mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00
systemd/units
Maciek Borzecki 0ddd608a6d units/systemd-udevd: allow bpf() syscall
Programs run by udev triggers may need to execute the bpf() syscall. Even more
so, since on a cgroup v2 system, the only way to set up device access filtering
is to install a BPF program on the cgroup in question and one way of passing
data to such a program is through BPF maps, which can only be accessed using the
bpf() syscall. One such use case was identified in RHBZ#2025264 related to
snap-device-helper, and led to RHBZ#2027627 being filed.

Unfortunately there is no finer grained control over what gets passed in the
syscall, so just enable bpf() and leave fine grained mediation to other
security layers (e.g. SELinux).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2027627

Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
2021-12-07 07:37:54 +01:00
user meson: drop unnecessary listification 2021-05-19 10:24:43 +09:00
user-.slice.d license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
basic.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
blockdev@.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
bluetooth.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
boot-complete.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
console-getty.service.in getty: Pass tty to use by agetty via stdin 2021-11-05 21:32:11 +00:00
container-getty@.service.in getty: Pass tty to use by agetty via stdin 2021-11-05 21:32:11 +00:00
cryptsetup-pre.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
cryptsetup.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
debug-shell.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
dev-hugepages.mount license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
dev-mqueue.mount license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
emergency.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
emergency.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
exit.target logind, units: unit Descriptions should be capitalized 2021-06-30 13:25:16 +02:00
factory-reset.target units: added factory-reset.target 2021-08-10 17:08:00 +02:00
final.target units: correct description of final.target 2021-07-02 18:29:54 +02:00
first-boot-complete.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
getty-pre.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
getty.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
getty@.service.in getty: Pass tty to use by agetty via stdin 2021-11-05 21:32:11 +00:00
graphical.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
halt.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
hibernate.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
hybrid-sleep.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
initrd-cleanup.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
initrd-fs.target units: change order of settings to match order in other similar unit 2021-04-20 19:11:07 +02:00
initrd-parse-etc.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
initrd-root-device.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
initrd-root-fs.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
initrd-switch-root.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
initrd-switch-root.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
initrd-udevadm-cleanup-db.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
initrd-usr-fs.target fstab-generator: if usr= is specified, mount it to /sysusr/usr/ first 2021-04-20 18:26:17 +02:00
initrd.target fstab-generator: if usr= is specified, mount it to /sysusr/usr/ first 2021-04-20 18:26:17 +02:00
integritysetup-pre.target Add stand-alone dm-integrity support 2021-10-15 10:19:54 -05:00
integritysetup.target Add stand-alone dm-integrity support 2021-10-15 10:19:54 -05:00
kexec.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
kmod-static-nodes.service.in units: shorten description of kmod-static-nodes.service 2021-06-30 13:25:16 +02:00
ldconfig.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
local-fs-pre.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
local-fs.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
machine.slice license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
machines.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
meson-add-wants.sh tools: shellcheck-ify tool scripts 2021-09-30 12:27:06 +02:00
meson.build build: preserve correct mode when generating files via jinja2 2021-11-08 12:06:48 +00:00
modprobe@.service Revert "units: skip modprobe@.service if the unit appears to be already loaded" 2020-11-19 09:49:42 +01:00
multi-user.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
network-online.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
network-pre.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
network.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
nss-lookup.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
nss-user-lookup.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
paths.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
poweroff.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
printer.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
proc-sys-fs-binfmt_misc.automount units: stop automount unit when shutting down 2021-06-07 13:38:28 +02:00
proc-sys-fs-binfmt_misc.mount license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
quotaon.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
rc-local.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
reboot.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
remote-cryptsetup.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
remote-fs-pre.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
remote-fs.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
remote-veritysetup.target dm-verity: Remove usage of integrity 2021-10-14 12:17:02 -05:00
rescue.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
rescue.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
rpcbind.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
serial-getty@.service.in getty: Pass tty to use by agetty via stdin 2021-11-05 21:32:11 +00:00
shutdown.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
sigpwr.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
sleep.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
slices.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
smartcard.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
sockets.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
sound.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
suspend-then-hibernate.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
suspend.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
swap.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
sys-fs-fuse-connections.mount units: restore sysfs conditions in sys-fs-fuse-connections.mount and sys-kernel-config.mount 2020-11-21 01:10:17 +09:00
sys-kernel-config.mount units: restore sysfs conditions in sys-fs-fuse-connections.mount and sys-kernel-config.mount 2020-11-21 01:10:17 +09:00
sys-kernel-debug.mount license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
sys-kernel-tracing.mount license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
sysinit.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
syslog.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
system-systemd\x2dcryptsetup.slice man: document system-systemd\x2dcryptsetup.slice 2021-04-09 10:38:09 +02:00
system-update-cleanup.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
system-update-pre.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
system-update.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-ask-password-console.path unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-ask-password-console.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-ask-password-wall.path unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-ask-password-wall.service unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-backlight@.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-binfmt.service.in units: delay binfmt processing until after local-fs.target 2021-11-16 09:21:22 +01:00
systemd-bless-boot.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-boot-check-no-failures.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-boot-system-token.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-boot-update.service boot: optionally update sd-boot on boot 2021-07-30 17:19:55 +02:00
systemd-coredump.socket systemd-coredump: Add conflict with shutdown.target 2021-04-29 21:45:23 +02:00
systemd-coredump@.service.in coredump: analyze object with libdwelf in forked process 2021-11-30 16:49:58 +00:00
systemd-exit.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-firstboot.service Revert "sysusers/firstboot: temporarily disable LoadCredential" 2021-05-03 12:16:35 +09:00
systemd-fsck-root.service.in fsck: no emergency.target on nofail mounts 2021-11-10 11:58:12 +01:00
systemd-fsck@.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-halt.service units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
systemd-hibernate-resume@.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-hibernate.service.in unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-homed-activate.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-homed.service.in units: relax sandbox so that uidmap stuff can work 2021-11-16 10:41:36 +09:00
systemd-hostnamed.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-hwdb-update.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-hybrid-sleep.service.in unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-importd.service.in units: make sure importd has CAP_LINUX_IMMUTABLE flag 2021-05-22 16:02:02 +09:00
systemd-initctl.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-initctl.socket unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-journal-catalog-update.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-journal-flush.service journal: don't remove the flushed flag when journald is stopped 2021-12-06 11:47:27 +01:00
systemd-journal-gatewayd.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-journal-gatewayd.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-journal-remote.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-journal-remote.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-journal-upload.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-journald-audit.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-journald-dev-log.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-journald-varlink@.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-journald.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-journald.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-journald@.service.in journald: when journald namespace instances log, they can do so safely to the main journald instance 2021-06-09 12:30:22 +09:00
systemd-journald@.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-kexec.service unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-localed.service.in units: generate ReadWritePaths= in the template 2021-05-19 10:25:26 +09:00
systemd-logind.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-machine-id-commit.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-machined.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-modules-load.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-network-generator.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-networkd-wait-online.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-networkd.service.in unit: networkd does not require AF_ALG anymore 2021-10-15 09:25:38 +02:00
systemd-networkd.socket systemd-networkd.socket: Add conflict with shutdown.target (#19348) 2021-04-19 11:25:33 +09:00
systemd-nspawn@.service.in units: strip out the developer comment in .service unit again 2021-05-19 10:24:43 +09:00
systemd-oomd.service.in oom: Add support for user unit ManagedOOM property updates 2021-09-20 13:53:11 +01:00
systemd-oomd.socket oom: Add support for user unit ManagedOOM property updates 2021-09-20 13:53:11 +01:00
systemd-portabled.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-poweroff.service units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
systemd-pstore.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-quotacheck.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-random-seed.service.in units: skip some units in the initrd 2021-05-22 15:58:40 +09:00
systemd-reboot.service units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
systemd-remount-fs.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-repart.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-resolved.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-rfkill.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-rfkill.socket license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-suspend-then-hibernate.service.in unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-suspend.service.in units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
systemd-sysctl.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-sysext.service sysext: rework command line interface to be verb-based 2021-01-20 17:50:23 +01:00
systemd-sysusers.service Revert "sysusers/firstboot: temporarily disable LoadCredential" 2021-05-03 12:16:35 +09:00
systemd-time-wait-sync.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-timedated.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-timesyncd.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-tmpfiles-clean.service units: make sure systemd-tmpfiles-{setup,clean} don't survive switch-root 2021-08-06 11:11:14 +01:00
systemd-tmpfiles-clean.timer units: skip some units in the initrd 2021-05-22 15:58:40 +09:00
systemd-tmpfiles-setup-dev.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-tmpfiles-setup.service units: make sure systemd-tmpfiles-{setup,clean} don't survive switch-root 2021-08-06 11:11:14 +01:00
systemd-udev-settle.service license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
systemd-udev-trigger.service unit: ignore exit code of "udevadm trigger" 2021-02-21 04:40:23 +09:00
systemd-udevd-control.socket unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-udevd-kernel.socket unit: use alias name of man page 2021-06-15 12:14:26 +01:00
systemd-udevd.service.in units/systemd-udevd: allow bpf() syscall 2021-12-07 07:37:54 +01:00
systemd-update-done.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-update-utmp-runlevel.service.in units: adjust description of systemd-update-utmp.service 2021-06-30 13:25:16 +02:00
systemd-update-utmp.service.in units: adjust description of systemd-update-utmp.service 2021-06-30 13:25:16 +02:00
systemd-user-sessions.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-userdbd.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-userdbd.socket userdbd: also listen on a varlink socket io.systemd.DropIn 2021-05-10 14:58:39 +02:00
systemd-vconsole-setup.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
systemd-volatile-root.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
time-set.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
time-sync.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
timers.target units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
tmp.mount units: adjust Descriptions of various units 2021-06-30 13:25:16 +02:00
umount.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
usb-gadget.target license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
user-runtime-dir@.service.in meson: use jinja2 for unit templates 2021-05-19 10:24:43 +09:00
user.slice license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
user@.service.in units: run user service managers at OOM score adjustment 100 2021-10-04 16:27:10 +02:00
var-lib-machines.mount license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
veritysetup-pre.target dm-verity: Remove usage of integrity 2021-10-14 12:17:02 -05:00
veritysetup.target dm-verity: Remove usage of integrity 2021-10-14 12:17:02 -05:00