units: udev: partially emulate ProtectClock=
authorTopi Miettinen <toiwoton@gmail.com>
Sun, 25 Sep 2022 17:47:53 +0000 (20:47 +0300)
committerLennart Poettering <lennart@poettering.net>
Mon, 26 Sep 2022 09:40:28 +0000 (11:40 +0200)
Drop CAP_SYS_TIME and CAP_WAKE_ALARM capabilities and block clock-related
system calls. Update TODO.

TODO
units/systemd-udevd.service.in

diff --git a/TODO b/TODO
index 2a6dbe973934058f481290b906d1f8054c2633a1..f6be4ec545fbab9c7952e97798778912cf243ed2 100644 (file)
--- a/TODO
+++ b/TODO
@@ -1996,8 +1996,7 @@ Features:
   - kill scsi_id
   - add trigger --subsystem-match=usb/usb_device device
   - reimport udev db after MOVE events for devices without dev_t
-  - re-enable ProtectClock= or set CapabilityBoundingSet= to drop CAP_SYS_TIME
-    and CAP_WAKE_ALARM (and possibly other unnecessary capabilities?).
+  - re-enable ProtectClock= once only cgroupsv2 is supported.
     See f562abe2963bad241d34e0b308e48cf114672c84.
 
 * coredump:
index 3579de4a68713c688ebb62993e154314a1552d77..e9dbe85ef4ad06f3f1317183651b5490f7d0d080 100644 (file)
@@ -16,6 +16,7 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys
 
 [Service]
+CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM
 Delegate=pids
 Type=notify
 # Note that udev will reset the value internally for its workers
@@ -34,6 +35,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallFilter=@system-service @module @raw-io bpf
+SystemCallFilter=~@clock
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
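Review bot: The two added lines (`CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM` in the first hunk and `SystemCallFilter=~@clock` here) are the hand-expanded form of ProtectClock=, but nothing in the unit says so, so a later cleanup could drop one of them or re-add the directive without knowing why it was avoided. I would put a comment above the CapabilityBoundingSet= line, e.g. `# Partial emulation of ProtectClock= (see TODO and f562abe2963bad241d34e0b308e48cf114672c84)`, and name in it what is deliberately left out — as far as I know the full directive also restricts RTC device access via DeviceAllow=, which is presumably the cgroup-dependent part the TODO entry refers to. As I read the SystemCallFilter= merge rules, the deny-list line subtracts @clock from the allow-list on the preceding line rather than replacing it, and with SystemCallErrorNumber=EPERM a worker or RUN= program that attempts a clock call gets EPERM instead of being killed; stating that expected failure mode in the same comment would help whoever debugs a udev rule that unexpectedly fails to set the clock.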