GitHub-Mirror/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2025-10-06 00:13:24 +02:00
Code Issues Releases Wiki Activity

nsresourced: make sure "tun" driver is properly loaded and accessible

Browse Source 
We need access to /dev/net/tun, hence make sure we can actually see
/dev/. Also make sure the module is properly loaded before we operate,
given that we run with limit caps. But then again give the CAP_NET_ADMIN
cap, since we need to configure the network tap/tun devices.

Follow-up for: 1365034727
This commit is contained in:
Lennart Poettering
2025-06-13 15:12:25 +02:00
committed by Mike Yuan
parent 7ce370c466
commit 273d14f5dd
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
units/systemd-nsresourced.service.in
View File

@@ -13,17 +13,20 @@ Documentation=man:systemd-nsresourced.service(8)
Requires=systemd-nsresourced.socket
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
Wants=modprobe@tun.service
After=modprobe@tun.service
DefaultDependencies=no
[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_CHOWN CAP_FOWNER
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_CHOWN CAP_FOWNER CAP_NET_ADMIN
ExecStart={{LIBEXECDIR}}/systemd-nsresourced
IPAddressDeny=any
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes