1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-02 02:21:44 +03:00
systemd/units
Przemyslaw Kedzierski dd5ae4c36c bus-proxy: cloning smack label
When dbus client connects to systemd-bus-proxyd through
Unix domain socket proxy takes client's smack label and sets for itself.

It is done before and independent of dropping privileges.

The reason of such soluton is fact that tests of access rights
performed by lsm may take place inside kernel, not only
in userspace of recipient of message.

The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label.

In case of systemd running in system mode, CAP_MAC_ADMIN
should be added to CapabilityBoundingSet in service file of bus-proxyd.

In case of systemd running in user mode ('systemd --user')
it can be achieved by addition
Capabilities=cap_mac_admin=i and SecureBits=keep-caps
to user@.service file
and setting cap_mac_admin+ei on bus-proxyd binary.
2014-12-09 18:23:24 +01:00
..
user bus-proxy: automatically detect scope of bus and derive which XML snippets to load from that 2014-11-28 16:18:17 +01:00
.gitignore gitignore: ignore generated systemd-bootchart.service 2014-12-04 20:43:28 +01:00
basic.target units: disable job timeouts 2014-11-05 20:45:10 -05:00
bluetooth.target
busnames.target units: install busnames.target by default 2013-12-03 01:18:26 +01:00
console-getty.service.m4.in units: when spawning a getty configure TERM explicitly 2013-12-18 18:21:28 +01:00
console-shell.service.m4.in core: optionally send SIGHUP in addition to the configured kill signal 2013-07-30 01:54:59 +02:00
container-getty@.service.m4.in units: make sure container-getty@.service stops restarting when the pts device it is bound to is gone 2014-12-09 02:12:11 +01:00
cryptsetup-pre.target cryptsetup: introduce new cryptsetup-pre.traget unit so that services can make sure they are started before and stopped after any LUKS setup 2014-06-18 00:09:46 +02:00
cryptsetup.target units: introduce new Documentation= field and make use of it everywhere 2012-05-21 15:14:51 +02:00
debug-shell.service.in debug-shell: add condition for tty device to run on 2014-06-12 22:26:43 +02:00
dev-hugepages.mount units: skip mounting /dev/hugepages if we don't have CAP_SYS_ADMIN 2014-12-04 02:43:02 +01:00
dev-mqueue.mount units: add reference to new wiki page to all api mount units 2013-01-15 18:14:13 +01:00
emergency.service.in units: update rescue.service and emergency.service 2014-08-31 00:04:44 -04:00
emergency.target units: introduce new Documentation= field and make use of it everywhere 2012-05-21 15:14:51 +02:00
final.target units: introduce new Documentation= field and make use of it everywhere 2012-05-21 15:14:51 +02:00
getty.target unit: link up getty configuration from man page and unit files 2012-11-20 20:10:30 +01:00
getty@.service.m4 install: introduce new DefaultInstance= field for [Install] sections 2014-06-17 02:43:43 +02:00
graphical.target units: drop [Install] section from multi-user.target and graphical.target 2014-01-17 20:27:35 +01:00
halt-local.service.in
halt.target
hibernate.target unit: rename BindTo= to BindsTo= 2012-07-13 23:34:40 +02:00
hybrid-sleep.target logind: support for hybrid sleep (i.e. suspend+hibernate at the same time) 2012-10-28 00:50:35 +02:00
initrd-cleanup.service.in core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable 2013-11-26 02:26:31 +01:00
initrd-fs.target core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable 2013-11-26 02:26:31 +01:00
initrd-parse-etc.service.in initrd-parse-etc.service: ignore return code of daemon-reload 2014-09-03 13:28:31 +02:00
initrd-root-fs.target core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable 2013-11-26 02:26:31 +01:00
initrd-switch-root.service.in core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable 2013-11-26 02:26:31 +01:00
initrd-switch-root.target
initrd-udevadm-cleanup-db.service.in Move udevadm to rootbindir 2013-03-11 07:18:33 +01:00
initrd.target core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable 2013-11-26 02:26:31 +01:00
kexec.target units: rename halt/hibernate/kexec/poweroff/reboot/suspend to systed-xxx 2012-06-25 14:28:50 +02:00
kmod-static-nodes.service.in units: conditionalize static device node logic on CAP_SYS_MODULES instead of CAP_MKNOD 2014-07-04 03:24:41 +02:00
ldconfig.service readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
local-fs-pre.target units: disallow manual starting of passive units 2013-03-26 15:15:39 +01:00
local-fs.target units: local-fs.target - don't pull in default dependencies 2014-06-29 16:20:33 +02:00
machine.slice
Makefile build-sys: add small redirecting Makefiles to simplify compilation from within emacs 2010-05-17 01:44:03 +02:00
multi-user.target units: drop [Install] section from multi-user.target and graphical.target 2014-01-17 20:27:35 +01:00
network-online.target units: order network-online.target after network.target 2014-06-11 15:00:45 +02:00
network-pre.target units: introduce network-pre.target as place to hook in firewalls 2014-06-11 12:14:55 +02:00
network.target units: introduce network-pre.target as place to hook in firewalls 2014-06-11 12:14:55 +02:00
nss-lookup.target
nss-user-lookup.target units: disallow manual starting of passive units 2013-03-26 15:15:39 +01:00
org.freedesktop.hostname1.busname units: remove "AllowUser=root own", the bus owner can always own names 2014-03-08 19:38:06 +01:00
org.freedesktop.locale1.busname units: remove "AllowUser=root own", the bus owner can always own names 2014-03-08 19:38:06 +01:00
org.freedesktop.login1.busname units: remove "AllowUser=root own", the bus owner can always own names 2014-03-08 19:38:06 +01:00
org.freedesktop.machine1.busname units: remove "AllowUser=root own", the bus owner can always own names 2014-03-08 19:38:06 +01:00
org.freedesktop.resolve1.busname resolved: add busname unit file 2014-07-16 04:12:03 +02:00
org.freedesktop.systemd1.busname bus: provide org.freedesktop.systemd1.busname for systemd --user 2014-03-26 03:38:48 +01:00
org.freedesktop.timedate1.busname units: remove "AllowUser=root own", the bus owner can always own names 2014-03-08 19:38:06 +01:00
paths.target
poweroff.target units: restore job timeouts for poweroff and reboot 2014-11-06 08:17:45 -05:00
printer.target
proc-sys-fs-binfmt_misc.automount
proc-sys-fs-binfmt_misc.mount units: add reference to new wiki page to all api mount units 2013-01-15 18:14:13 +01:00
quotaon.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
rc-local.service.in rc-local: drop SysVStartPriority= field which is now obsolete 2014-12-02 13:23:04 +01:00
reboot.target units: restore job timeouts for poweroff and reboot 2014-11-06 08:17:45 -05:00
remote-fs-pre.target units: disallow manual starting of passive units 2013-03-26 15:15:39 +01:00
remote-fs.target filesystem targets: disable default dependencies 2013-09-11 14:40:58 +02:00
rescue.service.in units: update rescue.service and emergency.service 2014-08-31 00:04:44 -04:00
rescue.target rescue: don't pull in sockets 2012-05-22 16:12:25 +02:00
rpcbind.target
serial-getty@.service.m4 units/serial-getty@.service: use the default RestartSec 2014-07-15 23:51:10 -04:00
shutdown.target units: introduce new Documentation= field and make use of it everywhere 2012-05-21 15:14:51 +02:00
sigpwr.target units: introduce new Documentation= field and make use of it everywhere 2012-05-21 15:14:51 +02:00
sleep.target
slices.target
smartcard.target
sockets.target
sound.target
suspend.target
swap.target units: introduce new Documentation= field and make use of it everywhere 2012-05-21 15:14:51 +02:00
sys-fs-fuse-connections.mount units: add reference to new wiki page to all api mount units 2013-01-15 18:14:13 +01:00
sys-kernel-config.mount units: conditionalize configfs and debugfs with CAP_SYS_RAWIO 2014-07-04 03:24:42 +02:00
sys-kernel-debug.mount units: conditionalize configfs and debugfs with CAP_SYS_RAWIO 2014-07-04 03:24:42 +02:00
sysinit.target units: remove RefuseManualStart from units which are always around 2014-06-28 00:06:30 -04:00
syslog.socket service: ignore dependencies on $syslog and $local_fs in LSB scripts 2013-01-16 21:34:09 +01:00
system-update.target readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
system.slice core: general cgroup rework 2013-06-27 04:17:34 +02:00
systemd-ask-password-console.path
systemd-ask-password-console.service.in
systemd-ask-password-wall.path units: introduce new timers.target and paths.target to hook timer/path units into for boot 2013-03-25 21:28:30 +01:00
systemd-ask-password-wall.service.in
systemd-backlight@.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-binfmt.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-bootchart.service.in bootchart: add standalone bootchart service 2014-12-04 01:55:01 +01:00
systemd-bus-proxyd.socket Use /var/run/dbus/system_bus_socket for the D-Bus socket 2014-02-25 21:26:42 -05:00
systemd-bus-proxyd@.service.m4.in bus-proxy: cloning smack label 2014-12-09 18:23:24 +01:00
systemd-firstboot.service.in units: run firstboot before sysusers, so that firstboot can initialize the root password 2014-10-23 01:24:59 +02:00
systemd-fsck-root.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-fsck@.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-halt.service.in man: document systemd-halt.service and friends 2012-06-26 17:50:29 +02:00
systemd-hibernate-resume@.service.in systemd-hibernate-resume@.service: remove unnecessary ordering 2014-10-09 23:53:15 -04:00
systemd-hibernate.service.in man: document systemd-suspend.service 2012-06-26 17:33:11 +02:00
systemd-hostnamed.service.in core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only 2014-06-04 18:12:55 +02:00
systemd-hybrid-sleep.service.in logind: support for hybrid sleep (i.e. suspend+hibernate at the same time) 2012-10-28 00:50:35 +02:00
systemd-initctl.service.in man: document systemd-initctl 2012-06-26 00:15:59 +02:00
systemd-initctl.socket initctl: move /dev/initctl fifo into /run, replace it by symlink 2014-06-04 16:53:58 +02:00
systemd-journal-catalog-update.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-journal-flush.service.in units: order sd-journal-flush after sd-remount-fs 2014-11-02 21:52:56 -05:00
systemd-journal-gatewayd.service.in core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only 2014-06-04 18:12:55 +02:00
systemd-journal-gatewayd.socket
systemd-journal-remote.service.in journal-remote: add units and read certs from default locations 2014-07-15 22:23:49 -04:00
systemd-journal-remote.socket journal-remote: add units and read certs from default locations 2014-07-15 22:23:49 -04:00
systemd-journal-upload.service.in systemd-journal-upload: fix invalid After= 2014-08-28 18:06:02 -04:00
systemd-journald-audit.socket core: introduce ConditionSecurity=audit 2014-11-03 21:51:28 +01:00
systemd-journald-dev-log.socket journald: also increase the SendBuffer of /dev/log to 8M 2014-08-13 18:53:05 +02:00
systemd-journald.service.in units: make systemd-journald.service Type=notify 2014-11-04 20:32:42 +01:00
systemd-journald.socket journald: move /dev/log socket to /run 2014-06-04 16:53:58 +02:00
systemd-kexec.service.in
systemd-localed.service.in core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only 2014-06-04 18:12:55 +02:00
systemd-logind.service.in Revert "systemd-logind.service: set Type=notify" 2014-11-21 01:17:52 +01:00
systemd-machine-id-commit.service.in machine-id-commit: add unit file 2014-12-03 03:41:19 +01:00
systemd-machined.service.in machinectl: show /etc/os-release information of container in status output 2014-07-03 17:54:24 +02:00
systemd-modules-load.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-networkd-wait-online.service.in units: networkd - don't order wait-online.service before network.target 2014-06-30 13:06:33 +02:00
systemd-networkd.service.in units: networkd - order after udev 2014-09-08 15:07:51 +02:00
systemd-nspawn@.service.in nspawn: Add try-{host,guest} journal link modes 2014-11-21 14:27:26 +01:00
systemd-poweroff.service.in
systemd-quotacheck.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-random-seed.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-reboot.service.in man: document systemd-halt.service and friends 2012-06-26 17:50:29 +02:00
systemd-remount-fs.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-resolved.service.in core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only 2014-06-04 18:12:55 +02:00
systemd-rfkill@.service.in units: make sure rfkill service is bount to the actual hardware 2014-11-21 01:20:57 +01:00
systemd-shutdownd.service.in man: properly document .socket units in man page 2012-06-27 01:06:35 +02:00
systemd-shutdownd.socket man: properly document .socket units in man page 2012-06-27 01:06:35 +02:00
systemd-suspend.service.in man: document systemd-suspend.service 2012-06-26 17:33:11 +02:00
systemd-sysctl.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-sysusers.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-timedated.service.in core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only 2014-06-04 18:12:55 +02:00
systemd-timesyncd.service.in timesyncd: do not start in virtualized environments 2014-06-17 03:34:09 +02:00
systemd-tmpfiles-clean.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-tmpfiles-clean.timer man: link systemd-tmpfiles-setup-dev.service 2013-04-23 12:55:44 +02:00
systemd-tmpfiles-setup-dev.service.in units: tmpfiles-setup-dev - allow unsafe file creation to happen in /dev at boot 2014-10-27 17:40:24 +01:00
systemd-tmpfiles-setup.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-udev-hwdb-update.service.in udev hwdb: Support shipping pre-compiled database in system images 2014-10-28 14:28:18 +01:00
systemd-udev-settle.service.in
systemd-udev-trigger.service.in
systemd-udevd-control.socket udev: replace CAP_MKNOD by writable /sys condition 2013-08-17 19:07:42 +02:00
systemd-udevd-kernel.socket units: make ReceiveBuffer= line more readable by using M suffix 2014-11-03 21:51:28 +01:00
systemd-udevd.service.in units: rebuild /etc/passwd, the udev hwdb and the journal catalog files on boot 2014-06-13 13:26:32 +02:00
systemd-update-done.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-update-utmp-runlevel.service.in utmp: turn systemd-update-utmp-shutdown.service into a normal runtime service 2013-05-16 00:19:03 +02:00
systemd-update-utmp.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
systemd-user-sessions.service.in man: document systemd-user-sessions.service 2012-06-25 17:34:50 +02:00
systemd-vconsole-setup.service.in readahead: wipe out readahead 2014-09-25 16:39:18 +02:00
time-sync.target units: time-sync.target probably makes sense, is not just sysv compat 2014-06-11 12:14:55 +02:00
timers.target unit: do not order timers.target before basic.target 2014-11-02 12:33:54 -05:00
tmp.mount units: skip mounting /tmp if it is a symlink 2014-06-30 22:49:10 +02:00
umount.target
user.slice logind: add infrastructure to keep track of machines, and move to slices 2013-06-20 03:49:59 +02:00
user@.service.m4.in bus-proxy: cloning smack label 2014-12-09 18:23:24 +01:00
x-.slice