authorLennart Poettering <lennart@poettering.net>2018-04-16 21:41:40 +0200
committerLennart Poettering <lennart@poettering.net>2018-05-24 17:01:57 +0200
commit61d0578b07b97cbffebfd350bac481274e310d39 (patch)
treedaa8b07cf96b942ba7be0eab3ce86c1fa9cf029e /units
parentmachined: move bus_reply_pair_array() into generic utilities (diff)
add new portable service framework
This adds a small service "systemd-portabled" and a matching client "portablectl", which implement the "portable service" concept. The daemon implements the actual operations, is PolicyKit-enabled and is activated on demand with exit-on-idle. Both the daemon and the client are optional build artifacts, enabled by default though.
Diffstat (limited to 'units')
-rw-r--r--units/meson.build2
-rw-r--r--units/systemd-portabled.service.in26
2 files changed, 28 insertions, 0 deletions
diff --git a/units/meson.build b/units/meson.build
index 799fc5d567..55cfc15825 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -177,6 +177,8 @@ in_units = [
['systemd-networkd-wait-online.service', 'ENABLE_NETWORKD',
join_paths(pkgsysconfdir, 'system/network-online.target.wants/')],
['systemd-nspawn@.service', ''],
+ ['systemd-portabled.service', 'ENABLE_PORTABLED',
+ 'dbus-org.freedesktop.portable1.service'],
['systemd-poweroff.service', ''],
['systemd-quotacheck.service', 'ENABLE_QUOTACHECK'],
['systemd-random-seed.service', 'ENABLE_RANDOMSEED',
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
new file mode 100644
index 0000000000..a868f61dba
--- /dev/null
+++ b/units/systemd-portabled.service.in
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Portable Service Manager
+Documentation=man:systemd-portabled.service(8)
+RequiresMountsFor=/var/lib/portables
+
+[Service]
+ExecStart=@rootlibexecdir@/systemd-portabled
+BusName=org.freedesktop.portable1
+WatchdogSec=3min
+CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
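Review bot: The `SystemCallFilter=` line is a deny-list (`~@clock @cpu-emulation ...`), so every syscall outside the nine named groups stays reachable by a daemon whose bounding set keeps CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_DAC_OVERRIDE and CAP_MKNOD. An allow-list would be tighter and fails closed when the kernel gains new syscalls; where the targeted systemd release provides the group, something like `SystemCallFilter=@system-service @mount` is the usual shape, assuming the daemon needs mount operations for image handling. The `CapabilityBoundingSet=` line would also benefit from a short `#` comment above it naming which operation needs each of the broad capabilities, so a later reviewer can tell which ones are safe to drop. Separately, `RestrictAddressFamilies=` still admits AF_INET and AF_INET6 while `IPAddressDeny=any` blocks all IP traffic; if no IP sockets are needed, narrowing it to `AF_UNIX AF_NETLINK` would make the two settings agree.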