Merge pull request #10117 from keszybz/undynamicify
Set DynamicUser=no for networkd, resolved, timesyncd
commit
dacd723620
|
@ -151,7 +151,7 @@ int manager_connect_bus(Manager *m) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to add network enumerator: %m");
|
return log_error_errno(r, "Failed to add network enumerator: %m");
|
||||||
|
|
||||||
r = bus_request_name_async_may_reload_dbus(m->bus, NULL, "org.freedesktop.network1", 0, NULL);
|
r = sd_bus_request_name_async(m->bus, NULL, "org.freedesktop.network1", 0, NULL, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to request name: %m");
|
return log_error_errno(r, "Failed to request name: %m");
|
||||||
|
|
||||||
|
|
|
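Review bot: The `if (r < 0)` check that follows the new `sd_bus_request_name_async(m->bus, NULL, "org.freedesktop.network1", 0, NULL, NULL)` call only reports a failure to queue the request. With a NULL callback the reply is left to sd-bus's default request-name handler, so a denied or already-owned name shows up later and never through this return value. The removed helper's comment refers to that default handler, and the removed custom handler closed the connection on such replies; the default presumably does the same, which is worth confirming. A short comment would make this visible to the next reader, e.g. `/* r only reports failure to send; the reply is handled by sd-bus' default handler. */`. The same applies to the `org.freedesktop.resolve1` and `org.freedesktop.timesync1` hunks, and manager_connect_bus starts and ends outside each of them.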
@ -1920,7 +1920,7 @@ int manager_connect_bus(Manager *m) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to register dnssd enumerator: %m");
|
return log_error_errno(r, "Failed to register dnssd enumerator: %m");
|
||||||
|
|
||||||
r = bus_request_name_async_may_reload_dbus(m->bus, NULL, "org.freedesktop.resolve1", 0, NULL);
|
r = sd_bus_request_name_async(m->bus, NULL, "org.freedesktop.resolve1", 0, NULL, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to request name: %m");
|
return log_error_errno(r, "Failed to request name: %m");
|
||||||
|
|
||||||
|
|
|
@ -1761,168 +1761,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
struct request_name_data {
|
|
||||||
unsigned n_ref;
|
|
||||||
|
|
||||||
const char *name;
|
|
||||||
uint64_t flags;
|
|
||||||
void *userdata;
|
|
||||||
};
|
|
||||||
|
|
||||||
static void request_name_destroy_callback(void *userdata) {
|
|
||||||
struct request_name_data *data = userdata;
|
|
||||||
|
|
||||||
assert(data);
|
|
||||||
assert(data->n_ref > 0);
|
|
||||||
|
|
||||||
log_debug("%s n_ref=%u", __func__, data->n_ref);
|
|
||||||
|
|
||||||
data->n_ref--;
|
|
||||||
if (data->n_ref == 0)
|
|
||||||
free(data);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int reload_dbus_handler(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
|
|
||||||
struct request_name_data *data = userdata;
|
|
||||||
const sd_bus_error *e;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
assert(data);
|
|
||||||
assert(data->name);
|
|
||||||
assert(data->n_ref > 0);
|
|
||||||
|
|
||||||
e = sd_bus_message_get_error(m);
|
|
||||||
if (e) {
|
|
||||||
log_error_errno(sd_bus_error_get_errno(e), "Failed to reload DBus configuration: %s", e->message);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Here, use the default request name handler to avoid an infinite loop of reloading and requesting. */
|
|
||||||
r = sd_bus_request_name_async(sd_bus_message_get_bus(m), NULL, data->name, data->flags, NULL, data->userdata);
|
|
||||||
if (r < 0)
|
|
||||||
log_error_errno(r, "Failed to request name: %m");
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int request_name_handler_may_reload_dbus(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
|
|
||||||
struct request_name_data *data = userdata;
|
|
||||||
uint32_t ret;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
assert(m);
|
|
||||||
assert(data);
|
|
||||||
|
|
||||||
if (sd_bus_message_is_method_error(m, NULL)) {
|
|
||||||
const sd_bus_error *e = sd_bus_message_get_error(m);
|
|
||||||
_cleanup_(sd_bus_slot_unrefp) sd_bus_slot *slot = NULL;
|
|
||||||
|
|
||||||
if (!sd_bus_error_has_name(e, SD_BUS_ERROR_ACCESS_DENIED)) {
|
|
||||||
log_debug_errno(sd_bus_error_get_errno(e),
|
|
||||||
"Unable to request name, failing connection: %s",
|
|
||||||
e->message);
|
|
||||||
|
|
||||||
bus_enter_closing(sd_bus_message_get_bus(m));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
log_debug_errno(sd_bus_error_get_errno(e),
|
|
||||||
"Unable to request name, will retry after reloading DBus configuration: %s",
|
|
||||||
e->message);
|
|
||||||
|
|
||||||
/* If a service enables DynamicUser= and dbus.service started before the dynamic user is realized,
|
|
||||||
* then the DBus policy about the service has not been enabled yet. So, let's try to reload DBus
|
|
||||||
* configuration, and after that request the name again. Note that it seems that no privileges are
|
|
||||||
* necessary to call the following method. */
|
|
||||||
|
|
||||||
r = sd_bus_call_method_async(
|
|
||||||
sd_bus_message_get_bus(m),
|
|
||||||
&slot,
|
|
||||||
"org.freedesktop.DBus",
|
|
||||||
"/org/freedesktop/DBus",
|
|
||||||
"org.freedesktop.DBus",
|
|
||||||
"ReloadConfig",
|
|
||||||
reload_dbus_handler,
|
|
||||||
data, NULL);
|
|
||||||
if (r < 0) {
|
|
||||||
log_error_errno(r, "Failed to reload DBus configuration: %m");
|
|
||||||
bus_enter_closing(sd_bus_message_get_bus(m));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
data->n_ref ++;
|
|
||||||
assert_se(sd_bus_slot_set_destroy_callback(slot, request_name_destroy_callback) >= 0);
|
|
||||||
|
|
||||||
r = sd_bus_slot_set_floating(slot, true);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
r = sd_bus_message_read(m, "u", &ret);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
switch (ret) {
|
|
||||||
|
|
||||||
case BUS_NAME_ALREADY_OWNER:
|
|
||||||
log_debug("Already owner of requested service name, ignoring.");
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
case BUS_NAME_IN_QUEUE:
|
|
||||||
log_debug("In queue for requested service name.");
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
case BUS_NAME_PRIMARY_OWNER:
|
|
||||||
log_debug("Successfully acquired requested service name.");
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
case BUS_NAME_EXISTS:
|
|
||||||
log_debug("Requested service name already owned, failing connection.");
|
|
||||||
bus_enter_closing(sd_bus_message_get_bus(m));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
log_debug("Unexpected response from RequestName(), failing connection.");
|
|
||||||
bus_enter_closing(sd_bus_message_get_bus(m));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
int bus_request_name_async_may_reload_dbus(sd_bus *bus, sd_bus_slot **ret_slot, const char *name, uint64_t flags, void *userdata) {
|
|
||||||
_cleanup_free_ struct request_name_data *data = NULL;
|
|
||||||
_cleanup_(sd_bus_slot_unrefp) sd_bus_slot *slot = NULL;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
data = new(struct request_name_data, 1);
|
|
||||||
if (!data)
|
|
||||||
return -ENOMEM;
|
|
||||||
|
|
||||||
*data = (struct request_name_data) {
|
|
||||||
.n_ref = 1,
|
|
||||||
.name = name,
|
|
||||||
.flags = flags,
|
|
||||||
.userdata = userdata,
|
|
||||||
};
|
|
||||||
|
|
||||||
r = sd_bus_request_name_async(bus, &slot, name, flags, request_name_handler_may_reload_dbus, data);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
assert_se(sd_bus_slot_set_destroy_callback(slot, request_name_destroy_callback) >= 0);
|
|
||||||
TAKE_PTR(data);
|
|
||||||
|
|
||||||
if (ret_slot)
|
|
||||||
*ret_slot = TAKE_PTR(slot);
|
|
||||||
else {
|
|
||||||
r = sd_bus_slot_set_floating(slot, true);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int bus_reply_pair_array(sd_bus_message *m, char **l) {
|
int bus_reply_pair_array(sd_bus_message *m, char **l) {
|
||||||
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
|
||||||
char **k, **v;
|
char **k, **v;
|
||||||
|
|
|
@ -177,6 +177,4 @@ static inline int bus_open_system_watch_bind(sd_bus **ret) {
|
||||||
return bus_open_system_watch_bind_with_description(ret, NULL);
|
return bus_open_system_watch_bind_with_description(ret, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
int bus_request_name_async_may_reload_dbus(sd_bus *bus, sd_bus_slot **ret_slot, const char *name, uint64_t flags, void *userdata);
|
|
||||||
|
|
||||||
int bus_reply_pair_array(sd_bus_message *m, char **l);
|
int bus_reply_pair_array(sd_bus_message *m, char **l);
|
||||||
|
|
|
@ -4,38 +4,6 @@
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "tests.h"
|
#include "tests.h"
|
||||||
|
|
||||||
static void test_name_async(unsigned n_messages) {
|
|
||||||
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
|
|
||||||
int r;
|
|
||||||
unsigned i;
|
|
||||||
|
|
||||||
log_info("/* %s (%u) */", __func__, n_messages);
|
|
||||||
|
|
||||||
r = bus_open_system_watch_bind_with_description(&bus, "test-bus");
|
|
||||||
if (r < 0) {
|
|
||||||
log_error_errno(r, "Failed to connect to bus: %m");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
r = bus_request_name_async_may_reload_dbus(bus, NULL, "org.freedesktop.systemd.test-bus-util", 0, NULL);
|
|
||||||
if (r < 0) {
|
|
||||||
log_error_errno(r, "Failed to request name: %m");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < n_messages; i++) {
|
|
||||||
r = sd_bus_process(bus, NULL);
|
|
||||||
log_debug("stage %u: sd_bus_process returned %d", i, r);
|
|
||||||
if (r < 0) {
|
|
||||||
log_notice_errno(r, "Processing failed: %m");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (r > 0 && i + 1 < n_messages)
|
|
||||||
(void) sd_bus_wait(bus, USEC_PER_SEC / 3);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static int callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
|
static int callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
@ -81,8 +49,6 @@ static void test_destroy_callback(void) {
|
||||||
int main(int argc, char **argv) {
|
int main(int argc, char **argv) {
|
||||||
test_setup_logging(LOG_DEBUG);
|
test_setup_logging(LOG_DEBUG);
|
||||||
|
|
||||||
test_name_async(0);
|
|
||||||
test_name_async(20);
|
|
||||||
test_destroy_callback();
|
test_destroy_callback();
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -185,7 +185,7 @@ int manager_connect_bus(Manager *m) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to add manager object vtable: %m");
|
return log_error_errno(r, "Failed to add manager object vtable: %m");
|
||||||
|
|
||||||
r = bus_request_name_async_may_reload_dbus(m->bus, NULL, "org.freedesktop.timesync1", 0, NULL);
|
r = sd_bus_request_name_async(m->bus, NULL, "org.freedesktop.timesync1", 0, NULL, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to request name: %m");
|
return log_error_errno(r, "Failed to request name: %m");
|
||||||
|
|
||||||
|
|
|
@ -67,6 +67,7 @@ def setUpModule():
|
||||||
tmpmounts.append(d)
|
tmpmounts.append(d)
|
||||||
if os.path.isdir('/run/systemd/resolve'):
|
if os.path.isdir('/run/systemd/resolve'):
|
||||||
os.chmod('/run/systemd/resolve', 0o755)
|
os.chmod('/run/systemd/resolve', 0o755)
|
||||||
|
shutil.chown('/run/systemd/resolve', 'systemd-resolve', 'systemd-resolve')
|
||||||
|
|
||||||
# Avoid "Failed to open /dev/tty" errors in containers.
|
# Avoid "Failed to open /dev/tty" errors in containers.
|
||||||
os.environ['SYSTEMD_LOG_TARGET'] = 'journal'
|
os.environ['SYSTEMD_LOG_TARGET'] = 'journal'
|
||||||
|
|
|
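Review bot: The added `shutil.chown('/run/systemd/resolve', 'systemd-resolve', 'systemd-resolve')` raises `LookupError` when the user or group is missing from the user database, which would abort `setUpModule` and with it every test in the module rather than only the resolved ones. Now that the account is static, the test host depends on it having been provisioned beforehand. I would either catch `LookupError` around the call and skip with a clear message, or add a comment such as `# requires the static systemd-resolve user (created by sysusers)`. Whether `shutil` is imported is not visible here, and setUpModule continues outside the hunk.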
@ -13,7 +13,7 @@ Documentation=man:systemd-networkd.service(8)
|
||||||
ConditionCapability=CAP_NET_ADMIN
|
ConditionCapability=CAP_NET_ADMIN
|
||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
# systemd-udevd.service can be dropped once tuntap is moved to netlink
|
# systemd-udevd.service can be dropped once tuntap is moved to netlink
|
||||||
After=systemd-udevd.service network-pre.target systemd-sysctl.service
|
After=systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
|
||||||
Before=network.target multi-user.target shutdown.target
|
Before=network.target multi-user.target shutdown.target
|
||||||
Conflicts=shutdown.target
|
Conflicts=shutdown.target
|
||||||
Wants=network.target
|
Wants=network.target
|
||||||
|
@ -25,9 +25,9 @@ RestartSec=0
|
||||||
ExecStart=!!@rootlibexecdir@/systemd-networkd
|
ExecStart=!!@rootlibexecdir@/systemd-networkd
|
||||||
WatchdogSec=3min
|
WatchdogSec=3min
|
||||||
User=systemd-network
|
User=systemd-network
|
||||||
DynamicUser=yes
|
|
||||||
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
|
||||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
|
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
|
||||||
|
ProtectSystem=strict
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
|
|
|
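Review bot: Dropping `DynamicUser=yes` also drops the sandboxing it implied, and in the visible lines this unit gets back only `ProtectSystem=strict`. DynamicUser= additionally implies `PrivateTmp=yes` and `RemoveIPC=yes`. The resolved and timesyncd units later in this commit restore `PrivateTmp=yes` explicitly, but networkd does not, and none of the three restores `RemoveIPC=yes`. Unless these are set outside the hunks or are known to break the daemon, I would add `PrivateTmp=yes` here and `RemoveIPC=yes` to all three units so the move to a static user does not loosen confinement. A comment next to `User=` noting that the account must already exist would also explain the new `After=systemd-sysusers.service` ordering.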
@ -14,7 +14,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/resolved
|
||||||
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
|
||||||
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
|
||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
After=systemd-networkd.service
|
After=systemd-sysusers.service systemd-networkd.service
|
||||||
Before=network.target nss-lookup.target shutdown.target
|
Before=network.target nss-lookup.target shutdown.target
|
||||||
Conflicts=shutdown.target
|
Conflicts=shutdown.target
|
||||||
Wants=nss-lookup.target
|
Wants=nss-lookup.target
|
||||||
|
@ -26,10 +26,11 @@ RestartSec=0
|
||||||
ExecStart=!!@rootlibexecdir@/systemd-resolved
|
ExecStart=!!@rootlibexecdir@/systemd-resolved
|
||||||
WatchdogSec=3min
|
WatchdogSec=3min
|
||||||
User=systemd-resolve
|
User=systemd-resolve
|
||||||
DynamicUser=yes
|
|
||||||
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
||||||
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
||||||
|
PrivateTmp=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
|
ProtectSystem=strict
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
|
|
|
@ -13,7 +13,7 @@ Documentation=man:systemd-timesyncd.service(8)
|
||||||
ConditionCapability=CAP_SYS_TIME
|
ConditionCapability=CAP_SYS_TIME
|
||||||
ConditionVirtualization=!container
|
ConditionVirtualization=!container
|
||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
After=systemd-remount-fs.service
|
After=systemd-remount-fs.service systemd-sysusers.service
|
||||||
Before=time-sync.target sysinit.target shutdown.target
|
Before=time-sync.target sysinit.target shutdown.target
|
||||||
Conflicts=shutdown.target
|
Conflicts=shutdown.target
|
||||||
Wants=time-sync.target
|
Wants=time-sync.target
|
||||||
|
@ -25,10 +25,11 @@ RestartSec=0
|
||||||
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
|
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
|
||||||
WatchdogSec=3min
|
WatchdogSec=3min
|
||||||
User=systemd-timesync
|
User=systemd-timesync
|
||||||
DynamicUser=yes
|
|
||||||
CapabilityBoundingSet=CAP_SYS_TIME
|
CapabilityBoundingSet=CAP_SYS_TIME
|
||||||
AmbientCapabilities=CAP_SYS_TIME
|
AmbientCapabilities=CAP_SYS_TIME
|
||||||
|
PrivateTmp=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
|
ProtectSystem=strict
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
|
|