units: make use of !! ExecStart= prefix in systemd-networkd.service

Let's make use of !! to run networkd with ambient capabilities on systems supporting them.
2017-08-27 01:40:47 +09:00 · 2017-08-27 01:40:47 +09:00 · c61f302d3c
parent 2e681921c9
commit c61f302d3c
2 changed files with 17 additions and 10 deletions
--- a/src/network/networkd.c
+++ b/src/network/networkd.c
@ -70,13 +70,17 @@ int main(int argc, char *argv[]) {
        if (r < 0)
                log_warning_errno(r, "Could not create runtime directory 'lldp': %m");

-        r = drop_privileges(uid, gid,
-                            (1ULL << CAP_NET_ADMIN) |
-                            (1ULL << CAP_NET_BIND_SERVICE) |
-                            (1ULL << CAP_NET_BROADCAST) |
-                            (1ULL << CAP_NET_RAW));
-        if (r < 0)
-                goto out;
+        /* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
+         * privileges are already dropped. */
+        if (geteuid() == 0) {
+                r = drop_privileges(uid, gid,
+                                    (1ULL << CAP_NET_ADMIN) |
+                                    (1ULL << CAP_NET_BIND_SERVICE) |
+                                    (1ULL << CAP_NET_BROADCAST) |
+                                    (1ULL << CAP_NET_RAW));
+                if (r < 0)
+                        goto out;
+        }

        assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);

--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@ -20,9 +20,11 @@ Wants=network.target
 Type=notify
 Restart=on-failure
 RestartSec=0
-ExecStart=@rootlibexecdir@/systemd-networkd
+ExecStart=!!@rootlibexecdir@/systemd-networkd
 WatchdogSec=3min
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+User=systemd-network
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
@ -32,7 +34,8 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
-ReadWritePaths=/run/systemd
+RuntimeDirectory=systemd/netif
+RuntimeDirectoryPreserve=yes

 [Install]
 WantedBy=multi-user.target