[systemd-devel] capabilities for systemd --user
Lukasz Stelmach
l.stelmach at samsung.com
Mon Jun 27 21:36:46 UTC 2022
Hi,
I need an apparently exotic configuration and I don't know how to
approach the problem. Here are the requirements:
- user@1234.service (systemd --user)
+ runs with Priv SMACK label (SmackProcessLabel in user@.service)
+ has cap_mac_admin (and a few other capabilities) to assign SMACK
labels to its children (AmbientCapabilities in user@.service)
- children (session services) run with Reg SMACK label (I added
support for DefaultSmackProcessLabel to user.conf, to avoid
modifications of all unit files)
- children DO NOT inherit capabilities from systemd --user (they do now)
This last one is a problem because I'd like to avoid modifications of all
service files. I tried to drop inheritable caps before execve() (in
exec_child()) but as described in capabilities(7) this results in
dropping caps from the ambient set too, which means systemd --user
doesn't get what it needs.
Is there anything I am missing? Is there any way to start a service with
UID!=0, some capabilities set but not implicitly inheritable by
processes spawned by the service?
Kind regards,
--
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
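As an added illustration (not code from systemd or from the poster), here is a small C model of the two capabilities(7) rules the mail relies on: the kernel invariant that the ambient set is a subset of permitted AND inheritable (so dropping inheritable bits drops the matching ambient bits), and the execve(2) transformation for a process whose UID stays non-zero. The manager state is constructed: it assumes systemd --user holds CAP_MAC_ADMIN and CAP_MAC_OVERRIDE (the exact AmbientCapabilities= list in the poster's user@.service is not given) and that session services are plain binaries without file capabilities. It compares three children forked from that manager: one left untouched, one that drops inheritable before execve, and one that clears only the ambient set before execve.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in <linux/capability.h>. */
#define CAP_MAC_OVERRIDE 32
#define CAP_MAC_ADMIN    33
#define CAP_BIT(n) (UINT64_C(1) << (n))

/* The five per-thread capability sets of capabilities(7). */
typedef struct { uint64_t effective, permitted, inheritable, bounding, ambient; } caps_t;

/* File capabilities (security.capability xattr); a plain binary has none. */
typedef struct { uint64_t permitted, inheritable; bool effective; } filecaps_t;

/* Kernel invariant: ambient is a subset of permitted & inheritable, so
 * dropping a permitted or inheritable bit clears the ambient bit as well.
 * This is the effect the mail above describes. */
static void caps_enforce_ambient_invariant(caps_t *c)
{
    c->ambient &= c->permitted & c->inheritable;
}

/* Drop bits from the inheritable set (what capset(2) would do). */
void caps_drop_inheritable(caps_t *c, uint64_t mask)
{
    c->inheritable &= ~mask;
    caps_enforce_ambient_invariant(c);
}

/* prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, ...): ambient set only. */
void caps_clear_ambient(caps_t *c) { c->ambient = 0; }

/* execve(2) transformation from capabilities(7) for a process whose UID
 * stays non-zero. A "privileged" file is one carrying file capabilities;
 * set-UID/set-GID binaries are not modelled here. */
caps_t caps_execve(const caps_t *p, const filecaps_t *f)
{
    caps_t n;
    bool privileged = (f->permitted | f->inheritable) != 0;

    n.ambient     = privileged ? 0 : p->ambient;
    n.permitted   = (p->inheritable & f->inheritable)
                  | (f->permitted & p->bounding) | n.ambient;
    n.effective   = f->effective ? n.permitted : n.ambient;
    n.inheritable = p->inheritable;
    n.bounding    = p->bounding;
    return n;
}

/* Constructed state for a non-root "systemd --user" started with
 * AmbientCapabilities=CAP_MAC_ADMIN CAP_MAC_OVERRIDE (assumed values). */
static const uint64_t MANAGER_CAPS = CAP_BIT(CAP_MAC_ADMIN) | CAP_BIT(CAP_MAC_OVERRIDE);
static const filecaps_t PLAIN_BINARY = { 0, 0, false };

caps_t example_user_manager(void)
{
    caps_t c = { .effective = MANAGER_CAPS, .permitted = MANAGER_CAPS,
                 .inheritable = MANAGER_CAPS, .bounding = ~UINT64_C(0),
                 .ambient = MANAGER_CAPS };
    return c;
}

/* fork() hands the child a copy of the sets; each scenario edits that copy
 * (the parent's own sets are untouched) and then applies the execve rules. */

/* 1. Nothing changed before execve: the service inherits the manager's caps. */
caps_t child_untouched(void)
{
    caps_t child = example_user_manager();
    return caps_execve(&child, &PLAIN_BINARY);
}

/* 2. Inheritable dropped before execve: the invariant empties ambient too. */
caps_t child_drop_inheritable(void)
{
    caps_t child = example_user_manager();
    caps_drop_inheritable(&child, ~UINT64_C(0));
    return caps_execve(&child, &PLAIN_BINARY);
}

/* 3. Only ambient cleared before execve: inheritable survives in the child,
 * but without file capabilities nothing reaches permitted or effective. */
caps_t child_clear_ambient(void)
{
    caps_t child = example_user_manager();
    caps_clear_ambient(&child);
    return caps_execve(&child, &PLAIN_BINARY);
}

int main(void)
{
    caps_t a = child_untouched(), b = child_drop_inheritable(), c = child_clear_ambient();
    printf("untouched:        pP=%#" PRIx64 " pI=%#" PRIx64 "\n", a.permitted, a.inheritable);
    printf("drop inheritable: pP=%#" PRIx64 " pI=%#" PRIx64 "\n", b.permitted, b.inheritable);
    printf("clear ambient:    pP=%#" PRIx64 " pI=%#" PRIx64 "\n", c.permitted, c.inheritable);
    return 0;
}
```

The model only applies the capabilities(7) rules to whatever sets a child has at execve time; it says nothing about which process a given systemd code path runs in. The third scenario is the one to compare against a real kernel: clearing the ambient set in the forked child leaves the child's inheritable set intact, yet a plain binary still ends up with an empty permitted set, because only ambient or file capabilities can populate permitted across execve for a non-root process.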