rename_process() requires CAP_SYS_RESOURCE so let's make sure it is in
our permitted set after execve() by adding in to the bounding set.
Previously,
systemd-userdbd.service - User Database Manager
Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled)
Active: active (running) since Mon 2022-12-19 17:07:21 CET; 17min ago
TriggeredBy: ● systemd-userdbd.socket
Docs: man:systemd-userdbd.service(8)
Main PID: 1880 (systemd-userdbd)
Status: "Processing requests..."
Tasks: 4 (limit: 2272)
Memory: 5.2M
CPU: 244ms
CGroup: /system.slice/systemd-userdbd.service
├─1880 /usr/lib/systemd/systemd-userdbd
├─2270 systemd-userwork
├─2271 systemd-userwork
└─2272 systemd-userwork
Now,
Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled)
Active: active (running) since Mon 2022-12-19 17:27:02 CET; 15s ago
TriggeredBy: ● systemd-userdbd.socket
Docs: man:systemd-userdbd.service(8)
Main PID: 2404 (systemd-userdbd)
Status: "Processing requests..."
Tasks: 4 (limit: 2272)
Memory: 5.5M
CPU: 89ms
CGroup: /system.slice/systemd-userdbd.service
├─2404 /usr/lib/systemd/systemd-userdbd
├─2407 "systemd-userwork: waiting..."
├─2408 "systemd-userwork: waiting..."
└─2409 "systemd-userwork: waiting..."
DefaultDependencies=no
[Service]
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE
ExecStart={{ROOTLIBEXECDIR}}/systemd-userdbd
IPAddressDeny=any
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
projects / thirdparty / systemd.git / commitdiff
