[systemd-devel] upower fails with PrivateNetwork=true

Lennart Poettering lennart at poettering.net
Fri Jul 6 11:23:58 UTC 2018


On Thu, 05.07.18 14:01, Mantas Mikulėnas (grawity at gmail.com) wrote:

> On Thu, Jul 5, 2018 at 1:13 PM Michael Biebl <mbiebl at gmail.com> wrote:
> 
> > Hi,
> >
> > in the latest upower release 0.99.8, the systemd service file was
> > locked down considerably[1]. Unfortunately, a result of that is that
> > upower no longer detects any plug/unplug events [2].
> > Through some trial and error I found that it's the addition of
> > PrivateNetwork=true which broke upower.
> > Now I'm a bit puzzled why upower would need network to function properly.
> >
> 
> Plug/unplug events are device uevents sent via AF_NETLINK socket. If you
> have PrivateNetwork=true, upower gets its own network namespace and is
> isolated from anything that udev (re)sends in the main namespace.
> 
> (Looks like namespaces can still receive the original kernel-generated
> uevents, but without the extra information that udev attaches to
> retransmitted ones – that's probably not enough for libudev to work.
> Compare `udevadm monitor -p` vs `unshare --net udevadm monitor -p`.)

Yes, Mantas is right, PrivateNetwork= disconnects the whole of
AF_NETLINK from the rest of the system, which means services that
require libudev device events can't use it. It's a bit of a misdesign
on the kernel side if you ask me, but it is what it is.

The man page briefly mentions the AF_NETLINK situation, but I'll
extend it to make this more clear.

For many cases "RestrictAddressFamilies=AF_UNIX AF_NETLINK" is an
alternative, and on cgroupsv2 IPAddressDeny=any too.

Lennart

-- 
Lennart Poettering, Red Hat
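The mechanism Mantas and Lennart describe, as an added example that is not part of the thread and not code from systemd or upower: both kernel uevents and udev's retransmissions travel over NETLINK_KOBJECT_UEVENT, but udev's copies (multicast group 2, the one a libudev "udev" monitor binds to) carry a "libudev" header plus the rule-derived properties (ID_*, USEC_INITIALIZED, ...). A service behind PrivateNetwork=true sits in a namespace where udevd never sends, so it only ever sees the bare kernel form. The parser below assumes the libudev wire layout (8-byte `libudev\0` prefix, big-endian magic 0xfeedcafe, then header_size/properties_off/properties_len in host order); the sample messages and the "host namespace" versus "private namespace" traffic lists are constructed, not captured.

```python
"""Kernel uevents vs udev-retransmitted uevents (constructed demo, not systemd code)."""
import socket
import struct
import sys

UDEV_PREFIX = b"libudev\0"
UDEV_MONITOR_MAGIC = 0xFEEDCAFE   # assumption: matches systemd's monitor header magic
UDEV_HEADER_LEN = 40              # 8-byte prefix + 8 unsigned ints
KERNEL_GROUP, UDEV_GROUP = 1, 2   # netlink multicast groups


def parse_properties(buf: bytes) -> dict:
    """Split a NUL-separated KEY=VALUE buffer into a dict."""
    props = {}
    for item in buf.split(b"\0"):
        key, sep, val = item.partition(b"=")
        if sep:
            props[key.decode()] = val.decode(errors="replace")
    return props


def parse_uevent(msg: bytes) -> tuple:
    """Return (origin, properties); origin is 'kernel' or 'udev'."""
    if msg.startswith(UDEV_PREFIX):
        (magic,) = struct.unpack_from(">I", msg, 8)
        if magic != UDEV_MONITOR_MAGIC:
            raise ValueError("libudev prefix with bad magic")
        header_size, off, length = struct.unpack_from("=III", msg, 12)
        if header_size < UDEV_HEADER_LEN or off + length > len(msg):
            raise ValueError("truncated libudev message")
        return "udev", parse_properties(msg[off:off + length])
    # Kernel format: "action@devpath\0" followed by KEY=VALUE\0 pairs.
    head, sep, rest = msg.partition(b"\0")
    if not sep or b"@" not in head:
        raise ValueError("not a uevent message")
    return "kernel", parse_properties(rest)


def _body(props: dict) -> bytes:
    return b"".join(k.encode() + b"=" + v.encode() + b"\0" for k, v in props.items())


def build_udev_message(props: dict) -> bytes:
    """Construct a libudev-style message (filter hashes zeroed; udevd fills them)."""
    body = _body(props)
    header = UDEV_PREFIX + struct.pack(">I", UDEV_MONITOR_MAGIC)
    header += struct.pack("=IIIIIII", UDEV_HEADER_LEN, UDEV_HEADER_LEN, len(body), 0, 0, 0, 0)
    return header + body


def build_kernel_message(action: str, devpath: str, props: dict) -> bytes:
    """Construct a kernel-style message: header line, then ACTION/DEVPATH and extras."""
    return f"{action}@{devpath}\0".encode() + _body({"ACTION": action, "DEVPATH": devpath, **props})


def summarize(messages: list) -> dict:
    """Count messages by origin; a libudev 'udev' monitor is only fed by udev-origin ones."""
    counts = {"kernel": 0, "udev": 0}
    for m in messages:
        origin, _ = parse_uevent(m)
        counts[origin] += 1
    counts["libudev_consumer_fed"] = counts["udev"] > 0
    return counts


def listen(group: int, seconds: float = 5.0) -> dict:
    """Linux only: receive uevents from one multicast group for a few seconds."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_KOBJECT_UEVENT)
    s.bind((0, group))
    s.settimeout(seconds)
    seen = []
    try:
        while True:
            seen.append(s.recv(8192))
    except socket.timeout:
        pass
    finally:
        s.close()
    return summarize(seen)


# Constructed samples for one USB hotplug.
DEVPATH = "/devices/pci0000:00/0000:00:14.0/usb1/1-1"
SAMPLE_KERNEL = build_kernel_message("add", DEVPATH, {"SUBSYSTEM": "usb", "SEQNUM": "4242"})
SAMPLE_UDEV = build_udev_message({
    "ACTION": "add", "DEVPATH": DEVPATH, "SUBSYSTEM": "usb", "SEQNUM": "4242",
    "ID_VENDOR_ID": "1d6b", "ID_MODEL_ID": "0002", "USEC_INITIALIZED": "1234567",
})
HOST_NS_TRAFFIC = [SAMPLE_KERNEL, SAMPLE_UDEV]   # what the main namespace sees
PRIVATE_NS_TRAFFIC = [SAMPLE_KERNEL]             # what PrivateNetwork=true leaves

if __name__ == "__main__":
    print("host namespace:", summarize(HOST_NS_TRAFFIC))
    print("private namespace:", summarize(PRIVATE_NS_TRAFFIC))
    if sys.platform == "linux":
        print("live udev group, 5s:", listen(UDEV_GROUP))
```

Running the script inside `unshare --net` on a Linux box will report zero udev-origin messages for the live listen, which is the condition upower hits under PrivateNetwork=true. The hardening that keeps this working is the one Lennart names: drop PrivateNetwork= and use `RestrictAddressFamilies=AF_UNIX AF_NETLINK` (plus `IPAddressDeny=any` on cgroupsv2) so the unit keeps udev's socket but no IP sockets.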