6592b9759c
This adds a new bus call to service and scope units called AttachProcesses() that moves arbitrary processes into the cgroup of the unit. The primary user for this new API is systemd itself: the systemd --user instance uses this call of the systemd --system instance to migrate processes if it itself gets the request to migrate processes and the kernel refuses this due to access restrictions. The primary use-case of this is to make "systemd-run --scope --user …" invoked from user session scopes work correctly on pure cgroupsv2 environments. There, the kernel refuses to migrate processes between two unprivileged-owned cgroups unless the requestor as well as the ownership of the closest parent cgroup all match. This however is not the case between the session-XYZ.scope unit of a login session and the user@ABC.service of the systemd --user instance. The new logic always tries to move the processes on its own, but if that doesn't work when being the user manager, then the system manager is asked to do it instead. The new operation is relatively restrictive: it only allows moving the processes like this if the caller is root, or the UID of the target unit, caller and process all match. Note that this means that unprivileged users cannot attach processes to scope units, as those do not have "owning" users (i.e. they have no User= field). Fixes: #3388
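<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
        "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<!--
  SPDX-License-Identifier: LGPL-2.1+

  This file is part of systemd.

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.
-->

<!--
  Bus policy for the org.freedesktop.systemd1 name.

  Structure: the default context first denies every message sent to
  org.freedesktop.systemd1 and then allow-lists individual
  interface/member pairs; within a policy the later matching rule wins,
  so the allows below punch holes in the initial deny. Any member that
  is not listed stays denied for non-root callers.

  This file is only a coarse message filter. For the sections marked
  "Managed via polkit or other criteria" the bus merely lets the call
  through; the authorization decision is expected to be made by the
  receiving manager, not here. When adding a member to one of those
  sections, make sure the method handler performs its own access check.
-->

<busconfig>

        <!-- Applies only to connections whose UID is root. No other policy
             in this file grants ownership of the name. -->
        <policy user="root">
                <allow own="org.freedesktop.systemd1"/>

                <!-- Root clients can do everything -->
                <allow send_destination="org.freedesktop.systemd1"/>
                <allow receive_sender="org.freedesktop.systemd1"/>

                <!-- systemd may receive activator requests -->
                <allow receive_interface="org.freedesktop.systemd1.Activator"
                       receive_member="ActivationRequest"/>
        </policy>

        <policy context="default">
                <!-- Baseline: nothing may be sent to the manager unless a
                     rule further down allows that exact interface/member. -->
                <deny send_destination="org.freedesktop.systemd1"/>

                <!-- Completely open to anyone: org.freedesktop.DBus.* interfaces -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.DBus.Introspectable"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.DBus.Peer"/>

                <!-- Only the read accessors of Properties are listed; a
                     Properties member that is not listed here (such as Set)
                     remains covered by the deny above. -->
                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.DBus.Properties"
                       send_member="Get"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.DBus.Properties"
                       send_member="GetAll"/>

                <!-- Completely open to anyone: org.freedesktop.systemd1.Manager interface -->
                <!-- NOTE(review): every local bus client can call these
                     without further checks at the bus level, including
                     GetUnitProcesses and Dump. Confirm that what each one
                     returns is acceptable to expose to all users. -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetUnitByPID"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetUnitByInvocationID"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="LoadUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetUnitProcesses"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetJob"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetJobAfter"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetJobBefore"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ListUnits"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ListUnitsFiltered"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ListUnitsByPatterns"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ListUnitsByNames"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ListJobs"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="Subscribe"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="Unsubscribe"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="Dump"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ListUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ListUnitFilesByPatterns"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetUnitFileState"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetDefaultTarget"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="GetUnitFileLinks"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="LookupDynamicUserByName"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="LookupDynamicUserByUID"/>

                <!-- Completely open to anyone: org.freedesktop.systemd1.Service interface -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Service"
                       send_member="GetProcesses"/>

                <!-- Completely open to anyone: org.freedesktop.systemd1.Slice interface -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Slice"
                       send_member="GetProcesses"/>

                <!-- Completely open to anyone: org.freedesktop.systemd1.Scope interface -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Scope"
                       send_member="GetProcesses"/>

                <!-- Completely open to anyone: org.freedesktop.systemd1.Socket interface -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Socket"
                       send_member="GetProcesses"/>

                <!-- Completely open to anyone: org.freedesktop.systemd1.Mount interface -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Mount"
                       send_member="GetProcesses"/>

                <!-- Completely open to anyone: org.freedesktop.systemd1.Swap interface -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Swap"
                       send_member="GetProcesses"/>

                <!-- Managed via polkit or other criteria: org.freedesktop.systemd1.Manager interface -->
                <!-- The members below change manager or unit state. The bus
                     lets any caller send them; whether the request is honoured
                     is decided by the receiver (polkit or other criteria),
                     so a missing check in a handler is not caught here. -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="StartUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="StartUnitReplace"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="StopUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ReloadUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="RestartUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="TryRestartUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ReloadOrRestartUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ReloadOrTryRestartUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="KillUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ResetFailedUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="SetUnitProperties"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="RefUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="UnrefUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="StartTransientUnit"/>

                <!-- Moves caller-named processes into a unit's cgroup. Per the
                     change that introduced it, the manager only permits this
                     when the caller is root, or when the UID of the target
                     unit, the caller and the process all match. -->
                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="AttachProcessesToUnit"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="CancelJob"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ClearJobs"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ResetFailed"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="Reload"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="Reexecute"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="EnableUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="DisableUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="ReenableUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="LinkUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="PresetUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="PresetUnitFilesWithMode"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="MaskUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="UnmaskUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="RevertUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="SetDefaultTarget"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="PresetAllUnitFiles"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Manager"
                       send_member="AddDependencyUnitFiles"/>

                <!-- Managed via polkit or other criteria: org.freedesktop.systemd1.Job interface -->
                <!-- NOTE(review): the Manager counterparts GetJobAfter and
                     GetJobBefore are listed under "Completely open to anyone"
                     while GetAfter and GetBefore sit in this section. The bus
                     rule is the same either way; confirm which label is
                     intended. -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Job"
                       send_member="Cancel"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Job"
                       send_member="GetAfter"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Job"
                       send_member="GetBefore"/>

                <!-- Managed via polkit or other criteria: org.freedesktop.systemd1.Unit interface -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="Start"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="Stop"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="Reload"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="Restart"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="TryRestart"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="ReloadOrRestart"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="ReloadOrTryRestart"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="Kill"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="ResetFailed"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="SetProperties"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="Ref"/>

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Unit"
                       send_member="Unref"/>

                <!-- Managed via polkit or other criteria: org.freedesktop.systemd1.Service interface -->
                <!-- Same receiver-side restriction as AttachProcessesToUnit:
                     caller is root, or the UID of the target unit, the caller
                     and the process all match. -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Service"
                       send_member="AttachProcesses"/>

                <!-- Managed via polkit or other criteria: org.freedesktop.systemd1.Scope interface -->
                <!-- Scope units have no User= field and therefore no owning
                     user, so under the UID rule an unprivileged caller is not
                     expected to succeed here even though the bus delivers the
                     call. -->

                <allow send_destination="org.freedesktop.systemd1"
                       send_interface="org.freedesktop.systemd1.Scope"
                       send_member="AttachProcesses"/>

                <!-- Any client may receive messages that originate from the
                     manager. -->
                <allow receive_sender="org.freedesktop.systemd1"/>
        </policy>

</busconfig>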