scope: allow unprivileged delegation on scopes

Previously it was possible to set delegate property for scope, but you were not able to allow unprivileged process to manage the scope's cgroup hierarchy. This is useful when launching manager process that will run unprivileged but is supposed to manage its own (scope) sub-hierarchy. Fixes #21683
author: Michal Sekletar <msekleta@redhat.com> 2022-06-01 10:15:06 +0200
committer: Lennart Poettering <lennart@poettering.net> 2022-08-04 17:01:13 +0200
commit: 03860190fefce8bbea3a6f0e77919b882ade517c (patch)
tree: c7992d39d1969d25a54e0ffa0aaf636b28dca6ed /src/shared/bus-unit-util.c
parent: test: skip the relevant test case if systemd-measure is not present (diff)
download: systemd-03860190fefce8bbea3a6f0e77919b882ade517c.tar.xz
systemd-03860190fefce8bbea3a6f0e77919b882ade517c.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index a326ca30a9..1c96519b55 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -2134,6 +2134,11 @@ static int bus_append_scope_property(sd_bus_message *m, const char *field, const
         if (streq(field, "TimeoutStopSec"))
                 return bus_append_parse_sec_rename(m, field, eq);
 
+        /* Scope units don't have execution context but we still want to allow setting these two,
+         * so let's handle them separately. */
+        if (STR_IN_SET(field, "User", "Group"))
+                return bus_append_string(m, field, eq);
+
         return 0;
 }
author	Michal Sekletar <msekleta@redhat.com>	2022-06-01 10:15:06 +0200
committer	Lennart Poettering <lennart@poettering.net>	2022-08-04 17:01:13 +0200
commit	03860190fefce8bbea3a6f0e77919b882ade517c (patch)
tree	c7992d39d1969d25a54e0ffa0aaf636b28dca6ed /src/shared/bus-unit-util.c
parent	test: skip the relevant test case if systemd-measure is not present (diff)
download	systemd-03860190fefce8bbea3a6f0e77919b882ade517c.tar.xz systemd-03860190fefce8bbea3a6f0e77919b882ade517c.zip