unit: drop ProtectClock=yes from systemd-udevd.service

This partially reverts cabc1c6d7a. The setting ProtectClock= implies DeviceAllow=, which is not suitable for udevd. Although we are slowly removing cgropsv1 support, but DeviceAllow= with cgroupsv1 is necessarily racy, and reloading PID1 during the early boot process may cause issues like #24668. Let's disable ProtectClock= for udevd. And, if necessary, let's explicitly drop CAP_SYS_TIME and CAP_WAKE_ALARM (and possibly others) by using CapabilityBoundingSet= later. Fixes #24668.
2024-07-22 02:34:54 +00:00 · 2022-09-15 06:07:22 +09:00 · 2022-09-15 06:07:22 +09:00 · f562abe296
parent 365c2885f0
commit f562abe296
1 changed files with 0 additions and 3 deletions
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@ -17,8 +17,6 @@ ConditionPathIsReadWrite=/sys

 [Service]
 Delegate=pids
-DeviceAllow=block-* rwm
-DeviceAllow=char-* rwm
 Type=notify
 # Note that udev will reset the value internally for its workers
 OOMScoreAdjust=-1000
@ -30,7 +28,6 @@ ExecReload=udevadm control --reload --timeout 0
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
-ProtectClock=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6