625077264b
Devices referred to by `DeviceAllow=` sandboxing are resolved into their corresponding major numbers when the unit is loaded by looking at `/proc/devices`. If a reference is made to a device which is not yet available, the `DeviceAllow` is ignored and the unit's processes cannot access that device. In both logind and nspawn, we have `DeviceAllow=` lines, and `modprobe` in `ExecStartPre=` to load some kernel modules. Those kernel modules cause device nodes to become available when they are loaded: the device nodes may not exist when the unit itself is loaded. This means that the unit's processes will not be able to access the device since the `DeviceAllow=` will have been resolved earlier and denied it. One way to fix this would be to re-evaluate the available devices and re-apply the policy to the cgroup, but this cannot work atomically on cgroupsv1. So we fall back to a second approach: instead of running `modprobe` via `ExecStartPre`, we move this out to a separate unit and order it before the units which want the module. Closes #14322. Fixes: #13943.
63 lines
2 KiB
SYSTEMD
63 lines
2 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1+
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Login Service
|
|
Documentation=man:systemd-logind.service(8) man:logind.conf(5)
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/logind
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/multiseat
|
|
Wants=user.slice modprobe@drm.service
|
|
After=nss-user-lookup.target user.slice modprobe@drm.service
|
|
|
|
# Ask for the dbus socket.
|
|
Wants=dbus.socket
|
|
After=dbus.socket
|
|
|
|
[Service]
|
|
BusName=org.freedesktop.login1
|
|
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
|
|
DeviceAllow=block-* r
|
|
DeviceAllow=char-/dev/console rw
|
|
DeviceAllow=char-drm rw
|
|
DeviceAllow=char-input rw
|
|
DeviceAllow=char-tty rw
|
|
DeviceAllow=char-vcs rw
|
|
# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
|
|
ExecStart=@rootlibexecdir@/systemd-logind
|
|
FileDescriptorStoreMax=512
|
|
IPAddressDeny=any
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateTmp=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectSystem=strict
|
|
ReadWritePaths=/etc /run
|
|
Restart=always
|
|
RestartSec=0
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
|
|
RuntimeDirectoryPreserve=yes
|
|
StateDirectory=systemd/linger
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
@SERVICE_WATCHDOG@
|
|
|
|
# Increase the default a bit in order to allow many simultaneous logins since
|
|
# we keep one fd open per session.
|
|
LimitNOFILE=@HIGH_RLIMIT_NOFILE@
|