From: Topi Miettinen Date: Sun, 25 Sep 2022 17:47:53 +0000 (+0300) Subject: units: udev: partially emulate ProtectClock= X-Git-Tag: v252-rc1~90 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=75723d31a678bdd6b9d0160834e54dc09e3dedd1;p=thirdparty%2Fsystemd.git units: udev: partially emulate ProtectClock= Drop CAP_SYS_TIME and CAP_WAKE_ALARM capabilities and block clock-related system calls. Update TODO.
---
diff --git a/TODO b/TODO
index 2a6dbe97393..f6be4ec545f 100644
--- a/TODO
+++ b/TODO
@@ -1996,8 +1996,7 @@ Features:
 - kill scsi_id
 - add trigger --subsystem-match=usb/usb_device device
 - reimport udev db after MOVE events for devices without dev_t
- - re-enable ProtectClock= or set CapabilityBoundingSet= to drop CAP_SYS_TIME
- and CAP_WAKE_ALARM (and possibly other unnecessary capabilities?).
+ - re-enable ProtectClock= once only cgroupsv2 is supported. See f562abe2963bad241d34e0b308e48cf114672c84.
 * coredump:
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 3579de4a687..e9dbe85ef4a 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -16,6 +16,7 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys
 
 [Service]
+CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM
 Delegate=pids
 Type=notify
 # Note that udev will reset the value internally for its workers
@@ -34,6 +35,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallFilter=@system-service @module @raw-io bpf
+SystemCallFilter=~@clock
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
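Review bot: `SystemCallFilter=~@clock` in the second systemd-udevd.service.in hunk does not tighten the filter by itself, because the preceding allow-list `SystemCallFilter=@system-service @module @raw-io bpf` already leaves the @clock group out (the @system-service set is documented as excluding @clock), so those calls already fail with the EPERM from SystemCallErrorNumber=; a comment recording that the line is intentional documentation of the ProtectClock= stand-in would keep a later cleanup from dropping it, e.g. `# @clock is already outside @system-service; listed explicitly to mirror ProtectClock=`. The same documentation gap applies to `CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM` in the first hunk, which nothing in the unit links to ProtectClock= or to the TODO entry that explains why the real directive is off; `# ProtectClock= cannot be used yet (see TODO); approximate it by dropping the clock capabilities` would do. As far as I recall ProtectClock= also applies a read-only device policy for the RTC nodes, which neither hunk reproduces, so the unit comment should make clear that this is only a partial emulation for readers who never see the commit message.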