field | value | date
---|---|---
author | Topi Miettinen <toiwoton@gmail.com> | 2022-09-25 20:47:53 +0300
committer | Lennart Poettering <lennart@poettering.net> | 2022-09-26 11:40:28 +0200
commit | 75723d31a678bdd6b9d0160834e54dc09e3dedd1 |
tree | 794bfad1d990e14a62a20a7658774189928ed4d7 |
parent | eb8817db6e69d30fd881ffd95ba173722ebe771d |
download | systemd-75723d31a678bdd6b9d0160834e54dc09e3dedd1.tar.gz |
units: udev: partially emulate ProtectClock=
Drop CAP_SYS_TIME and CAP_WAKE_ALARM capabilities and block clock-related
system calls. Update TODO.
mode | file | lines changed
---|---|---
-rw-r--r-- | TODO | 3
-rw-r--r-- | units/systemd-udevd.service.in | 2

2 files changed, 3 insertions, 2 deletions
@@ -1996,8 +1996,7 @@ Features: - kill scsi_id - add trigger --subsystem-match=usb/usb_device device - reimport udev db after MOVE events for devices without dev_t - - re-enable ProtectClock= or set CapabilityBoundingSet= to drop CAP_SYS_TIME - and CAP_WAKE_ALARM (and possibly other unnecessary capabilities?). + - re-enable ProtectClock= once only cgroupsv2 is supported. See f562abe2963bad241d34e0b308e48cf114672c84. * coredump: diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index 3579de4a68..e9dbe85ef4 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -16,6 +16,7 @@ Before=sysinit.target ConditionPathIsReadWrite=/sys [Service] +CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM Delegate=pids Type=notify # Note that udev will reset the value internally for its workers @@ -34,6 +35,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictRealtime=yes RestrictSUIDSGID=yes SystemCallFilter=@system-service @module @raw-io bpf +SystemCallFilter=~@clock SystemCallErrorNumber=EPERM SystemCallArchitectures=native LockPersonality=yes |
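Review bot: in the TODO hunk the new line "re-enable ProtectClock= once only cgroupsv2 is supported. See f562abe2963bad241d34e0b308e48cf114672c84." points at a commit hash without saying what that commit changed or why ProtectClock= has to wait for cgroupsv2-only support, so a reader of TODO has to dig the commit out to understand the blocker; a half-sentence on the dependency next to the hash would save that. The removed text also carried an open question, "(and possibly other unnecessary capabilities?)", which is dropped rather than answered; if auditing the rest of udevd's bounding set is still open, keep a TODO line for it instead of silently removing it.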
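Review bot: in the first units/systemd-udevd.service.in hunk the added `CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM` line has no comment tying it to the ProtectClock= emulation the commit message describes, even though the [Service] section already annotates non-obvious settings (`# Note that udev will reset the value internally for its workers`). Without that, someone later noticing ProtectClock= is absent may re-add it (and hit whatever f562abe2963bad241d34e0b308e48cf114672c84 worked around) or drop this line as unexplained. Suggest a comment such as `# Partial emulation of ProtectClock=, see TODO` above it, and either placing it next to the `SystemCallFilter=~@clock` line added further down or mentioning that line in the comment, since the two form one logical change.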
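Review bot: in the second units/systemd-udevd.service.in hunk `SystemCallFilter=~@clock` is appended after the allow-list `SystemCallFilter=@system-service @module @raw-io bpf`, so its effect is to remove @clock from that allow list; worth checking with `systemd-analyze syscall-filter @system-service` whether @system-service already excludes @clock, in which case the line changes nothing and should be kept only with a comment saying it documents intent (or dropped). Note also that with the existing `SystemCallErrorNumber=EPERM`, a worker hitting a @clock call gets EPERM back rather than being killed; if that is the intended failure mode for clock calls a short comment here would make it explicit.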