From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 13 Jun 2025 13:12:25 +0000 (+0200)
Subject: nsresourced: make sure "tun" driver is properly loaded and accessible
X-Git-Tag: v258-rc1~322
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=273d14f5ddf5971cb89efb006ffd799a0d267214;p=thirdparty%2Fsystemd.git

nsresourced: make sure "tun" driver is properly loaded and accessible

We need access to /dev/net/tun, hence make sure we can actually see
/dev/. Also make sure the module is properly loaded before we operate,
given that we run with limit caps. But then again give the CAP_NET_ADMIN
cap, since we need to configure the network tap/tun devices.

Follow-up for: 1365034727b3322e0adf371700cc540a1bcd95c1
---

diff --git a/units/systemd-nsresourced.service.in b/units/systemd-nsresourced.service.in
index 6ecfefc7cf1..0e2d6b3628c 100644
--- a/units/systemd-nsresourced.service.in
+++ b/units/systemd-nsresourced.service.in
@@ -13,17 +13,20 @@ Documentation=man:systemd-nsresourced.service(8)
 Requires=systemd-nsresourced.socket
 Conflicts=shutdown.target
 Before=sysinit.target shutdown.target
+Wants=modprobe@tun.service
+After=modprobe@tun.service
 DefaultDependencies=no
 
 [Service]
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_CHOWN CAP_FOWNER CAP_NET_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-nsresourced
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-PrivateDevices=yes
+DevicePolicy=closed
+DeviceAllow=/dev/net/tun rwm
 ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes