units: udev: partially emulate ProtectClock=
Drop CAP_SYS_TIME and CAP_WAKE_ALARM capabilities and block clock-related system calls. Update TODO.
parent
eb8817db6e
commit
75723d31a6
3
TODO
3
TODO
|
@ -1996,8 +1996,7 @@ Features:
|
||||||
- kill scsi_id
|
- kill scsi_id
|
||||||
- add trigger --subsystem-match=usb/usb_device device
|
- add trigger --subsystem-match=usb/usb_device device
|
||||||
- reimport udev db after MOVE events for devices without dev_t
|
- reimport udev db after MOVE events for devices without dev_t
|
||||||
- re-enable ProtectClock= or set CapabilityBoundingSet= to drop CAP_SYS_TIME
|
- re-enable ProtectClock= once only cgroupsv2 is supported.
|
||||||
and CAP_WAKE_ALARM (and possibly other unnecessary capabilities?).
|
|
||||||
See f562abe2963bad241d34e0b308e48cf114672c84.
|
See f562abe2963bad241d34e0b308e48cf114672c84.
|
||||||
|
|
||||||
* coredump:
|
* coredump:
|
||||||
|
|
|
@ -16,6 +16,7 @@ Before=sysinit.target
|
||||||
ConditionPathIsReadWrite=/sys
|
ConditionPathIsReadWrite=/sys
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM
|
||||||
Delegate=pids
|
Delegate=pids
|
||||||
Type=notify
|
Type=notify
|
||||||
# Note that udev will reset the value internally for its workers
|
# Note that udev will reset the value internally for its workers
|
||||||
|
@ -34,6 +35,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictSUIDSGID=yes
|
RestrictSUIDSGID=yes
|
||||||
SystemCallFilter=@system-service @module @raw-io bpf
|
SystemCallFilter=@system-service @module @raw-io bpf
|
||||||
|
SystemCallFilter=~@clock
|
||||||
SystemCallErrorNumber=EPERM
|
SystemCallErrorNumber=EPERM
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
|
|
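Review bot: The two added lines, `CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM` under `[Service]` and `SystemCallFilter=~@clock` after the existing allow-list, have no comment in the unit file saying that they stand in for `ProtectClock=`, so a later cleanup could drop one of them without noticing the link to the TODO entry. As documented in systemd.exec(5), `ProtectClock=` also implies `DeviceAllow=char-rtc r`; that part is not reproduced here, which is presumably the "partially" in the subject, so access to the RTC device nodes is still not restricted by this unit. I would add a comment above the first line along the lines of `# Partial stand-in for ProtectClock=yes (no DeviceAllow=char-rtc r), see TODO and f562abe2963bad241d34e0b308e48cf114672c84.` and a matching one-line pointer above the `~@clock` filter. The `[Service]` section continues outside both hunks, so settings elsewhere in the unit that affect this are not visible here.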