units: udev: partially emulate ProtectClock=

Drop CAP_SYS_TIME and CAP_WAKE_ALARM capabilities and block clock-related system calls. Update TODO.
2024-07-08 20:15:55 +00:00 · 2022-09-25 20:47:53 +03:00 · 2022-09-25 20:47:53 +03:00 · 75723d31a6
commit 75723d31a6
parent eb8817db6e
2 changed files with 3 additions and 2 deletions
--- a/3
+++ b/3
@ -1996,8 +1996,7 @@ Features:
  - kill scsi_id
  - add trigger --subsystem-match=usb/usb_device device
  - reimport udev db after MOVE events for devices without dev_t
-  - re-enable ProtectClock= or set CapabilityBoundingSet= to drop CAP_SYS_TIME
-    and CAP_WAKE_ALARM (and possibly other unnecessary capabilities?).
+  - re-enable ProtectClock= once only cgroupsv2 is supported.
    See f562abe2963bad241d34e0b308e48cf114672c84.

 * coredump:
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@ -16,6 +16,7 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys

 [Service]
+CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM
 Delegate=pids
 Type=notify
 # Note that udev will reset the value internally for its workers
@ -34,6 +35,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallFilter=@system-service @module @raw-io bpf
+SystemCallFilter=~@clock
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes