From: Luca Boccassi Date: Thu, 18 Feb 2021 18:36:20 +0000 (+0000) Subject: systemd: add hostname fallback when polkit is not available X-Git-Tag: yocto-3.3~450 X-Git-Url: https://code.ossystems.io/gitweb?a=commitdiff_plain;h=07a8f1629662d4d66d056d95be3cb9e749242274;p=openembedded-core.git systemd: add hostname fallback when polkit is not available When polkit is not available, networkd will not have permissions to call hostnamed's dbus methods, as it runs without privileges. To solve this, when building without polkit, make a new PACKAGECONFIG 'polkit_hostnamed_fallback' available which changes hostnamed so that it runs as the 'systemd-network' user, the same as networkd, so that the authorization works (and also with CAP_SYS_ADMIN since it loses root). Also run it with a separate 'systemd-hostname' group which also owns the bus, to avoid giving the 'systemd-network' additional privileges. Signed-off-by: Luca Boccassi Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf new file mode 100644 index 0000000000..6b224ba9b9 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf @@ -0,0 +1,6 @@ +[Service] +# By running with these options instead of root, networkd is allowed to request +# a hostname change via DBUS when policykit is not present +User=systemd-network +Group=systemd-hostname +AmbientCapabilities=CAP_SYS_ADMIN diff --git a/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf new file mode 100644 index 0000000000..f4d0271cdb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf @@ -0,0 +1,11 @@ + + + + + + + + + + diff --git a/meta/recipes-core/systemd/systemd_247.3.bb b/meta/recipes-core/systemd/systemd_247.3.bb index a99e543a77..59e000f1dd 100644 --- a/meta/recipes-core/systemd/systemd_247.3.bb +++ b/meta/recipes-core/systemd/systemd_247.3.bb @@ -16,6 +16,8 @@ REQUIRED_DISTRO_FEATURES = "systemd" SRC_URI += "file://touchscreen.rules \ file://00-create-volatile.conf \ + ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://org.freedesktop.hostname1_no_polkit.conf', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://00-hostnamed-network-user.conf', '', d)} \ file://init \ file://99-default.preset \ file://systemd-pager.sh \ @@ -164,6 +166,10 @@ PACKAGECONFIG[openssl] = "-Dopenssl=true,-Dopenssl=false,openssl" PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}" PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2" PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false" +# If polkit is disabled and networkd+hostnamed are in use, enabling this option and +# using dbus-broker will allow networkd to be authorized to change the +# hostname without acquiring additional privileges +PACKAGECONFIG[polkit_hostnamed_fallback] = ",,,,dbus-broker,polkit" PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false" PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode" PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false" @@ -306,6 +312,15 @@ do_install() { fi fi + # If polkit is not available and a fallback was requested, install a drop-in that allows networkd to + # request hostname changes via DBUS without elevating its privileges + if ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'true', 'false', d)}; then + install -d ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/ + install -m 0644 ${WORKDIR}/00-hostnamed-network-user.conf ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/ + install -d ${D}${datadir}/dbus-1/system.d/ + install -m 0644 ${WORKDIR}/org.freedesktop.hostname1_no_polkit.conf ${D}${datadir}/dbus-1/system.d/ + fi + # create link for existing udev rules ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm @@ -370,7 +385,8 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \ ${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \ " -GROUPADD_PARAM_${PN} = "-r systemd-journal" +GROUPADD_PARAM_${PN} = "-r systemd-journal;" +GROUPADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '-r systemd-hostname;', '', d)}" USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}" USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}" USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}" @@ -589,6 +605,7 @@ FILES_${PN} = " ${base_bindir}/* \ ${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \ ${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \ ${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \ + ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '${datadir}/dbus-1/system.d/org.freedesktop.hostname1_no_polkit.conf', '', d)} \ ${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \ ${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \ ${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \