diff options
3 files changed, 35 insertions, 1 deletions
diff --git a/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf new file mode 100644 index 0000000000..6b224ba9b9 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf | |||
| @@ -0,0 +1,6 @@ | |||
| 1 | [Service] | ||
| 2 | # By running with these options instead of root, networkd is allowed to request | ||
| 3 | # a hostname change via DBUS when policykit is not present | ||
| 4 | User=systemd-network | ||
| 5 | Group=systemd-hostname | ||
| 6 | AmbientCapabilities=CAP_SYS_ADMIN | ||
diff --git a/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf new file mode 100644 index 0000000000..f4d0271cdb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf | |||
| @@ -0,0 +1,11 @@ | |||
| 1 | <?xml version="1.0"?> <!--*-nxml-*--> | ||
| 2 | <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" | ||
| 3 | "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> | ||
| 4 | |||
| 5 | <busconfig> | ||
| 6 | <policy group="systemd-hostname"> | ||
| 7 | <allow own="org.freedesktop.hostname1"/> | ||
| 8 | <allow send_destination="org.freedesktop.hostname1"/> | ||
| 9 | <allow receive_sender="org.freedesktop.hostname1"/> | ||
| 10 | </policy> | ||
| 11 | </busconfig> | ||
diff --git a/meta/recipes-core/systemd/systemd_247.3.bb b/meta/recipes-core/systemd/systemd_247.3.bb index a99e543a77..59e000f1dd 100644 --- a/meta/recipes-core/systemd/systemd_247.3.bb +++ b/meta/recipes-core/systemd/systemd_247.3.bb | |||
| @@ -16,6 +16,8 @@ REQUIRED_DISTRO_FEATURES = "systemd" | |||
| 16 | 16 | ||
| 17 | SRC_URI += "file://touchscreen.rules \ | 17 | SRC_URI += "file://touchscreen.rules \ |
| 18 | file://00-create-volatile.conf \ | 18 | file://00-create-volatile.conf \ |
| 19 | ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://org.freedesktop.hostname1_no_polkit.conf', '', d)} \ | ||
| 20 | ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://00-hostnamed-network-user.conf', '', d)} \ | ||
| 19 | file://init \ | 21 | file://init \ |
| 20 | file://99-default.preset \ | 22 | file://99-default.preset \ |
| 21 | file://systemd-pager.sh \ | 23 | file://systemd-pager.sh \ |
| @@ -164,6 +166,10 @@ PACKAGECONFIG[openssl] = "-Dopenssl=true,-Dopenssl=false,openssl" | |||
| 164 | PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}" | 166 | PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}" |
| 165 | PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2" | 167 | PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2" |
| 166 | PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false" | 168 | PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false" |
| 169 | # If polkit is disabled and networkd+hostnamed are in use, enabling this option and | ||
| 170 | # using dbus-broker will allow networkd to be authorized to change the | ||
| 171 | # hostname without acquiring additional privileges | ||
| 172 | PACKAGECONFIG[polkit_hostnamed_fallback] = ",,,,dbus-broker,polkit" | ||
| 167 | PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false" | 173 | PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false" |
| 168 | PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode" | 174 | PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode" |
| 169 | PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false" | 175 | PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false" |
| @@ -306,6 +312,15 @@ do_install() { | |||
| 306 | fi | 312 | fi |
| 307 | fi | 313 | fi |
| 308 | 314 | ||
| 315 | # If polkit is not available and a fallback was requested, install a drop-in that allows networkd to | ||
| 316 | # request hostname changes via DBUS without elevating its privileges | ||
| 317 | if ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'true', 'false', d)}; then | ||
| 318 | install -d ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/ | ||
| 319 | install -m 0644 ${WORKDIR}/00-hostnamed-network-user.conf ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/ | ||
| 320 | install -d ${D}${datadir}/dbus-1/system.d/ | ||
| 321 | install -m 0644 ${WORKDIR}/org.freedesktop.hostname1_no_polkit.conf ${D}${datadir}/dbus-1/system.d/ | ||
| 322 | fi | ||
| 323 | |||
| 309 | # create link for existing udev rules | 324 | # create link for existing udev rules |
| 310 | ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm | 325 | ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm |
| 311 | 326 | ||
| @@ -370,7 +385,8 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \ | |||
| 370 | ${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \ | 385 | ${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \ |
| 371 | ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \ | 386 | ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \ |
| 372 | " | 387 | " |
| 373 | GROUPADD_PARAM_${PN} = "-r systemd-journal" | 388 | GROUPADD_PARAM_${PN} = "-r systemd-journal;" |
| 389 | GROUPADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '-r systemd-hostname;', '', d)}" | ||
| 374 | USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}" | 390 | USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}" |
| 375 | USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}" | 391 | USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}" |
| 376 | USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}" | 392 | USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}" |
| @@ -589,6 +605,7 @@ FILES_${PN} = " ${base_bindir}/* \ | |||
| 589 | ${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \ | 605 | ${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \ |
| 590 | ${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \ | 606 | ${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \ |
| 591 | ${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \ | 607 | ${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \ |
| 608 | ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '${datadir}/dbus-1/system.d/org.freedesktop.hostname1_no_polkit.conf', '', d)} \ | ||
| 592 | ${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \ | 609 | ${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \ |
| 593 | ${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \ | 610 | ${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \ |
| 594 | ${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \ | 611 | ${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \ |