summaryrefslogtreecommitdiffstats
path: root/units/systemd-udevd.service.in (follow)
Commit message (Collapse)AuthorAgeFilesLines
* units: introduce systemd-udev-load-credentials.serviceYu Watanabe2024-04-161-0/+1
|
* Revert "unit: make udev rules take precesence over tmpfiles"Yu Watanabe2023-08-091-1/+0
| | | | | | | This reverts commit 31845ef554877525dc4ff4f25ad11ad805ebf81c. systemd-tmpfiles-setup-dev.service has Before=systemd-udevd.service. So the commit does not change anything.
* unit: make udev rules take precesence over tmpfilesYu Watanabe2023-08-041-0/+1
| | | | | | | | | | Without this change, there are no ordering between udevd and tmpfiles, and if tmpfiles is invoked later it may discard the permission set by udevd. Fixes an issue introduced by b42482af904ae0b94a6e4501ec595448f0ba1c06. Fixes #28588 and #28653.
* Drop split-usr and unmerged-usr supportLuca Boccassi2023-07-281-1/+1
| | | | | | | | | | As previously announced, execute order 66: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html The meson options split-usr, rootlibdir and rootprefix become no-ops that print a warning if they are set to anything other than the default values. We can remove them in a future release.
* udev: port to DelegateSubgroup=Lennart Poettering2023-04-271-0/+1
|
* udevd: implement the full Type=notify-reload protocolLennart Poettering2023-01-101-2/+1
| | | | | | We are basically already there, just need to add MONOTONIC_USEC= to the RELOADING=1 message, and make sure the message is generated in really all cases.
* units: udev: partially emulate ProtectClock=Topi Miettinen2022-09-261-0/+2
| | | | | Drop CAP_SYS_TIME and CAP_WAKE_ALARM capabilities and block clock-related system calls. Update TODO.
* unit: drop ProtectClock=yes from systemd-udevd.serviceYu Watanabe2022-09-151-3/+0
| | | | | | | | | | | | | | | This partially reverts cabc1c6d7adae658a2966a4b02a6faabb803e92b. The setting ProtectClock= implies DeviceAllow=, which is not suitable for udevd. Although we are slowly removing cgropsv1 support, but DeviceAllow= with cgroupsv1 is necessarily racy, and reloading PID1 during the early boot process may cause issues like #24668. Let's disable ProtectClock= for udevd. And, if necessary, let's explicitly drop CAP_SYS_TIME and CAP_WAKE_ALARM (and possibly others) by using CapabilityBoundingSet= later. Fixes #24668.
* udev: run the main process, workers, and spawned commands in /udev subcgroupYu Watanabe2022-03-171-0/+1
| | | | | | | | And enable cgroup delegation for udevd. Then, processes invoked through ExecReload= are assigned .control subcgroup, and they are not killed by cg_kill(). Fixes #16867 and #22686.
* units/systemd-udevd: allow bpf() syscallMaciek Borzecki2021-12-071-1/+1
| | | | | | | | | | | | | | | | | Programs run by udev triggers may need to execute the bpf() syscall. Even more so, since on a cgroup v2 system, the only way to set up device access filtering is to install a BPF program on the cgroup in question and one way of passing data to such program is through BPF maps, which can only be access using the bpf() syscall. One such use case was identified in RHBZ#2025264 related to snap-device-helper, and led to RHBZ#2027627 being filed. Unfortunately there is no finer grained control over what gets passed in the syscall, so just enable bpf() and leave fine grained mediation to other security layers (eg. SELinux). Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2027627 Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
* meson: use jinja2 for unit templatesZbigniew Jędrzejewski-Szmek2021-05-191-2/+2
| | | | | | | | | We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit.
* unit: update comment about OOM scoreYu Watanabe2020-11-231-1/+1
| | | | Follow-up for 6b2229c6c60d0486f5eb9ed3088f9c780d7c0233.
* license: LGPL-2.1+ -> LGPL-2.1-or-laterYu Watanabe2020-11-091-1/+1
|
* units: uppercase the descriptionZbigniew Jędrzejewski-Szmek2020-06-021-1/+1
| | | | https://github.com/systemd/systemd/pull/15982#pullrequestreview-422536495
* udevd: update snippet stringZbigniew Jędrzejewski-Szmek2020-05-301-1/+1
| | | | | Repeating the unit name in the description is not useful, and "manages devices" is too cryptic.
* units: add ProtectClock=yesTopi Miettinen2020-04-071-0/+3
| | | | | | Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.
* units: drop full paths for utilities in $PATHZbigniew Jędrzejewski-Szmek2020-01-201-1/+1
| | | | | | | This makes things a bit simpler and the build a bit faster, because we don't have to rewrite files to do the trivial substitution. @rootbindir@ is always in our internal $PATH that we use for non-absolute paths, so there should be no functional change.
* meson: allow WatchdogSec= in services to be configuredZbigniew Jędrzejewski-Szmek2019-10-251-1/+1
| | | | | | | | | | | | | | | | As discussed on systemd-devel [1], in Fedora we get lots of abrt reports about the watchdog firing [2], but 100% of them seem to be caused by resource starvation in the machine, and never actual deadlocks in the services being monitored. Killing the services not only does not improve anything, but it makes the resource starvation worse, because the service needs cycles to restart, and coredump processing is also fairly expensive. This adds a configuration option to allow the value to be changed. If the setting is not set, there is no change. My plan is to set it to some ridiculusly high value, maybe 1h, to catch cases where a service is actually hanging. [1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html [2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
* unit: add ExecReload= in systemd-udevd.serviceYu Watanabe2019-09-171-0/+1
|
* journald: slightly bump OOM adjust for journald (#13366)Lennart Poettering2019-08-221-0/+1
| | | | | | | | | | | | | | If logging disappears issues are hard to debug, hence let's give journald a slight edge over other services when the OOM killer hits. Here are the special adjustments we now make: systemd-coredump@.service.in OOMScoreAdjust=500 systemd-journald.service.in OOMScoreAdjust=-250 systemd-udevd.service.in OOMScoreAdjust=-1000 (i.e. the coredump processing is made more likely to be killed on OOM, and udevd and journald are less likely to be killed)
* units: turn on RestrictSUIDSGID= in most of our long-running daemonsLennart Poettering2019-04-021-1/+2
|
* units: enable ProtectHostname=yesTopi Miettinen2019-02-201-0/+1
|
* units: switch from system call blacklist to whitelistLennart Poettering2018-06-141-0/+2
| | | | | | | | | | | | | | | | | | | | | This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this this means the new @system-service system call filter group will get serious real-life testing quickly. This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise. Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this shiuld be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
* units: switch udev service to use PrivateMounts=yesLennart Poettering2018-06-121-1/+1
| | | | | Given that PrivateMounts=yes is the "successor" to MountFlags=slave in unit files, let's make use of it for udevd.
* Add SPDX license headers to unit filesZbigniew Jędrzejewski-Szmek2017-11-191-0/+2
|
* units: prohibit all IP traffic on all our long-running services (#6921)Lennart Poettering2017-10-041-0/+1
| | | Let's lock things down further.
* units: set LockPersonality= for all our long-running services (#6819)Lennart Poettering2017-09-141-0/+1
| | | | Let's lock things down. Also, using it is the only way how to properly test this to the fullest extent.
* units: order service(s) before udevd, not udev-trigger (coldplug)Alan Jenkins2017-08-151-1/+1
| | | | | | | | | | Since hotplugs happen as soon as udevd is started, there is not much sense in giving udev-trigger an After= dependency on any service. The device could be hotplugged before coldplug starts. This is intended to avoid the race window where we create the hwdb with the wrong selinux context (then fix it up afterwards). https://github.com/systemd/systemd/issues/3458#issuecomment-322444107
* units: Sockets= already implies Wants= and After= (systemd-udevd.service)Alan Jenkins2017-08-151-2/+1
| | | | | I grepped for other `After=` on a socket unit as well. This was the only instance.
* units: set SystemCallArchitectures=native on all our long-running servicesLennart Poettering2017-02-091-0/+1
|
* units: systemd-udevd: add AF_INET and AF_INET6 to RestrictAddressFamilies= ↵Yu Watanabe2016-10-061-1/+1
| | | | | | | (#4296) The udev builtin command `net_setup_link` requires AF_INET and AF_INET6. Fixes #4293.
* units: further lock down our long-running servicesLennart Poettering2016-09-251-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
* udev: bump TasksMax to inifinity (#3593)Franck Bui2016-06-231-0/+1
| | | | | | | | | | | | | udevd already limits its number of workers/children: the max number is actually twice the number of CPUs the system is using. (The limit can also be raised with udev.children-max= kernel command line option BTW). On some servers, this limit can easily exceed the maximum number of tasks that systemd put on all services, which is 512 by default. Since udevd has already its limitation logic, simply disable the static limitation done by TasksMax.
* units: increase watchdog timeout to 3min for all our servicesLennart Poettering2015-09-291-1/+1
| | | | | | | | Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services. See #1353 for an example where this triggers.
* udevd: hook up watchdog supportTom Gundersen2015-05-291-0/+1
| | | | | We are already sending watchdog notification, this tells PID1 to actually listen for them and restart udevd in case it gets stuck.
* units: set KillMode=mixed for our daemons that fork worker processesLennart Poettering2015-04-241-0/+1
| | | | | | | The daemons should really have the time to kill the workers first, before systemd does it, hence use KillMode=mixed for these daemons. https://bugs.freedesktop.org/show_bug.cgi?id=90051
* units: move After=systemd-hwdb-update.service dependency from udev to ↵Lennart Poettering2015-04-031-1/+1
| | | | | | | | | | udev-trigger Let's move the hwdb regeneration a bit later. Given that hwdb is non-essential it should be OK to allow udev to run without it until we do the full trigger. http://lists.freedesktop.org/archives/systemd-devel/2015-April/030074.html
* units: there is no systemd-udev-hwdb-update.serviceZbigniew Jędrzejewski-Szmek2015-03-151-1/+1
|
* units: rebuild /etc/passwd, the udev hwdb and the journal catalog files on bootLennart Poettering2014-06-131-1/+1
| | | | | Only when necessary of course, nicely guarded with the new ConditionNeedsUpdate= condition we added.
* remove ReadOnlySystem and ProtectedHome from udevd and logindKay Sievers2014-06-041-2/+0
| | | | | logind needs access to /run/user/, udevd fails during early boot with these settings
* core: add new ReadOnlySystem= and ProtectedHome= settings for service unitsLennart Poettering2014-06-031-0/+2
| | | | | | | | | | | | | | ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
* unit: turn off mount propagation for udevdLennart Poettering2014-03-201-0/+1
| | | | | Keep mounts done by udev rules private to udevd. Also, document how MountFlags= may be used for this.
* static-nodes: move creation of static nodes from udevd to tmpfilesTom Gundersen2013-07-081-2/+2
| | | | | | | | | | | | | As of kmod v14, it is possible to export the static node information from /lib/modules/`uname -r`/modules.devname in tmpfiles.d(5) format. Use this functionality to let systemd-tmpfilesd create the static device nodes at boot, and drop the functionality from systemd-udevd. As an effect of this we can move from systemd-udevd to systemd-tmpfiles-setup-dev: * the conditional CAP_MKNOD (replaced by checking if /sys is mounted rw) * ordering before local-fs-pre.target (see 89d09e1b5c65a2d97840f682e0932c8bb499f166)
* units: order all udev services before sysinit.target, tooLennart Poettering2013-03-251-1/+1
| | | | | | Not that it would matter much, but let's make things a bit more systematic: early boot services shall order themselves before sysinit.target, and nothing else.
* udevd: ensure static nodes are created before local-fs mountFrederic Crozat2013-03-231-1/+1
| | | | | | | static nodes (like /dev/loop-control) are created when systemd-udevd is started and needed to mount loopback devices. Therefore, local-fs-pre.target should be only started after systemd-udevd is started.
* udevd: sort into sysinit instead of basic targetKay Sievers2013-03-121-1/+1
|
* units: don't enforce a holdoff time for journald, logind, udevdLennart Poettering2012-07-181-0/+1
| | | | | These services should be restarted as quickly as possible if they fail, and the extra safety net of the holdoff time is not necessary.
* units: Rename systemd-udev.service to systemd-udevd.serviceColin Guthrie2012-07-021-0/+22
This naming convention is more inline with other systemd daemon unit names (systemd-logind.service, systemd-localed.service etc) The companion .socket units have also been renamed, however the -trigger and -settle units keep their current name as these are not directly related to daemon process itself.