[systemd-devel] graphical sessions inherit display-manager only partly

Reindl Harald h.reindl at thelounge.net
Tue Jan 22 01:46:26 UTC 2019


"ProtectSystem=full" with the setup below just works; "su -" in a
konsole within the graphical session doesn't gain write permissions

Tasks: 4
why?

shouldn't everything started after the graphical login inherit any
settings from the display-manager service and run under its cgroup?

--------------------------------

[root at srv-rhsoft:~]$ systemctl status display-manager.service
● sddm.service - Simple Desktop Display Manager
   Loaded: loaded (/usr/lib/systemd/system/sddm.service; enabled; vendor
preset: disabled)
  Drop-In: /etc/systemd/system/display-manager.service.d
           └─security.conf, start-before.conf, tsx.conf
   Active: active (running) since Tue 2019-01-22 02:11:52 CET; 29min ago
     Docs: man:sddm(1)
           man:sddm.conf(5)
 Main PID: 1113 (sddm)
    Tasks: 4 (limit: 768)
   Memory: 236.2M
   CGroup: /system.slice/sddm.service
           ├─1113 /usr/bin/sddm
           └─1214 /usr/libexec/Xorg -nolisten tcp -auth
/var/run/sddm/{77ca2b81-d15c-4cbb-abed-6435e093a1aa} -background none
-noreset -displayfd 16 -seat seat0 vt1

--------------------------------

[root at srv-rhsoft:~]$ cat
/etc/systemd/system/display-manager.service.d/security.conf
[Service]
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_SYS_BOOT
CAP_SYS_PTRACE
RestrictAddressFamilies=AF_INET AF_INET6 AF_LOCAL AF_UNIX AF_NETLINK
SystemCallFilter=~@clock @cpu-emulation @obsolete @reboot @swap

PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
TasksMax=768

ProtectSystem=full

--------------------------------
[root at srv-rhsoft:~]$ pstree
systemd─┬─alsactl
        ├─apcupsd───2*[{apcupsd}]
        ├─colord───2*[{colord}]
        ├─crond
        ├─cupsd───dbus
        ├─dbmail-imapd───11*[{dbmail-imapd}]
        ├─dbmail-lmtpd───{dbmail-lmtpd}
        ├─dbmail-timsieve───{dbmail-timsieve}
        ├─dbus-daemon
        ├─dhclient
        ├─3*[dhcpd]
        ├─dovecot─┬─anvil
        │         ├─config
        │         ├─imap-login
        │         ├─ipc
        │         ├─log
        │         └─ssl-params
        ├─gmenudbusmenupr───2*[{gmenudbusmenupr}]
        ├─gpg-agent
        ├─haveged
        ├─2*[hostapd]
        ├─httpd───10*[httpd]
        ├─irqbalance───{irqbalance}
        ├─kdeconnectd───3*[{kdeconnectd}]
        ├─kdeinit5─┬─file.so
        │          ├─kaccess───2*[{kaccess}]
        │          ├─kded5───5*[{kded5}]
        │          ├─klauncher───2*[{klauncher}]
        │          └─ksmserver─┬─kwin_x11───4*[{kwin_x11}]
        │                      └─2*[{ksmserver}]
        ├─kopete───5*[{kopete}]
        ├─krunner───3*[{krunner}]
        ├─master─┬─pickup
        │        ├─proxymap
        │        ├─qmgr
        │        └─tlsmgr
        ├─mdadm
        ├─mpd───7*[{mpd}]
        ├─mysqld───53*[{mysqld}]
        ├─mysqld───28*[{mysqld}]
        ├─named───10*[{named}]
        ├─ntpd───{ntpd}
        ├─2*[openvpn]
        ├─php
        ├─plasmashell─┬─firefox─┬─Web Content───30*[{Web Content}]
        │             │         ├─4*[Web Content───29*[{Web Content}]]
        │             │         ├─Web Content───28*[{Web Content}]
        │             │         ├─2*[Web Content───33*[{Web Content}]]
        │             │         ├─WebExtensions───27*[{WebExtensions}]
        │             │         └─69*[{firefox}]
        │             ├─konsole─┬─7*[bash───ssh]
        │             │         └─2*[{konsole}]
        │             ├─ksysguardd
        │             ├─ksystraycmd─┬─cantata───5*[{cantata}]
        │             │             └─{ksystraycmd}
        │             ├─ksystraycmd─┬─ZendStudio───java───40*[{java}]
        │             │             └─{ksystraycmd}
        │             ├─ksystraycmd─┬─vnc.sh───vncviewer───4*[{vncviewer}]
        │             │             └─{ksystraycmd}
        │             ├─ksystraycmd─┬─thunderbird───145*[{thunderbird}]
        │             │             └─{ksystraycmd}
        │             └─6*[{plasmashell}]
        ├─polkitd───15*[{polkitd}]
        ├─pulseaudio───2*[{pulseaudio}]
        ├─pure-ftpd
        ├─rngd
        ├─rsyslogd───2*[{rsyslogd}]
        ├─rtkit-daemon───2*[{rtkit-daemon}]
        ├─sddm─┬─Xorg───{Xorg}
        │      ├─sddm-helper───startkde─┬─kwrapper5
        │      │                        └─ssh-agent
        │      └─{sddm}
        ├─smartd
        ├─smbd─┬─cleanupd
        │      ├─lpqd
        │      └─smbd-notifyd
        ├─smokeping─┬─/usr/sbin/smoke
        │           └─/usr/sbin/smoke───fping
        ├─ssh
        ├─sshd───sshd───bash
        ├─sshd───sshd───bash───pstree
        ├─start_kdeinit
        ├─5*[systemd───(sd-pam)]
        ├─systemd─┬─(sd-pam)
        │         ├─at-spi-bus-laun───3*[{at-spi-bus-laun}]
        │         ├─dbus-daemon
        │         ├─dconf-service───2*[{dconf-service}]
        │         ├─gconfd-2
        │         ├─gvfsd─┬─gvfsd-http───2*[{gvfsd-http}]
        │         │       └─2*[{gvfsd}]
        │         ├─kactivitymanage───5*[{kactivitymanage}]
        │         ├─kglobalaccel5───2*[{kglobalaccel5}]
        │         ├─kuiserver5───2*[{kuiserver5}]
        │         └─kwalletd5───2*[{kwalletd5}]
        ├─systemd-journal
        ├─systemd-logind
        ├─systemd-udevd
        ├─udisksd───4*[{udisksd}]
        ├─2*[vmnet-netifup]
        ├─vmware-authdlau
        ├─vmware-usbarbit
        ├─vmware-vmx───35*[{vmware-vmx}]
        ├─vmware-vmx───22*[{vmware-vmx}]
        ├─vmware-vmx───43*[{vmware-vmx}]
        ├─vnstatd
        └─xembedsniproxy───2*[{xembedsniproxy}]


