diff options
| author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-09-14 23:07:22 +0200 |
|---|---|---|
| committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-09-15 20:41:29 +0200 |
| commit | f562abe2963bad241d34e0b308e48cf114672c84 (patch) | |
| tree | 8aad6c2cb6c190a93b5e7019f4b4dcdd85b2c772 /units | |
| parent | fix typo in log (diff) | |
| download | systemd-f562abe2963bad241d34e0b308e48cf114672c84.tar.xz systemd-f562abe2963bad241d34e0b308e48cf114672c84.zip | |
unit: drop ProtectClock=yes from systemd-udevd.service
This partially reverts cabc1c6d7adae658a2966a4b02a6faabb803e92b.
The setting ProtectClock= implies DeviceAllow=, which is not suitable
for udevd. Although we are slowly removing cgropsv1 support, but
DeviceAllow= with cgroupsv1 is necessarily racy, and reloading PID1
during the early boot process may cause issues like #24668.
Let's disable ProtectClock= for udevd. And, if necessary, let's
explicitly drop CAP_SYS_TIME and CAP_WAKE_ALARM (and possibly others)
by using CapabilityBoundingSet= later.
Fixes #24668.
Diffstat (limited to 'units')
| -rw-r--r-- | units/systemd-udevd.service.in | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index 9901198274..3579de4a68 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -17,8 +17,6 @@ ConditionPathIsReadWrite=/sys [Service] Delegate=pids -DeviceAllow=block-* rwm -DeviceAllow=char-* rwm Type=notify # Note that udev will reset the value internally for its workers OOMScoreAdjust=-1000 @@ -30,7 +28,6 @@ ExecReload=udevadm control --reload --timeout 0 KillMode=mixed TasksMax=infinity PrivateMounts=yes -ProtectClock=yes ProtectHostname=yes MemoryDenyWriteExecute=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 |