3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-17 09:29:22 +01:00
iwd/src/iwd.service.in

30 lines
650 B
SYSTEMD
Raw Normal View History

[Unit]
Description=Wireless service
Documentation=man:iwd(8) man:iwd.config(5) man:iwd.network(5) man:iwd.ap(5)
build: add After=network-pre.target to service files systemd specifies a special passive target unit 'network-pre.target' which may be pulled in by services that want to run before any network interface is brought up or configured. Correspondingly, network management services such as iwd and ead should specify After=network-pre.target to ensure a proper ordering with respect to this special target. For more information on network-pre.target, see systemd.special(7). Two examples to explain the rationale of this change: 1. On one of our embedded systems running iwd, a oneshot service is run on startup to configure - among other things - the MAC address of the wireless network interface based on some data in an EEPROM. Following the systemd documentation, the oneshot service specifies: Before=network-pre.target Wants=network-pre.target ... to ensure that it is run before any network management software starts. In practice, before this change, iwd was starting up and connecting to an AP before the service had finished. iwd would then get kicked off by the AP when the MAC address got changed. By specifying After=network-pre.target, systemd will take care to avoid this situation. 2. An administrator may wish to use network-pre.target to ensure firewall rules are applied before any network management software is started. This use-case is described in the systemd documentation[1]. Since iwd can be used for IP configuration, it should also respect the After=network-pre.target convention. Note that network-pre.target is a passive unit that is only pulled in if another unit specifies e.g. Wants=network-pre.target. If no such unit exists, this change will have no effect on the order in which systemd starts iwd or ead. [1] https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
2021-01-22 15:41:23 +01:00
After=network-pre.target
Before=network.target
Wants=network.target
[Service]
Type=dbus
BusName=net.connman.iwd
ExecStart=@libexecdir@/iwd
NotifyAccess=main
LimitNPROC=1
2018-10-30 11:32:26 +01:00
Restart=on-failure
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
iwd.service: Harden systemd service file This commit hardens the iwd.service.in template file for systemd services. The following is a short explanation for each added directive: +PrivateTmp=true If true, sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace. +NoNewPrivileges=true If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). +PrivateDevices=true If true, sets up a new /dev mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others. +ProtectHome=yes If true, the directories /home, /root and /run/user are made inaccessible and empty for processes invoked by this unit. +ProtectSystem=strict If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). +ReadWritePaths=/var/lib/iwd/ Sets up a new file system namespace for executed processes. These options may be used to limit access a process might have to the file system hierarchy. Each setting takes a space-separated list of paths relative to the host's root directory (i.e. the system running the service manager). Note that if paths contain symlinks, they are resolved relative to the root directory set with RootDirectory=/RootImage=. Paths listed in ReadWritePaths= are accessible from within the namespace with the same access modes as from outside of it. +ProtectControlGroups=yes If true, the Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be made read-only to all processes of the unit. +ProtectKernelModules=yes If true, explicit module loading will be denied. This allows module load and unload operations to be turned off on modular kernels. For further explanation to all directives see `man systemd.directives`
2019-02-26 00:30:09 +01:00
PrivateTmp=true
NoNewPrivileges=true
DevicePolicy=closed
DeviceAllow=/dev/rfkill rw
iwd.service: Harden systemd service file This commit hardens the iwd.service.in template file for systemd services. The following is a short explanation for each added directive: +PrivateTmp=true If true, sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace. +NoNewPrivileges=true If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). +PrivateDevices=true If true, sets up a new /dev mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others. +ProtectHome=yes If true, the directories /home, /root and /run/user are made inaccessible and empty for processes invoked by this unit. +ProtectSystem=strict If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). +ReadWritePaths=/var/lib/iwd/ Sets up a new file system namespace for executed processes. These options may be used to limit access a process might have to the file system hierarchy. Each setting takes a space-separated list of paths relative to the host's root directory (i.e. the system running the service manager). Note that if paths contain symlinks, they are resolved relative to the root directory set with RootDirectory=/RootImage=. Paths listed in ReadWritePaths= are accessible from within the namespace with the same access modes as from outside of it. +ProtectControlGroups=yes If true, the Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be made read-only to all processes of the unit. +ProtectKernelModules=yes If true, explicit module loading will be denied. This allows module load and unload operations to be turned off on modular kernels. For further explanation to all directives see `man systemd.directives`
2019-02-26 00:30:09 +01:00
ProtectHome=yes
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ConfigurationDirectory=iwd
StateDirectory=iwd
StateDirectoryMode=0700
[Install]
2018-05-22 18:28:02 +02:00
WantedBy=multi-user.target