networkd: drop CAP_SYS_MODULE
Rely on modules being built-in or autoloaded on-demand. As networkd is a network facing service, we want to limit its capabilities as much as possible. Also, we may not have CAP_SYS_MODULE in a container, and we want networkd to work the same there. Module autoloading does not always work, but should be fixed by the kernel patch f98f89a0104454f35a: 'net: tunnels - enable module autoloading', which is currently in net-next and which people may consider backporting if they want tunneling support without compiling in the modules. Early adopters may also use a module-load.d snippet and order systemd-modules-load.service before networkd to force the module loading of tunneling modules. This should fix the various build issues people have reported.
parent
a613382bbf
commit
bddfc8afd3
13
Makefile.am
13
Makefile.am
|
@ -4253,15 +4253,13 @@ systemd_networkd_SOURCES = \
|
||||||
|
|
||||||
systemd_networkd_LDADD = \
|
systemd_networkd_LDADD = \
|
||||||
libsystemd-networkd-core.la \
|
libsystemd-networkd-core.la \
|
||||||
libsystemd-capability.la \
|
libsystemd-capability.la
|
||||||
$(KMOD_LIBS)
|
|
||||||
|
|
||||||
noinst_LTLIBRARIES += \
|
noinst_LTLIBRARIES += \
|
||||||
libsystemd-networkd-core.la
|
libsystemd-networkd-core.la
|
||||||
|
|
||||||
libsystemd_networkd_core_la_CFLAGS = \
|
libsystemd_networkd_core_la_CFLAGS = \
|
||||||
$(AM_CFLAGS) \
|
$(AM_CFLAGS)
|
||||||
$(KMOD_CFLAGS)
|
|
||||||
|
|
||||||
libsystemd_networkd_core_la_SOURCES = \
|
libsystemd_networkd_core_la_SOURCES = \
|
||||||
src/libsystemd-network/network-internal.h \
|
src/libsystemd-network/network-internal.h \
|
||||||
|
@ -4290,8 +4288,7 @@ rootlibexec_PROGRAMS += \
|
||||||
systemd-networkd-wait-online
|
systemd-networkd-wait-online
|
||||||
|
|
||||||
systemd_networkd_wait_online_CFLAGS = \
|
systemd_networkd_wait_online_CFLAGS = \
|
||||||
$(AM_CFLAGS) \
|
$(AM_CFLAGS)
|
||||||
$(KMOD_CFLAGS)
|
|
||||||
|
|
||||||
systemd_networkd_wait_online_SOURCES = \
|
systemd_networkd_wait_online_SOURCES = \
|
||||||
src/libsystemd-network/network-internal.h \
|
src/libsystemd-network/network-internal.h \
|
||||||
|
@ -4308,12 +4305,10 @@ test_network_SOURCES = \
|
||||||
src/network/test-network.c
|
src/network/test-network.c
|
||||||
|
|
||||||
test_network_CFLAGS = \
|
test_network_CFLAGS = \
|
||||||
$(AM_CFLAGS) \
|
$(AM_CFLAGS)
|
||||||
$(KMOD_CFLAGS)
|
|
||||||
|
|
||||||
test_network_LDADD = \
|
test_network_LDADD = \
|
||||||
libsystemd-networkd-core.la
|
libsystemd-networkd-core.la
|
||||||
$(KMOD_LIBS)
|
|
||||||
|
|
||||||
tests += \
|
tests += \
|
||||||
test-network
|
test-network
|
||||||
|
|
|
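Review bot: The systemd_networkd, systemd_networkd_wait_online and test_network targets no longer pull in `$(KMOD_CFLAGS)` or link `$(KMOD_LIBS)`, but the configure-time libkmod check that defines those variables is not part of this commit, so it is not visible whether libkmod is still demanded when networkd is enabled. If that check is tied to networkd, the build keeps an unnecessary hard dependency and the check should be relaxed in the same change; if it only serves systemd-modules-load it can stay as is.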
@ -327,41 +327,6 @@ int net_parse_inaddr(const char *address, unsigned char *family, void *dst) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int load_module(struct kmod_ctx *ctx, const char *mod_name) {
|
|
||||||
struct kmod_list *modlist = NULL, *l;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
assert(ctx);
|
|
||||||
assert(mod_name);
|
|
||||||
|
|
||||||
r = kmod_module_new_from_lookup(ctx, mod_name, &modlist);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
if (!modlist) {
|
|
||||||
log_error("Failed to find module '%s'", mod_name);
|
|
||||||
return -ENOENT;
|
|
||||||
}
|
|
||||||
|
|
||||||
kmod_list_foreach(l, modlist) {
|
|
||||||
struct kmod_module *mod = kmod_module_get_module(l);
|
|
||||||
|
|
||||||
r = kmod_module_probe_insert_module(mod, 0, NULL, NULL, NULL, NULL);
|
|
||||||
if (r == 0)
|
|
||||||
log_info("Inserted module '%s'", kmod_module_get_name(mod));
|
|
||||||
else {
|
|
||||||
log_error("Failed to insert '%s': %s", kmod_module_get_name(mod),
|
|
||||||
strerror(-r));
|
|
||||||
}
|
|
||||||
|
|
||||||
kmod_module_unref(mod);
|
|
||||||
}
|
|
||||||
|
|
||||||
kmod_module_unref_list(modlist);
|
|
||||||
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
|
|
||||||
void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size) {
|
void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size) {
|
||||||
unsigned i;
|
unsigned i;
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,6 @@
|
||||||
#include <netinet/ether.h>
|
#include <netinet/ether.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
#include <libkmod.h>
|
|
||||||
|
|
||||||
#include "udev.h"
|
#include "udev.h"
|
||||||
#include "condition-util.h"
|
#include "condition-util.h"
|
||||||
|
@ -67,8 +66,6 @@ int net_parse_inaddr(const char *address, unsigned char *family, void *dst);
|
||||||
|
|
||||||
int net_get_unique_predictable_data(struct udev_device *device, uint8_t result[8]);
|
int net_get_unique_predictable_data(struct udev_device *device, uint8_t result[8]);
|
||||||
|
|
||||||
int load_module(struct kmod_ctx *ctx, const char *mod_name);
|
|
||||||
|
|
||||||
void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size);
|
void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size);
|
||||||
int deserialize_in_addrs(struct in_addr **addresses, size_t *size, const char *string);
|
int deserialize_in_addrs(struct in_addr **addresses, size_t *size, const char *string);
|
||||||
int deserialize_in6_addrs(struct in6_addr **addresses, size_t *size, const char *string);
|
int deserialize_in6_addrs(struct in6_addr **addresses, size_t *size, const char *string);
|
||||||
|
|
|
@ -21,7 +21,6 @@
|
||||||
|
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
#include <linux/if.h>
|
#include <linux/if.h>
|
||||||
#include <libkmod.h>
|
|
||||||
|
|
||||||
#include "conf-parser.h"
|
#include "conf-parser.h"
|
||||||
#include "path-util.h"
|
#include "path-util.h"
|
||||||
|
@ -120,10 +119,6 @@ int manager_new(Manager **ret) {
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
}
|
}
|
||||||
|
|
||||||
m->kmod_ctx = kmod_new(NULL, NULL);
|
|
||||||
if (!m->kmod_ctx)
|
|
||||||
return -ENOMEM;
|
|
||||||
|
|
||||||
m->links = hashmap_new(uint64_hash_func, uint64_compare_func);
|
m->links = hashmap_new(uint64_hash_func, uint64_compare_func);
|
||||||
if (!m->links)
|
if (!m->links)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
@ -150,7 +145,6 @@ void manager_free(Manager *m) {
|
||||||
|
|
||||||
free(m->state_file);
|
free(m->state_file);
|
||||||
|
|
||||||
kmod_unref(m->kmod_ctx);
|
|
||||||
udev_monitor_unref(m->udev_monitor);
|
udev_monitor_unref(m->udev_monitor);
|
||||||
udev_unref(m->udev);
|
udev_unref(m->udev);
|
||||||
sd_bus_unref(m->bus);
|
sd_bus_unref(m->bus);
|
||||||
|
|
|
@ -24,7 +24,6 @@
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
#include <linux/ip.h>
|
#include <linux/ip.h>
|
||||||
#include <linux/if_tunnel.h>
|
#include <linux/if_tunnel.h>
|
||||||
#include <libkmod.h>
|
|
||||||
|
|
||||||
#include "sd-rtnl.h"
|
#include "sd-rtnl.h"
|
||||||
#include "networkd.h"
|
#include "networkd.h"
|
||||||
|
@ -443,27 +442,6 @@ int netdev_create_tunnel(Link *link, sd_rtnl_message_handler_t callback) {
|
||||||
assert(netdev->ifname);
|
assert(netdev->ifname);
|
||||||
assert(netdev->manager);
|
assert(netdev->manager);
|
||||||
assert(netdev->manager->rtnl);
|
assert(netdev->manager->rtnl);
|
||||||
assert(netdev->manager->kmod_ctx);
|
|
||||||
|
|
||||||
/* Load kernel module first */
|
|
||||||
switch(netdev->kind) {
|
|
||||||
case NETDEV_KIND_IPIP:
|
|
||||||
case NETDEV_KIND_GRE:
|
|
||||||
case NETDEV_KIND_SIT:
|
|
||||||
r = load_module(netdev->manager->kmod_ctx,
|
|
||||||
netdev_kind_to_string(netdev->kind));
|
|
||||||
if (r < 0) {
|
|
||||||
log_error_netdev(netdev,
|
|
||||||
"Could not load Kernel module: %s . Ignoring",
|
|
||||||
netdev_kind_to_string(netdev->kind));
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case NETDEV_KIND_VTI:
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
return -ENOTSUP;
|
|
||||||
}
|
|
||||||
|
|
||||||
r = sd_rtnl_message_new_link(netdev->manager->rtnl, &m, RTM_NEWLINK, 0);
|
r = sd_rtnl_message_new_link(netdev->manager->rtnl, &m, RTM_NEWLINK, 0);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
|
|
|
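Review bot: The deleted `switch` was also the only kind validation in this hunk (`default: return -ENOTSUP;`), so netdev_create_tunnel now builds an RTM_NEWLINK request for whatever `netdev->kind` it is handed; unless every caller filters kinds first, which is not visible here, keep a guard such as `if (netdev->kind != NETDEV_KIND_IPIP && netdev->kind != NETDEV_KIND_GRE && netdev->kind != NETDEV_KIND_SIT && netdev->kind != NETDEV_KIND_VTI) return -ENOTSUP;` ahead of the `sd_rtnl_message_new_link()` call. With the explicit module load gone, a kernel without the autoloading change named in the commit message will now fail later, at link creation, so the error path there should include `netdev_kind_to_string(netdev->kind)` in its log message to keep the missing-module case diagnosable. The body of netdev_create_tunnel starts and ends outside the hunk.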
@ -71,8 +71,7 @@ int main(int argc, char *argv[]) {
|
||||||
(1ULL << CAP_NET_ADMIN) |
|
(1ULL << CAP_NET_ADMIN) |
|
||||||
(1ULL << CAP_NET_BIND_SERVICE) |
|
(1ULL << CAP_NET_BIND_SERVICE) |
|
||||||
(1ULL << CAP_NET_BROADCAST) |
|
(1ULL << CAP_NET_BROADCAST) |
|
||||||
(1ULL << CAP_NET_RAW) |
|
(1ULL << CAP_NET_RAW));
|
||||||
(1ULL << CAP_SYS_MODULE));
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
|
|
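Review bot: The capability mask kept in main() after dropping `CAP_SYS_MODULE` must agree with the `CapabilityBoundingSet=` line of the systemd-networkd.service unit, which this commit edits by hand in the same way in the last section of this page, but nothing in either place points at the other; add `/* Keep in sync with CapabilityBoundingSet= in the systemd-networkd.service unit file */` above the mask and a matching `# Keep in sync with the capability mask retained in networkd's main()` comment in the unit. The unit's remaining CAP_SETUID/CAP_SETGID/CAP_SETPCAP/CAP_CHOWN/CAP_DAC_OVERRIDE/CAP_FOWNER presumably exist only for the start-up privilege drop, which is not visible here; if so, a short comment in the unit saying so would stop the next reader from treating them as runtime requirements. main() starts and ends outside the hunk.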
@ -275,7 +275,6 @@ struct Manager {
|
||||||
LIST_HEAD(Network, networks);
|
LIST_HEAD(Network, networks);
|
||||||
|
|
||||||
usec_t network_dirs_ts_usec;
|
usec_t network_dirs_ts_usec;
|
||||||
struct kmod_ctx *kmod_ctx;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
extern const char* const network_dirs[];
|
extern const char* const network_dirs[];
|
||||||
|
|
|
@ -19,7 +19,7 @@ Type=notify
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
ExecStart=@rootlibexecdir@/systemd-networkd
|
ExecStart=@rootlibexecdir@/systemd-networkd
|
||||||
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_MODULE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
|
||||||
WatchdogSec=1min
|
WatchdogSec=1min
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
|