units: make use of !! ExecStart= prefix in systemd-networkd.service
authorYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 26 Aug 2017 16:40:47 +0000 (01:40 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 26 Aug 2017 16:40:47 +0000 (01:40 +0900)
Let's make use of !! to run networkd with ambient capabilities on
systems supporting them.

src/network/networkd.c
units/systemd-networkd.service.in

index fe60f1e..8efd160 100644 (file)
@@ -70,13 +70,17 @@ int main(int argc, char *argv[]) {
         if (r < 0)
                 log_warning_errno(r, "Could not create runtime directory 'lldp': %m");
 
-        r = drop_privileges(uid, gid,
-                            (1ULL << CAP_NET_ADMIN) |
-                            (1ULL << CAP_NET_BIND_SERVICE) |
-                            (1ULL << CAP_NET_BROADCAST) |
-                            (1ULL << CAP_NET_RAW));
-        if (r < 0)
-                goto out;
+        /* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
+         * privileges are already dropped. */
+        if (geteuid() == 0) {
+                r = drop_privileges(uid, gid,
+                                    (1ULL << CAP_NET_ADMIN) |
+                                    (1ULL << CAP_NET_BIND_SERVICE) |
+                                    (1ULL << CAP_NET_BROADCAST) |
+                                    (1ULL << CAP_NET_RAW));
+                if (r < 0)
+                        goto out;
+        }
 
         assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);
 
index 218e5c4..3f0ad77 100644 (file)
@@ -20,9 +20,11 @@ Wants=network.target
 Type=notify
 Restart=on-failure
 RestartSec=0
-ExecStart=@rootlibexecdir@/systemd-networkd
+ExecStart=!!@rootlibexecdir@/systemd-networkd
 WatchdogSec=3min
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+User=systemd-network
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
@@ -32,7 +34,8 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
-ReadWritePaths=/run/systemd
+RuntimeDirectory=systemd/netif
+RuntimeDirectoryPreserve=yes
 
 [Install]
 WantedBy=multi-user.target
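Review bot: In the first hunk, CAP_SETUID, CAP_SETGID and CAP_SETPCAP are removed from `CapabilityBoundingSet=` while the unit still depends on the `!!` fallback, where systemd runs the service as root and networkd calls drop_privileges() itself; that only works if systemd restores those capabilities to the bounding set when it ignores `!!`, which the unit file does not state. A comment above `ExecStart=!!@rootlibexecdir@/systemd-networkd` such as `# '!!' runs unprivileged with ambient capabilities where supported; otherwise systemd falls back to root and networkd drops privileges itself` would make the two execution modes explicit for anyone later editing the User= and capability lines. The second hunk replaces `ReadWritePaths=/run/systemd` with `RuntimeDirectory=systemd/netif`, so under ProtectSystem=strict the writable area presumably shrinks to /run/systemd/netif; if networkd still writes anywhere else below /run/systemd that should be verified.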