[systemd-devel] capabilities for systemd --user

Lukasz Stelmach l.stelmach at samsung.com
Wed Jul 13 07:35:53 UTC 2022


It was <2022-07-04 Mon 11:00>, when Lennart Poettering wrote:
> On Mo, 27.06.22 23:36, Lukasz Stelmach (l.stelmach at samsung.com) wrote:
>
>> Hi,
>>
>> I need an apparently exotic configuration and I don't know how to
>> approach the problem. Here are the requirements:
>>
>> - user at 1234.service (systemd --user)
>>   + runs with Priv SMACK label (SmackProcessLabel in user at .service)
>>   + has cap_mac_admin (and a few other capabilities) to assign SMACK
>>     labels to its children (AmbientCapabilities in user at .service)
>>
>> - children (session services) run with Reg SMACK label (I added
>>   support for DefaultSmackProcessLabel to user.conf, to avoid
>>   modifications of all unit files)
>
> sounds upstreamable.

https://github.com/systemd/systemd/pull/23921

Done.

Thanks for the help.

>> - children DO NOT inherit capabilities from systemd --user (they do now)
>>
>> This last is a problem because I'd like to avoid modifications of all
>> service files. I tried to drop inheritable caps before execve() (in
>> exec_child()) but as described in capabilities(7) this results in
>> dropping caps from the ambient set too, which means systemd --user
>> doesn't get what it needs.
>>
>> Is there anything I am missing? Is there any way to start a service with
>> UID!=0, some capabilities set but not implicitly inheritable by
>> processes spawned by the service?
>
> Quite frankly that should probably be the default behaviour.
>
> I'd probably merge a patch that unconditionally resets all caps
> passed to children of the --user manager even if the manager itself
> got some ambient caps passed. It might be a slight compat breakage,
> but I think it would be safer that way, as the service execution
> environment becomes more uniform then.
>
> Security credentials should be passed down to user services opt-in,
> not opt-out after all.
>
> Can you prep a patch for that and submit via github?

RFC https://github.com/systemd/systemd/pull/23988

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
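As an added illustration (not systemd code, and not something either poster wrote), the following C program models the execve() capability rules from capabilities(7) as plain bitmask arithmetic, so it needs no privileges to run. It reproduces the two observations made in the thread: raising MAC_ADMIN/MAC_OVERRIDE via AmbientCapabilities= lands them in the permitted and effective sets of systemd --user and, unchanged, in every child it execs; and clearing the inheritable set before execve() also empties the ambient set, so the user manager itself gets nothing. It then shows the opt-in alternative, clearing only the ambient set in the forked child. Capability numbers match linux/capability.h; the 41-capability bounding range, the function names, and the example session-service states are assumptions made for the illustration.

```c
/* Added example: a model of the execve() capability rules from capabilities(7),
 * not code from systemd or from this thread. Capability numbers match
 * linux/capability.h; the 41-capability range is an assumption. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_BIND_SERVICE 10
#define CAP_MAC_OVERRIDE     32
#define CAP_MAC_ADMIN        33
#define CAP_MASK(c)  ((uint64_t)1 << (c))
#define ALL_CAPS     (CAP_MASK(41) - 1)
/* What AmbientCapabilities= in user@.service hands to systemd --user */
#define MANAGER_CAPS (CAP_MASK(CAP_MAC_ADMIN) | CAP_MASK(CAP_MAC_OVERRIDE))

/* Thread capability sets, in the order /proc/<pid>/status lists them */
struct caps { uint64_t inheritable, permitted, effective, bounding, ambient; };

/* File capability sets; a file with no permitted/inheritable bits is unprivileged */
struct filecaps { uint64_t permitted, inheritable; bool effective; };

/* capabilities(7): ambient is always a subset of permitted AND inheritable;
 * the kernel drops ambient bits whenever either of those is lowered. */
static void fixup_ambient(struct caps *c) { c->ambient &= c->permitted & c->inheritable; }

/* The approach tried in the thread: clear inheritable before execve() */
static struct caps drop_inheritable(struct caps c) {
    c.inheritable = 0;
    fixup_ambient(&c);               /* side effect: ambient is emptied too */
    return c;
}

/* The proposed default: clear only the ambient set, which is what
 * prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) does */
static struct caps clear_ambient(struct caps c) { c.ambient = 0; return c; }

/* Rules for a non-root execve() from capabilities(7):
 *   P'(ambient)     = file privileged ? 0 : P(ambient)
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
 *   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
 *   P'(inheritable) = P(inheritable), P'(bounding) = P(bounding) */
static struct caps execve_transform(struct caps p, struct filecaps f) {
    struct caps n = p;
    bool privileged = f.permitted || f.inheritable;      /* set-UID files not modelled */
    n.ambient   = privileged ? 0 : p.ambient;
    n.permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective = f.effective ? n.permitted : n.ambient;
    fixup_ambient(&n);
    return n;
}

static struct filecaps unprivileged_file(void) { struct filecaps f = {0, 0, false}; return f; }
/* A binary prepared with "setcap <caps>=ep": file permitted + file effective */
static struct filecaps setcap_ep_file(uint64_t perm) { struct filecaps f = {perm, 0, true}; return f; }

/* Assumed state of the system manager's exec_child() for user@1234.service just
 * before execve(): uid already switched, AmbientCapabilities= has raised
 * MANAGER_CAPS in inheritable and ambient (an ambient bit must also be
 * inheritable and permitted), everything else still full. */
static struct caps system_exec_child(void) {
    struct caps c = { MANAGER_CAPS, ALL_CAPS, ALL_CAPS, ALL_CAPS, MANAGER_CAPS };
    return c;
}

/* What systemd --user ends up with, optionally after the drop-inheritable attempt */
static struct caps user_manager_caps(bool drop_inheritable_first) {
    struct caps c = system_exec_child();
    if (drop_inheritable_first) c = drop_inheritable(c);
    return execve_transform(c, unprivileged_file());
}

/* What a session service spawned by systemd --user ends up with. fork() gives
 * the child its own copy of the sets, so clearing ambient there leaves the
 * manager's own capabilities untouched. */
static struct caps session_service_caps(bool clear_ambient_first) {
    struct caps child = user_manager_caps(false);
    if (clear_ambient_first) child = clear_ambient(child);
    return execve_transform(child, unprivileged_file());
}

static void show(const char *what, struct caps c) {
    printf("%-38s Inh=%011" PRIx64 " Prm=%011" PRIx64 " Eff=%011" PRIx64 " Amb=%011" PRIx64 "\n",
           what, c.inheritable, c.permitted, c.effective, c.ambient);
}

int main(void) {
    show("systemd --user (AmbientCapabilities=)", user_manager_caps(false));
    show("systemd --user, inheritable dropped", user_manager_caps(true));
    show("session service, today", session_service_caps(false));
    show("session service, ambient cleared", session_service_caps(true));
    show("setcap cap_net_bind_service=ep child",
         execve_transform(user_manager_caps(false), setcap_ep_file(CAP_MASK(CAP_NET_BIND_SERVICE))));
    return 0;
}
```

Two caveats a practitioner would want: the model ignores set-UID binaries and securebits, and after the ambient-only clearing the session service's inheritable set still carries MAC_ADMIN/MAC_OVERRIDE. That is harmless for ordinary binaries, since they only become permitted through a file inheritable bit, but a binary carrying file inheritable capabilities could still pick them up, which is why the kernel treats file capabilities as privileged and discards the ambient set for them.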
