31845ef554
Without this change, there is no ordering between udevd and tmpfiles,
and if tmpfiles is invoked later it may discard the permissions set by
udevd.
Fixes an issue introduced by b42482af90
.
Fixes #28588 and #28653.
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
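[Unit]
Description=Rule-based Manager for Device Events and Files
Documentation=man:systemd-udevd.service(8) man:udev(7)
# Opt out of the implicit default dependencies; ordering is stated explicitly
# below instead.
DefaultDependencies=no
# NOTE(review): presumably so that users/groups referenced by rules and the
# hardware database are in place before rules are processed - confirm.
After=systemd-sysusers.service systemd-hwdb-update.service
# Order after the tmpfiles /dev setup. Without this ordering, tmpfiles may run
# after udevd and discard permissions that udevd has already applied to device
# nodes, leaving them with unintended access modes.
After=systemd-tmpfiles-setup-dev.service
Before=sysinit.target
# Condition fails (and the unit is skipped) when /sys is not writable.
ConditionPathIsReadWrite=/sys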
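[Service]
# Sandboxing note: udevd keeps almost all capabilities and may load kernel
# modules, so the directives below are defense in depth, not a containment
# boundary. NOTE(review): programs started from udev rules are children of this
# service and presumably run under the same restrictions - verify local rules.

# Leading "~" inverts the list: every capability stays in the bounding set
# except the two named here (clock setting and wake alarms).
CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM
# Delegate only the pids cgroup controller; the service's own processes are
# placed in the "udev" subgroup of the delegated cgroup.
Delegate=pids
DelegateSubgroup=udev
Type=notify-reload
# Note that udev will reset the value internally for its workers
OOMScoreAdjust=-1000
Sockets=systemd-udevd-control.socket systemd-udevd-kernel.socket
# Always restart, with no delay between stop and start.
Restart=always
RestartSec=0
# {{LIBEXECDIR}} is a template placeholder, substituted before installation.
ExecStart={{LIBEXECDIR}}/systemd-udevd
# On stop: SIGTERM goes to the main process, the follow-up SIGKILL to every
# process remaining in the unit's control group.
KillMode=mixed
TasksMax=infinity
# Private mount namespace: mounts made inside the service do not propagate to
# the host.
PrivateMounts=yes
ProtectHostname=yes
# Refuse memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
# Allow-list of socket families. AF_INET/AF_INET6 sockets can still be created
# although IPAddressDeny=any below blocks IP traffic.
# NOTE(review): presumably needed for ioctls on network interfaces - confirm.
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
RestrictSUIDSGID=yes
# First line is the allow-list; it deliberately includes the powerful @module
# and @raw-io groups and bpf. The second line subtracts @clock from it, in line
# with CAP_SYS_TIME being dropped above.
SystemCallFilter=@system-service @module @raw-io bpf
SystemCallFilter=~@clock
# Filtered system calls fail with EPERM instead of terminating the process.
SystemCallErrorNumber=EPERM
# Permit only the native syscall ABI, so the filter above cannot be sidestepped
# through an alternative architecture's system call table.
SystemCallArchitectures=native
LockPersonality=yes
# Drop all IP traffic to and from this service.
IPAddressDeny=any
# Template placeholder, substituted before installation.
# NOTE(review): presumably expands to a watchdog setting or nothing - confirm.
{{SERVICE_WATCHDOG}}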