path: root/units/systemd-logind.service.in
Commit message | Author | Date | Files | Lines
* logind: implement Type=notify-reload protocol properly | Lennart Poettering | 2023-01-10 | 1 | -0/+1
  So close already. Let's add the two missing notifications too. Fixes: #18484
* logind: add a comment with a reminder why we don't use ProtectProc= | Luca Boccassi | 2021-12-17 | 1 | -0/+1
  Follow-up for https://github.com/systemd/systemd/pull/21785
* logind: allow to read /proc | Ludwig Nussel | 2021-12-17 | 1 | -1/+0
  User name and tty are used for wall messages. For that to work logind must be able to poke around in proc entries of other processes.
* meson: use jinja2 for unit templates | Zbigniew Jędrzejewski-Szmek | 2021-05-19 | 1 | -3/+3
  We don't need two (and a half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ', see the next commit.
* license: LGPL-2.1+ -> LGPL-2.1-or-later | Yu Watanabe | 2020-11-09 | 1 | -1/+1
* tree-wide: update web link to logind description | Zbigniew Jędrzejewski-Szmek | 2020-10-19 | 1 | -1/+1
  https://www.freedesktop.org/wiki/Software/systemd/multiseat/ says that it is obsoleted by sd-login(3), so it doesn't make much sense to link to the former.
* man,units: link to the new dbus-api man pages | Zbigniew Jędrzejewski-Szmek | 2020-09-30 | 1 | -2/+4
* units: turn on ProtectProc= wherever suitable | Lennart Poettering | 2020-08-24 | 1 | -2/+2
* units: change description of systemd-logind.service | Zbigniew Jędrzejewski-Szmek | 2020-05-05 | 1 | -1/+1
  "Login Service" doesn't explain much, esp. considering that logind actually is for logins. I think "User Login Management" is better, but not that great either. Suggestions welcome.
* units: add ProtectClock=yes | Topi Miettinen | 2020-04-07 | 1 | -0/+1
  Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.
* units: Split modprobing out into a separate service unit | Iain Lane | 2020-01-07 | 1 | -3/+2
  Devices referred to by `DeviceAllow=` sandboxing are resolved into their corresponding major numbers when the unit is loaded by looking at `/proc/devices`. If a reference is made to a device which is not yet available, the `DeviceAllow` is ignored and the unit's processes cannot access that device.

  In both logind and nspawn, we have `DeviceAllow=` lines, and `modprobe` in `ExecStartPre=` to load some kernel modules. Those kernel modules cause device nodes to become available when they are loaded: the device nodes may not exist when the unit itself is loaded. This means that the unit's processes will not be able to access the device since the `DeviceAllow=` will have been resolved earlier and denied it.

  One way to fix this would be to re-evaluate the available devices and re-apply the policy to the cgroup, but this cannot work atomically on cgroupsv1. So we fall back to a second approach: instead of running `modprobe` via `ExecStartPre`, we move this out to a separate unit and order it before the units which want the module.

  Closes #14322. Fixes: #13943.
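The load-time resolution described in this commit, as an added example (a shell check written here, not systemd's own code): it parses the `DeviceAllow=` lines of a unit and a `/proc/devices` snapshot, both constructed samples, and reports the `char-<name>`/`block-<name>` classes that would be silently dropped because their module is not loaded yet. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not systemd's own code: given a unit file and a snapshot of
# /proc/devices, list the DeviceAllow= class names ("char-<name>"/"block-<name>")
# that would not resolve to a major number at unit load time. Both inputs are
# constructed samples.
UNIT_SAMPLE='[Service]
ExecStart=/usr/lib/systemd/systemd-logind
DeviceAllow=char-drm rw
DeviceAllow=char-input rw
DeviceAllow=block-sd r
DeviceAllow=/dev/null rw'

# Constructed /proc/devices snapshot: "drm" is absent, as it is before the
# module providing it has been loaded.
PROC_DEVICES_SAMPLE='Character devices:
  1 mem
  4 tty
 13 input

Block devices:
  8 sd
259 blkext'

# unresolved_device_classes <unit text> <proc/devices text>
# Prints one unresolved class per line; exit status 1 if any, else 0.
unresolved_device_classes() {
    printf '%s\n' "$1" | awk -v devs="$2" '
        BEGIN {
            n = split(devs, lines, "\n"); section = ""
            for (i = 1; i <= n; i++) {
                if (lines[i] ~ /^Character devices:/) { section = "char"; continue }
                if (lines[i] ~ /^Block devices:/) { section = "block"; continue }
                # "<major> <name>" rows become known["char-<name>"] / known["block-<name>"]
                if (section != "" && split(lines[i], f, " ") >= 2) known[section "-" f[2]] = 1
            }
        }
        /^DeviceAllow=/ {
            sub(/^DeviceAllow=/, ""); split($0, f, " "); spec = f[1]
            # Path specs (/dev/...) are resolved by stat(), not via /proc/devices.
            if (spec ~ /^(char|block)-/ && !(spec in known)) { print spec; missing++ }
        }
        END { exit (missing > 0) }'
}
if unresolved_device_classes "$UNIT_SAMPLE" "$PROC_DEVICES_SAMPLE"; then
    echo "all DeviceAllow= classes resolve at load time"
else
    echo "the classes above would be dropped when the unit is loaded"
fi
```

Run against a real unit with `systemctl cat <unit>` output and the live `/proc/devices` to see which rules a modprobe in `ExecStartPre=` would have left dead.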
* units: set ProtectKernelLogs=yes on relevant units | Kevin Kuehler | 2019-11-15 | 1 | -0/+1
  We set ProtectKernelLogs=yes on all long running services except for udevd, since it accesses /dev/kmsg, and journald, since it calls syslog and accesses /dev/kmsg.
* meson: allow WatchdogSec= in services to be configured | Zbigniew Jędrzejewski-Szmek | 2019-10-25 | 1 | -1/+1
  As discussed on systemd-devel [1], in Fedora we get lots of abrt reports about the watchdog firing [2], but 100% of them seem to be caused by resource starvation in the machine, and never actual deadlocks in the services being monitored. Killing the services not only does not improve anything, but it makes the resource starvation worse, because the service needs cycles to restart, and coredump processing is also fairly expensive.

  This adds a configuration option to allow the value to be changed. If the setting is not set, there is no change. My plan is to set it to some ridiculously high value, maybe 1h, to catch cases where a service is actually hanging.

  [1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
* unit: make sure logind can access ESP | Yu Watanabe | 2019-08-03 | 1 | -0/+1
  Fixes the following error:
  ```
  logind[601]: Failed to open file system "/dev/block/259:1": Operation not permitted
  ```
* units: make sure logind can properly reference drm char class | Lennart Poettering | 2019-07-23 | 1 | -0/+2
  Similar to the previous fix.
* units: deny access to block devices | Topi Miettinen | 2019-06-20 | 1 | -0/+5
  While the need for access to character devices can be tricky to determine for the general case, it's obvious that most of our services have no need to access block devices. For logind and timedated this can be tightened further.
* logind: make sure the service gets access to the linger directory | Lennart Poettering | 2019-05-24 | 1 | -0/+1
  Fixes: #12401
* units: turn on RestrictSUIDSGID= in most of our long-running daemons | Lennart Poettering | 2019-04-02 | 1 | -0/+1
* Revert "Revert "units: lock down logind with fs namespacing options"" | Zbigniew Jędrzejewski-Szmek | 2019-03-19 | 1 | -1/+9
  This reverts commit 28f38a76345b7548700d2337dd8b9a8c3f5b0643. The revert was done because Ubuntu CI was completely broken with it. Let's see if it fares better now.
* logind: add support for booting into the boot menu or a specific boot menu entry | Lennart Poettering | 2019-03-05 | 1 | -1/+1
  This behaves similarly to the "boot into firmware" logic, and also allows either direct EFI operation (which sd-boot supports and others might support eventually too) or override through env var.
* units: enable ProtectHostname=yes | Topi Miettinen | 2019-02-20 | 1 | -0/+1
* Revert "units: lock down logind with fs namespacing options" | Zbigniew Jędrzejewski-Szmek | 2018-11-15 | 1 | -9/+1
* units: lock down systemd-logind.service with various fs namespacing options | Lennart Poettering | 2018-11-12 | 1 | -0/+8
  Now that logind doesn't mount $XDG_RUNTIME_DIR anymore we can lock down the service using fs namespacing (as we don't need the mount to propagate to the host namespace anymore).
* logind: drop CAP_KILL from caps bounding set | Lennart Poettering | 2018-11-12 | 1 | -1/+1
  logind doesn't kill any processes anymore, hence let's drop the capability.
* units: set NoNewPrivileges= for all long-running services | Lennart Poettering | 2018-11-12 | 1 | -11/+12
  Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services.

  On SELinux systems this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels are permitted.

  And while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on.

  Fixes: #1219
* meson: define @HIGH_RLIMIT_NOFILE@ and use it everywhere | Zbigniew Jędrzejewski-Szmek | 2018-10-17 | 1 | -1/+1
* units: bump the RLIMIT_NOFILE soft limit for all services that access the journal | Lennart Poettering | 2018-10-16 | 1 | -3/+3
  This updates the unit files of all our services that deal with journal stuff to use a higher RLIMIT_NOFILE soft limit by default. The new value is the same as used for the new HIGH_RLIMIT_NOFILE we just added.

  With this we ensure all code that accesses the journal has higher RLIMIT_NOFILE. The code that runs as a daemon via the unit files, the code that is run from the user's command line via C code internal to the relevant tools. In some cases this means we'll redundantly bump the limits as there are tools run both from the command line and as a service.
* units: switch from system call blacklist to whitelist | Lennart Poettering | 2018-06-14 | 1 | -1/+2
  This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this means the new @system-service system call filter group will get serious real-life testing quickly.

  This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise.

  Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this should be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
* unit: tighten sandboxing for logind | Yu Watanabe | 2018-04-27 | 1 | -2/+2
* Add SPDX license headers to unit files | Zbigniew Jędrzejewski-Szmek | 2017-11-19 | 1 | -0/+2
* units: prohibit all IP traffic on all our long-running services (#6921) | Lennart Poettering | 2017-10-04 | 1 | -0/+1
  Let's lock things down further.
* units: set LockPersonality= for all our long-running services (#6819) | Lennart Poettering | 2017-09-14 | 1 | -0/+1
  Let's lock things down. Also, using it is the only way to properly test this to the fullest extent.
* Drop kdbus bits | Zbigniew Jędrzejewski-Szmek | 2017-07-23 | 1 | -2/+1
  Some kdbus_flag and memfd related parts are left behind, because they are entangled with the "legacy" dbus support. test-bus-benchmark is switched to "manual". It was already broken before (in the non-kdbus mode) but apparently nobody noticed. Hopefully it can be fixed later.
* units: use https for the freedesktop url (#6227) | AsciiWolf | 2017-06-28 | 1 | -2/+2
* logind: save/restore session devices and their respective file descriptors | Franck Bui | 2017-06-08 | 1 | -0/+1
  This patch ensures that session devices are saved for each session. In order to make the revocation logic work when logind is restarted, the session devices are now saved in the session state files and their respective file descriptors sent to PID1's fdstore in order to keep them open across restart.

  This is mandatory in order to keep the revocation logic working. Indeed in case of input-devices, the same file descriptors must be shared by logind and a given session controller in order for EVIOCREVOKE to work, otherwise multiple sessions can have device access in parallel.

  This should be the only remaining and missing piece for making logind fully restartable.

  Fixes: #1163
* units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings | Lennart Poettering | 2017-02-09 | 1 | -1/+1
  Tighten security up a bit more.
* units: restrict namespace for a good number of our own services | Lennart Poettering | 2017-02-09 | 1 | -0/+1
  Basically, we turn it on for most long-running services, with the exception of machined (whose child processes need to join containers here and there), and importd (which sandboxes tar in a CLONE_NEWNET namespace). machined is left unrestricted, and importd is restricted to use only "net".
* units: set SystemCallArchitectures=native on all our long-running services | Lennart Poettering | 2017-02-09 | 1 | -0/+1
* units: further lock down our long-running services | Lennart Poettering | 2016-09-25 | 1 | -1/+3
  Let's make this an exercise in dogfooding: let's turn on more security features for all our long-running services. Specifically:

  - Turn on RestrictRealtime=yes for all of them
  - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them
  - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each

  Also, always order settings in the unit files, so that the various sandboxing features are close together. Add a couple of missing, older settings for a number of unit files.

  Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning off networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
* units: tighten system call filters a bit | Lennart Poettering | 2016-06-13 | 1 | -1/+1
  Take away kernel keyring access, CPU emulation system calls and various debug system calls from the various daemons we have.
* units: add a basic SystemCallFilter (#3471) | Topi Miettinen | 2016-06-09 | 1 | -0/+1
  Add a line SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace for daemons shipped by systemd. As an exception, systemd-timesyncd needs @clock system calls and systemd-localed is not privileged. ptrace(2) is blocked to prevent seccomp escapes.
* units: enable MemoryDenyWriteExecute (#3459) | Topi Miettinen | 2016-06-08 | 1 | -0/+1
  Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute. Closes: #3459
* units: increase watchdog timeout to 3min for all our services | Lennart Poettering | 2015-09-29 | 1 | -1/+1
  Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services. See #1353 for an example where this triggers.
* Revert "units: add SecureBits" | Lennart Poettering | 2015-02-11 | 1 | -1/+0
  This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47. Apparently this doesn't work. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
* units: add SecureBits | Topi Miettinen | 2015-02-11 | 1 | -0/+1
  No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
* Revert "systemd-logind.service: set Type=notify" | Lennart Poettering | 2014-11-21 | 1 | -1/+0
  This reverts commit a4962513c555fe3ac4b5bebf97a71701361a45b0. logind.service is a D-Bus service, hence we should use the dbus name as indication that we are up. Type=dbus is implied if BusName= is specified, as it is in this case. This removes a warning that is printed because a BusName= is specified for a Type=notify unit.
* systemd-logind.service: set Type=notify | Dave Reisner | 2014-11-19 | 1 | -0/+1
  The code already calls sd_notify("READY=1"), so we may as well take advantage of the startup behavior in the unit. The same was done for the journal in a87a38c20.
* logind: mount per-user tmpfs with 'smackfsroot=*' for smack enabled systems | Lukasz Skalski | 2014-10-09 | 1 | -1/+1
* remove ReadOnlySystem and ProtectedHome from udevd and logind | Kay Sievers | 2014-06-04 | 1 | -2/+0
  logind needs access to /run/user/, udevd fails during early boot with these settings
* core: add new ReadOnlySystem= and ProtectedHome= settings for service units | Lennart Poettering | 2014-06-03 | 1 | -0/+2
  ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service.

  ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service.

  This patch also enables these settings for all our long-running services.

  Together they should be a good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.