Commit Graph

48 Commits

Author SHA1 Message Date
Lennart Poettering
e0f968ad96 units: drop systemd-remount-fs.service dependency from more services
All services using StateDirectory= don't need the explicit dep anymore,
let's hence drop it everywhere.
2020-04-08 16:29:41 +02:00
Kevin Kuehler
6168ae5840 units: set ProtectKernelLogs=yes on relevant units
We set ProtectKernelLogs=yes on all long running services except for
udevd, since it accesses /dev/kmsg, and journald, since it calls syslog
and accesses /dev/kmsg.
2019-11-15 00:59:54 -08:00
Zbigniew Jędrzejewski-Szmek
21d0dd5a89 meson: allow WatchdogSec= in services to be configured
As discussed on systemd-devel [1], in Fedora we get lots of abrt reports
about the watchdog firing [2], but 100% of them seem to be caused by resource
starvation in the machine, and never actual deadlocks in the services being
monitored. Killing the services not only does not improve anything, but it
makes the resource starvation worse, because the service needs cycles to restart,
and coredump processing is also fairly expensive. This adds a configuration option
to allow the value to be changed. If the setting is not set, there is no change.

My plan is to set it to some ridiculusly high value, maybe 1h, to catch cases
where a service is actually hanging.

[1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
2019-10-25 17:20:24 +02:00
Lennart Poettering
e070037c88 Revert "timesyncd: add Conflicts for ntpd and chronyd"
This reverts commit 971a7a1526.

These unit names are typically different on distributions, let's not
hardcode those. Stuff like this should probably live in the distro
RPM/.deb, but not upstream, where we should be distro agnostic and
agnostic to other higher level packages like this.
2019-07-24 17:29:28 +02:00
Zbigniew Jędrzejewski-Szmek
971a7a1526 timesyncd: add Conflicts for ntpd and chronyd
Users might end up with more than one of those service enabled, through
admin mistake, or broken installation scriptlets, or whatever. On my machine,
I had both chronyd and timesyncd happilly running at the same time. If
more than one is enabled, it's better to have just one running. Adding
Conflicts will make the issue more visible in logs too.
2019-07-22 15:58:08 +02:00
Peter A. Bigot
4ea0f675ae units: add time-set.target
time-sync.target is supposed to indicate system clock is synchronized
with a remote clock, but as used through 241 it only provided a system
clock that was updated based on a locally-maintained timestamp.  Systems
that are powered off for extended periods would not come up with
accurate time.

Retain the existing behavior using a new time-set.target leaving
time-sync.target for cases where accuracy is required.

Closes #8861
2019-04-08 14:34:05 +02:00
Lennart Poettering
62aa29247c units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-04-02 16:56:48 +02:00
Topi Miettinen
99894b867f units: enable ProtectHostname=yes 2019-02-20 10:50:44 +02:00
Lennart Poettering
3ca9940cb9 units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

An while we are at it: sort the settings in the unit files this touches.
This might increase the size of the change in this case, but hopefully
should result in stabler patches later on.

Fixes: #1219
2018-11-12 19:02:55 +01:00
Zbigniew Jędrzejewski-Szmek
162e0b75f9 Revert "timesyncd: enable DynamicUser="
This reverts commit 48d3e88c18.

I kept the follow-symlink=false → follow-symlink=true change instact, since
we're likely to have existing installations with a symlink now.
2018-09-19 10:00:09 +02:00
Zbigniew Jędrzejewski-Szmek
89be857a41 Revert "unit: drop After=systemd-sysusers.service from timesyncd"
This reverts commit be80154827.
2018-09-19 09:56:36 +02:00
Lennart Poettering
ee8f26180d units: switch from system call blacklist to whitelist
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.

This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.

Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.
2018-06-14 17:44:20 +02:00
Yu Watanabe
be80154827 unit: drop After=systemd-sysusers.service from timesyncd
After=systemd-sysusers.service is not necessary, as timesyncd
already enables DynamicUser=.
2018-05-22 22:20:17 +09:00
Yu Watanabe
e7dd394767 timesync: expose manager properties on bus 2018-05-03 18:05:14 +09:00
Peter A. Bigot
2dd79846dd time-wait-sync: use watchfile to coordinate with timesyncd
Systems that have an accurate real-time clock may have an initial
unsynchronized time that is close enough to the synchronized time that
the final adjustment doesn't trigger a waking "clock set" event.  Have
timesyncd touch a file in its runtime directory as a secondary signal
for synchronization.  Continue to support the timerfd-based trigger as a
sufficient condition when the watchfile is not present.

Closes issue #8683
2018-04-14 09:52:40 -05:00
Zbigniew Jędrzejewski-Szmek
a7df2d1e43 Add SPDX license headers to unit files 2017-11-19 19:08:15 +01:00
Yu Watanabe
48d3e88c18 timesyncd: enable DynamicUser= 2017-10-06 16:05:20 +09:00
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Yu Watanabe
96f9f6aca7 unit: drop redundant options 2017-08-31 18:29:41 +09:00
Yu Watanabe
53d133ea1b timesync: move stamp file to /var/lib/systemd/timesync/clock 2017-08-30 15:59:57 +09:00
Yu Watanabe
87a85e25a2 units: make use of !! ExecStart= prefix in systemd-timesyncd.service
Let's make use of !! to run timesyncd with ambient capabilities on
systems supporting them.
2017-08-27 01:41:12 +09:00
Lennart Poettering
6489ccfe48 units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings
Tighten security up a bit more.
2017-02-09 16:12:03 +01:00
Lennart Poettering
b6c7278c38 units: turn on ProtectKernelModules= for most long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
c7fb922d62 units: switch on ProtectSystem=strict for our long running services
Let's step up the protection a notch
2017-02-09 16:12:03 +01:00
Lennart Poettering
3c19d0b46b units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
2017-02-09 16:12:03 +01:00
Lennart Poettering
7f396e5f66 units: set SystemCallArchitectures=native on all our long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Lennart Poettering
4e069746fe units: tighten system call filters a bit
Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.
2016-06-13 16:25:54 +02:00
Topi Miettinen
40093ce5dd units: add a basic SystemCallFilter (#3471)
Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.
2016-06-09 09:32:04 +02:00
Topi Miettinen
40652ca479 units: enable MemoryDenyWriteExecute (#3459)
Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.

Closes: #3459
2016-06-08 14:23:37 +02:00
Lennart Poettering
c2fc2c2560 units: increase watchdog timeout to 3min for all our services
Apparently, disk IO issues are more frequent than we hope, and 1min
waiting for disk IO happens, so let's increase the watchdog timeout a
bit, for all our services.

See #1353 for an example where this triggers.
2015-09-29 21:55:51 +02:00
Kay Sievers
4b16233e59 timesyncd: enable timesyncd in virtual machines
On Fri, Mar 13, 2015 at 8:25 PM, Michael Marineau <michael.marineau@coreos.com> wrote:
> Currently systemd-timesyncd.service includes
> ConditionVirtualization=no, disabling it in both containers and
> virtual machines. Each VM platform tends to deal with or ignore the
> time problem in their own special ways, KVM/QEMU has the kernel time
> source kvm-clock, Xen has had different schemes over the years, VMware
> expects a userspace daemon sync the clock, and other platforms are
> content to drift with the wind as far as I can tell.
>
> I don't know of a robust way to know if a platform needs a little
> extra help from userspace to keep the clock sane or not but it seems
> generally safer to try than to risk drifting. Does anyone know of a
> reason to leave timesyncd off by default? Otherwise switching to
> ConditionVirtualization=!container should be reasonable.
2015-03-15 19:44:59 +01:00
Lennart Poettering
a24111cea6 Revert "units: add SecureBits"
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11 18:28:06 +01:00
Topi Miettinen
6a716208b3 units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
2015-02-11 17:33:36 +01:00
Kay Sievers
01b85ba3ad timesyncd: do not start in virtualized environments 2014-06-17 03:34:09 +02:00
Lennart Poettering
689d781b87 units: minor cleanups 2014-06-17 02:43:44 +02:00
Lennart Poettering
ecde7065f7 units: rebuild /etc/passwd, the udev hwdb and the journal catalog files on boot
Only when necessary of course, nicely guarded with the new
ConditionNeedsUpdate= condition we added.
2014-06-13 13:26:32 +02:00
Lennart Poettering
55152b6ede units: pull in time-sync.target from systemd-timedated.service
After all, that's what we document for time-sync.target in
systemd.special(5), hence let's follow our own suggestion.
2014-06-06 16:20:33 +02:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
2014-06-04 18:12:55 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Kay Sievers
d636d37679 timesyncd: only update stamp file when we are synchronized
Create initial stamp file with compiled-in time to prevent bootups
with clocks in the future from storing invalid timestamps.

At shutdown, only update the timestamp if we got an authoritative
time to store.
2014-05-24 08:04:56 +08:00
Kay Sievers
52ffb444cb timesyncd: order after tmpfiles to get a working network monitor 2014-05-22 07:57:33 +09:00
Lennart Poettering
ece6e766cf timesyncd: save clock to disk everytime we get an NTP fix, and bump clock at boot using this
This is useful to make sure the system clock stays monotonic even on
systems that lack an RTC.

Also, why we are at it, also use the systemd release time for bumping
the clock, since it's a slightly less bad than starting with jan 1st,
1970.

This also moves timesyncd into the early bootphase, in order to make
sure this initial bump is guaranteed to have finished by the time we
start real daemons which might write to the file systemd and thus
shouldn't leave 1970's timestamps all over the place...
2014-05-21 00:23:39 +09:00
Lennart Poettering
9f7115498b timesyncd: enable watchdog support 2014-05-18 20:52:49 +09:00
Lennart Poettering
a349eb10d3 timesyncd: run timesyncd as unpriviliged user "systemd-timesync" (but still with CAP_SYS_TIME) 2014-05-18 20:52:49 +09:00
Lennart Poettering
e3ad07d21c timesyncd: limit capabilities to CAP_SYS_TIME 2014-05-15 18:55:19 +02:00
Tom Gundersen
0968137439 timesyncd: start after networkd
This is needed for the network monitor to work (as it requires networkd to set up the correct directories first).
2014-05-13 12:44:22 +02:00
Kay Sievers
a91df40e69 timesyncd: add unit and man page 2014-04-29 09:51:53 +02:00