and one fd per service
(for stdout-syslog-bridge) increase the default rlimit a bit.
2011-10-11 04:43:29 +02:00
Lennart Poettering
3084a7c453 logind: add more necessary caps to the service 2011-06-24 23:52:02 +02:00
Lennart Poettering
094062918c logind: fix set of capabilities 2011-06-24 22:55:51 +02:00