[systemd-devel] upower fails with PrivateNetwork=true
Lennart Poettering
lennart at poettering.net
Fri Jul 6 11:23:58 UTC 2018
On Thu, 05.07.18 14:01, Mantas Mikulėnas (grawity at gmail.com) wrote:
> On Thu, Jul 5, 2018 at 1:13 PM Michael Biebl <mbiebl at gmail.com> wrote:
>
> > Hi,
> >
> > in the latest upower release 0.99.8, the systemd service file was
> > locked down considerably[1]. Unfortunately, a result of that is that
> > upower no longer detects any plug/unplug events [2].
> > Through some trial and error I found that it's the addition of
> > PrivateNetworks=true which broke upower.
> > Now I'm a bit puzzled why upower would need network to function properly.
> >
>
> Plug/unplug events are device uevents sent via AF_NETLINK socket. If you
> have PrivateNetworks=true, upower gets its own network namespace and is
> isolated from anything that udev (re)sends in the main namespace.
>
> (Looks like namespaces can still receive the original kernel-generated
> uevents, but without the extra information that udev attaches to
> retransmitted ones – that's probably not enough for libudev to work.
> Compare `udevadm monitor -p` vs `unshare --net udevadm monitor -p`.)
Yes, Mantas is right, PrivateNetwork= disconnects the whole of
AF_NETLINK from the rest of the system, which means services that
require libudev device events can't use it. It's a bit of a misdesign
on the kernel side if you ask me, but it is what it is.

The man page briefly mentions the AF_NETLINK situation, but I'll
extend it to make this more clear.

For many cases "RestrictAddressFamilies=AF_UNIX AF_NETLINK" is an
alternative, and on cgroupsv2 IPAddressDeny=any too.

Lennart
--
Lennart Poettering, Red Hat
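The alternative Lennart describes, written out as a systemd drop-in. This is an added example, not a file from the upower project or from anyone in this thread; the unit name `upower.service` and the drop-in path are assumed.

```ini
# /etc/systemd/system/upower.service.d/netlink.conf   (assumed path)
# Added example: keep the 0.99.8 lockdown, but let libudev receive the
# uevents udev retransmits, which travel over AF_NETLINK.
[Service]
# The setting that broke plug/unplug detection. A private network
# namespace also gets its own, empty AF_NETLINK, so nothing udev
# (re)sends in the main namespace ever reaches the daemon.
PrivateNetwork=no

# Instead, allow only the socket families the daemon actually needs:
# AF_UNIX for D-Bus, AF_NETLINK for uevents. AF_INET, AF_INET6,
# AF_PACKET and everything else stay blocked. The empty assignment
# resets any list the shipped unit already carries before we add ours.
RestrictAddressFamilies=
RestrictAddressFamilies=AF_UNIX AF_NETLINK

# On cgroupsv2, additionally drop all IP traffic at the cgroup level,
# so the AF_NETLINK allowance does not reopen any network path.
IPAddressDeny=any
```

After `systemctl daemon-reload` and a restart, `systemctl show upower.service -p PrivateNetwork -p RestrictAddressFamilies -p IPAddressDeny` shows the effective values, and `udevadm monitor -p` from the main namespace can be used to confirm udev is still emitting the events the daemon should now see.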