[systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units

[Lennart Poettering]

On Wed, 24.07.13 18:41, Gerardo Exequiel Pozzi (vmlinuz386 at yahoo.com.ar) wrote:

We generally try to make conditions specific to a feature rather than an
execution environment. Containers should run without CAP_MKMNOD, and as
udev originally was in the business of creating device nodes we hence
bound it to this capability.

Now, since very recently udev doesn'#t create a single device node
anymore (it's all done by the kernel in devtmpfs/container manager and
tmpfiles now), so it probably would make sense to change the capability
check, but certainly not remove it. (I'd vote by replacing it by
ConditionPathIsReadWrite=/sys since sane container managers mount that
read-only.)

Anyway, I don't get what you are trying to achieve by your patch please
elaborate.

> Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386 at yahoo.com.ar>
> ---
>  units/systemd-udev-settle.service.in  | 1 -
>  units/systemd-udev-trigger.service.in | 1 -
>  units/systemd-udevd-control.socket    | 1 -
>  units/systemd-udevd-kernel.socket     | 1 -
>  4 files changed, 4 deletions(-)
> 
> diff --git a/units/systemd-udev-settle.service.in b/units/systemd-udev-settle.service.in
> index 037dd9a..148aa9d 100644
> --- a/units/systemd-udev-settle.service.in
> +++ b/units/systemd-udev-settle.service.in
> @@ -16,7 +16,6 @@ DefaultDependencies=no
>  Wants=systemd-udevd.service
>  After=systemd-udev-trigger.service
>  Before=sysinit.target
> -ConditionCapability=CAP_MKNOD
>  
>  [Service]
>  Type=oneshot
> diff --git a/units/systemd-udev-trigger.service.in b/units/systemd-udev-trigger.service.in
> index 604c369..ea3cb62 100644
> --- a/units/systemd-udev-trigger.service.in
> +++ b/units/systemd-udev-trigger.service.in
> @@ -12,7 +12,6 @@ DefaultDependencies=no
>  Wants=systemd-udevd.service
>  After=systemd-udevd-kernel.socket systemd-udevd-control.socket
>  Before=sysinit.target
> -ConditionCapability=CAP_MKNOD
>  
>  [Service]
>  Type=oneshot
> diff --git a/units/systemd-udevd-control.socket b/units/systemd-udevd-control.socket
> index ca17102..12a66d2 100644
> --- a/units/systemd-udevd-control.socket
> +++ b/units/systemd-udevd-control.socket
> @@ -10,7 +10,6 @@ Description=udev Control Socket
>  Documentation=man:systemd-udevd.service(8) man:udev(7)
>  DefaultDependencies=no
>  Before=sockets.target
> -ConditionCapability=CAP_MKNOD
>  
>  [Socket]
>  Service=systemd-udevd.service
> diff --git a/units/systemd-udevd-kernel.socket b/units/systemd-udevd-kernel.socket
> index 4b8a5b0..64e6f63 100644
> --- a/units/systemd-udevd-kernel.socket
> +++ b/units/systemd-udevd-kernel.socket
> @@ -10,7 +10,6 @@ Description=udev Kernel Socket
>  Documentation=man:systemd-udevd.service(8) man:udev(7)
>  DefaultDependencies=no
>  Before=sockets.target
> -ConditionCapability=CAP_MKNOD
>  
>  [Socket]
>  Service=systemd-udevd.service


Lennart

-- 
Lennart Poettering - Red Hat, Inc.