systemd: add hostname fallback when polkit is not available

When polkit is not available, networkd will not have permissions to call hostnamed's dbus methods, as it runs without privileges. To solve this, when building without polkit, make a new PACKAGECONFIG 'polkit_hostnamed_fallback' available which changes hostnamed so that it runs as the 'systemd-network' user, the same as networkd, so that the authorization works (and also with CAP_SYS_ADMIN since it loses root). Also run it with a separate 'systemd-hostname' group which also owns the bus, to avoid giving the 'systemd-network' additional privileges. (From OE-Core rev: 07a8f1629662d4d66d056d95be3cb9e749242274) Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Luca Boccassi <luca.boccassi@microsoft.com> 2021-02-18 18:36:20 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-02-19 11:17:11 +0000
commit: 3dc37c12c17d5bb6d4701a425a4f79f6e31784ee (patch)
tree: a4b56ec4683cee0413d9f46fc9a4466694a44eb8 /meta/recipes-core
parent: 1827be4a19b5928819da4be1cd0406463012f9ea (diff)
download: poky-3dc37c12c17d5bb6d4701a425a4f79f6e31784ee.tar.gz
3 files changed, 35 insertions, 1 deletions
diff --git a/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf
new file mode 100644
index 0000000000..6b224ba9b9
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf
@@ -0,0 +1,6 @@
+[Service]
+# By running with these options instead of root, networkd is allowed to request
+# a hostname change via DBUS when policykit is not present
+User=systemd-network
+Group=systemd-hostname
+AmbientCapabilities=CAP_SYS_ADMIN
diff --git a/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf
new file mode 100644
index 0000000000..f4d0271cdb
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf
@@ -0,0 +1,11 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+        "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+        <policy group="systemd-hostname">
+                <allow own="org.freedesktop.hostname1"/>
+                <allow send_destination="org.freedesktop.hostname1"/>
+                <allow receive_sender="org.freedesktop.hostname1"/>
+        </policy>
+</busconfig>
diff --git a/meta/recipes-core/systemd/systemd_247.3.bb b/meta/recipes-core/systemd/systemd_247.3.bb
index a99e543a77..59e000f1dd 100644
--- a/meta/recipes-core/systemd/systemd_247.3.bb
+++ b/meta/recipes-core/systemd/systemd_247.3.bb
@@ -16,6 +16,8 @@ REQUIRED_DISTRO_FEATURES = "systemd"
 SRC_URI += "file://touchscreen.rules \
           file://00-create-volatile.conf \
+           ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://org.freedesktop.hostname1_no_polkit.conf', '', d)} \
+           ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://00-hostnamed-network-user.conf', '', d)} \
           file://init \
           file://99-default.preset \
           file://systemd-pager.sh \
@@ -164,6 +166,10 @@ PACKAGECONFIG[openssl] = "-Dopenssl=true,-Dopenssl=false,openssl"
 PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2"
 PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false"
+# If polkit is disabled and networkd+hostnamed are in use, enabling this option and
+# using dbus-broker will allow networkd to be authorized to change the
+# hostname without acquiring additional privileges
+PACKAGECONFIG[polkit_hostnamed_fallback] = ",,,,dbus-broker,polkit"
 PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false"
 PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode"
 PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false"
@@ -306,6 +312,15 @@ do_install() {
                fi
        fi
+        # If polkit is not available and a fallback was requested, install a drop-in that allows networkd to
+        # request hostname changes via DBUS without elevating its privileges
+        if ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'true', 'false', d)}; then
+                install -d ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/
+                install -m 0644 ${WORKDIR}/00-hostnamed-network-user.conf ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/
+                install -d ${D}${datadir}/dbus-1/system.d/
+                install -m 0644 ${WORKDIR}/org.freedesktop.hostname1_no_polkit.conf ${D}${datadir}/dbus-1/system.d/
+        fi
        # create link for existing udev rules
        ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm
@@ -370,7 +385,8 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \
                    ${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \
                    ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \
 "
-GROUPADD_PARAM_${PN} = "-r systemd-journal"
+GROUPADD_PARAM_${PN} = "-r systemd-journal;"
+GROUPADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '-r systemd-hostname;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
@@ -589,6 +605,7 @@ FILES_${PN} = " ${base_bindir}/* \
                ${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \
                ${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \
                ${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \
+                ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '${datadir}/dbus-1/system.d/org.freedesktop.hostname1_no_polkit.conf', '', d)} \
                ${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \
                ${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \
                ${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \
author	Luca Boccassi <luca.boccassi@microsoft.com>	2021-02-18 18:36:20 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-02-19 11:17:11 +0000
commit	3dc37c12c17d5bb6d4701a425a4f79f6e31784ee (patch)
tree	a4b56ec4683cee0413d9f46fc9a4466694a44eb8 /meta/recipes-core
parent	1827be4a19b5928819da4be1cd0406463012f9ea (diff)
download	poky-3dc37c12c17d5bb6d4701a425a4f79f6e31784ee.tar.gz

diff --git a/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf new file mode 100644 index 0000000000..6b224ba9b9 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf
@@ -0,0 +1,6 @@
		1	[Service]
		2	# By running with these options instead of root, networkd is allowed to request
		3	# a hostname change via DBUS when policykit is not present
		4	User=systemd-network
		5	Group=systemd-hostname
		6	AmbientCapabilities=CAP_SYS_ADMIN


diff --git a/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf new file mode 100644 index 0000000000..f4d0271cdb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf
@@ -0,0 +1,11 @@
		1	<?xml version="1.0"?> <!---nxml--->
		2	<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
		3	"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
		4
		5	<busconfig>
		6	<policy group="systemd-hostname">
		7	<allow own="org.freedesktop.hostname1"/>
		8	<allow send_destination="org.freedesktop.hostname1"/>
		9	<allow receive_sender="org.freedesktop.hostname1"/>
		10	</policy>
		11	</busconfig>


diff --git a/meta/recipes-core/systemd/systemd_247.3.bb b/meta/recipes-core/systemd/systemd_247.3.bb index a99e543a77..59e000f1dd 100644 --- a/meta/recipes-core/systemd/systemd_247.3.bb +++ b/meta/recipes-core/systemd/systemd_247.3.bb
@@ -16,6 +16,8 @@ REQUIRED_DISTRO_FEATURES = "systemd"
16		16
17	SRC_URI += "file://touchscreen.rules \	17	SRC_URI += "file://touchscreen.rules \
18	file://00-create-volatile.conf \	18	file://00-create-volatile.conf \
		19	${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://org.freedesktop.hostname1_no_polkit.conf', '', d)} \
		20	${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://00-hostnamed-network-user.conf', '', d)} \
19	file://init \	21	file://init \
20	file://99-default.preset \	22	file://99-default.preset \
21	file://systemd-pager.sh \	23	file://systemd-pager.sh \
@@ -164,6 +166,10 @@ PACKAGECONFIG[openssl] = "-Dopenssl=true,-Dopenssl=false,openssl"
164	PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}"	166	PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}"
165	PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2"	167	PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2"
166	PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false"	168	PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false"
		169	# If polkit is disabled and networkd+hostnamed are in use, enabling this option and
		170	# using dbus-broker will allow networkd to be authorized to change the
		171	# hostname without acquiring additional privileges
		172	PACKAGECONFIG[polkit_hostnamed_fallback] = ",,,,dbus-broker,polkit"
167	PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false"	173	PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false"
168	PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode"	174	PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode"
169	PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false"	175	PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false"
@@ -306,6 +312,15 @@ do_install() {
306	fi	312	fi
307	fi	313	fi
308		314
		315	# If polkit is not available and a fallback was requested, install a drop-in that allows networkd to
		316	# request hostname changes via DBUS without elevating its privileges
		317	if ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'true', 'false', d)}; then
		318	install -d ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/
		319	install -m 0644 ${WORKDIR}/00-hostnamed-network-user.conf ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/
		320	install -d ${D}${datadir}/dbus-1/system.d/
		321	install -m 0644 ${WORKDIR}/org.freedesktop.hostname1_no_polkit.conf ${D}${datadir}/dbus-1/system.d/
		322	fi
		323
309	# create link for existing udev rules	324	# create link for existing udev rules
310	ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm	325	ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm
311		326
@@ -370,7 +385,8 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \
370	${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \	385	${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \
371	${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \	386	${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \
372	"	387	"
373	GROUPADD_PARAM_${PN} = "-r systemd-journal"	388	GROUPADD_PARAM_${PN} = "-r systemd-journal;"
		389	GROUPADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '-r systemd-hostname;', '', d)}"
374	USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}"	390	USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}"
375	USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}"	391	USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}"
376	USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"	392	USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
@@ -589,6 +605,7 @@ FILES_${PN} = " ${base_bindir}/* \
589	${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \	605	${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \
590	${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \	606	${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \
591	${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \	607	${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \
		608	${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '${datadir}/dbus-1/system.d/org.freedesktop.hostname1_no_polkit.conf', '', d)} \
592	${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \	609	${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \
593	${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \	610	${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \
594	${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \	611	${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \