networkd: drop CAP_SYS_MODULE

Rely on modules being built-in or autoloaded on-demand.

As networkd is a network facing service, we want to limits its capabilities,
as much as possible. Also, we may not have CAP_SYS_MODULE in a container,
and we want networkd to work the same there.

Module autoloading does not always work, but should be fixed by the kernel
patch f98f89a0104454f35a: 'net: tunnels - enable module autoloading', which
is currently in net-next and which people may consider backporting if they
want tunneling support without compiling in the modules.

Early adopters may also use a module-load.d snippet and order
systemd-modules-load.service before networkd to force the module
loading of tunneling modules.

This sholud fix the various build issues people have reported.

diff --git a/Makefile.am b/Makefile.am
index d2f2880c28a087b5d3125ce8ceb4845d43b4fabe..b14a6c3392d6fe3d758fe20d716863f2eb031e0b 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -4253,15 +4253,13 @@ systemd_networkd_SOURCES = \
 
 systemd_networkd_LDADD = \
        libsystemd-networkd-core.la \
 
 systemd_networkd_LDADD = \
        libsystemd-networkd-core.la \

-       libsystemd-capability.la \
-       $(KMOD_LIBS)
+       libsystemd-capability.la

 
 noinst_LTLIBRARIES += \
        libsystemd-networkd-core.la
 
 libsystemd_networkd_core_la_CFLAGS = \
 
 noinst_LTLIBRARIES += \
        libsystemd-networkd-core.la
 
 libsystemd_networkd_core_la_CFLAGS = \

-       $(AM_CFLAGS) \
-       $(KMOD_CFLAGS)
+       $(AM_CFLAGS)

 
 libsystemd_networkd_core_la_SOURCES = \
        src/libsystemd-network/network-internal.h \
 
 libsystemd_networkd_core_la_SOURCES = \
        src/libsystemd-network/network-internal.h \


@@ -4290,8 +4288,7 @@ rootlibexec_PROGRAMS += \
        systemd-networkd-wait-online
 
 systemd_networkd_wait_online_CFLAGS = \
        systemd-networkd-wait-online
 
 systemd_networkd_wait_online_CFLAGS = \

-       $(AM_CFLAGS) \
-       $(KMOD_CFLAGS)
+       $(AM_CFLAGS)

 
 systemd_networkd_wait_online_SOURCES = \
        src/libsystemd-network/network-internal.h \
 
 systemd_networkd_wait_online_SOURCES = \
        src/libsystemd-network/network-internal.h \


@@ -4308,12 +4305,10 @@ test_network_SOURCES = \
        src/network/test-network.c
 
 test_network_CFLAGS = \
        src/network/test-network.c
 
 test_network_CFLAGS = \

-       $(AM_CFLAGS) \
-       $(KMOD_CFLAGS)
+       $(AM_CFLAGS)

 
 test_network_LDADD = \
        libsystemd-networkd-core.la
 
 test_network_LDADD = \
        libsystemd-networkd-core.la

-       $(KMOD_LIBS)

 
 tests += \
        test-network
 
 tests += \
        test-network

diff --git a/src/libsystemd-network/network-internal.c b/src/libsystemd-network/network-internal.c
index 261603f841df2861fcc65f865f2d65381252a690..e9146d0e54d46b83984d96cb0056569b1075099a 100644 (file)
--- a/src/libsystemd-network/network-internal.c
+++ b/src/libsystemd-network/network-internal.c
@@ -327,41 +327,6 @@ int net_parse_inaddr(const char *address, unsigned char *family, void *dst) {
         return 0;
 }
 
         return 0;
 }
 

-int load_module(struct kmod_ctx *ctx, const char *mod_name) {
-        struct kmod_list *modlist = NULL, *l;
-        int r;
-
-        assert(ctx);
-        assert(mod_name);
-
-        r = kmod_module_new_from_lookup(ctx, mod_name, &modlist);
-        if (r < 0)
-                return r;
-
-        if (!modlist) {
-                log_error("Failed to find module '%s'", mod_name);
-                return -ENOENT;
-        }
-
-        kmod_list_foreach(l, modlist) {
-                struct kmod_module *mod = kmod_module_get_module(l);
-
-                r = kmod_module_probe_insert_module(mod, 0, NULL, NULL, NULL, NULL);
-                if (r == 0)
-                        log_info("Inserted module '%s'", kmod_module_get_name(mod));
-                else {
-                        log_error("Failed to insert '%s': %s", kmod_module_get_name(mod),
-                                  strerror(-r));
-                }
-
-                kmod_module_unref(mod);
-        }
-
-        kmod_module_unref_list(modlist);
-
-        return r;
-}
-

 void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size) {
         unsigned i;
 
 void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size) {
         unsigned i;
 

diff --git a/src/libsystemd-network/network-internal.h b/src/libsystemd-network/network-internal.h
index c08cddd799383cfb5324de43b6c653ebb1811def..2aeecf0ce2237a65feadf59be71a06cfe8c869e2 100644 (file)
--- a/src/libsystemd-network/network-internal.h
+++ b/src/libsystemd-network/network-internal.h
@@ -24,7 +24,6 @@
 #include <netinet/ether.h>
 #include <netinet/in.h>
 #include <stdbool.h>
 #include <netinet/ether.h>
 #include <netinet/in.h>
 #include <stdbool.h>

-#include <libkmod.h>

 
 #include "udev.h"
 #include "condition-util.h"
 
 #include "udev.h"
 #include "condition-util.h"


@@ -67,8 +66,6 @@ int net_parse_inaddr(const char *address, unsigned char *family, void *dst);
 
 int net_get_unique_predictable_data(struct udev_device *device, uint8_t result[8]);
 
 
 int net_get_unique_predictable_data(struct udev_device *device, uint8_t result[8]);
 

-int load_module(struct kmod_ctx *ctx, const char *mod_name);
-

 void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size);
 int deserialize_in_addrs(struct in_addr **addresses, size_t *size, const char *string);
 int deserialize_in6_addrs(struct in6_addr **addresses, size_t *size, const char *string);
 void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size);
 int deserialize_in_addrs(struct in_addr **addresses, size_t *size, const char *string);
 int deserialize_in6_addrs(struct in6_addr **addresses, size_t *size, const char *string);

diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
index c4a325de426c119b558caac00d965a25aabc9cf1..4b35ea0d2901ac659453a9acccf8ecd7c63c48a6 100644 (file)
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@@ -21,7 +21,6 @@
 
 #include <sys/socket.h>
 #include <linux/if.h>
 
 #include <sys/socket.h>
 #include <linux/if.h>

-#include <libkmod.h>

 
 #include "conf-parser.h"
 #include "path-util.h"
 
 #include "conf-parser.h"
 #include "path-util.h"


@@ -120,10 +119,6 @@ int manager_new(Manager **ret) {
                         return -ENOMEM;
         }
 
                         return -ENOMEM;
         }
 

-        m->kmod_ctx = kmod_new(NULL, NULL);
-        if (!m->kmod_ctx)
-                return -ENOMEM;
-

         m->links = hashmap_new(uint64_hash_func, uint64_compare_func);
         if (!m->links)
                 return -ENOMEM;
         m->links = hashmap_new(uint64_hash_func, uint64_compare_func);
         if (!m->links)
                 return -ENOMEM;


@@ -150,7 +145,6 @@ void manager_free(Manager *m) {
 
         free(m->state_file);
 
 
         free(m->state_file);
 

-        kmod_unref(m->kmod_ctx);

         udev_monitor_unref(m->udev_monitor);
         udev_unref(m->udev);
         sd_bus_unref(m->bus);
         udev_monitor_unref(m->udev_monitor);
         udev_unref(m->udev);
         sd_bus_unref(m->bus);

diff --git a/src/network/networkd-tunnel.c b/src/network/networkd-tunnel.c
index e3ceb8b52b788ba6820b5294cd734102c8f701c8..60b16ba8496aff623d038adc15a6b62ca6dd2a02 100644 (file)
--- a/src/network/networkd-tunnel.c
+++ b/src/network/networkd-tunnel.c
@@ -24,7 +24,6 @@
 #include <net/if.h>
 #include <linux/ip.h>
 #include <linux/if_tunnel.h>
 #include <net/if.h>
 #include <linux/ip.h>
 #include <linux/if_tunnel.h>

-#include <libkmod.h>

 
 #include "sd-rtnl.h"
 #include "networkd.h"
 
 #include "sd-rtnl.h"
 #include "networkd.h"


@@ -443,27 +442,6 @@ int netdev_create_tunnel(Link *link, sd_rtnl_message_handler_t callback) {
         assert(netdev->ifname);
         assert(netdev->manager);
         assert(netdev->manager->rtnl);
         assert(netdev->ifname);
         assert(netdev->manager);
         assert(netdev->manager->rtnl);

-        assert(netdev->manager->kmod_ctx);
-
-        /* Load kernel module first */
-        switch(netdev->kind) {
-        case NETDEV_KIND_IPIP:
-        case NETDEV_KIND_GRE:
-        case NETDEV_KIND_SIT:
-                r = load_module(netdev->manager->kmod_ctx,
-                                netdev_kind_to_string(netdev->kind));
-                if (r < 0) {
-                        log_error_netdev(netdev,
-                                         "Could not load Kernel module: %s . Ignoring",
-                                         netdev_kind_to_string(netdev->kind));
-                        return r;
-                }
-                break;
-        case NETDEV_KIND_VTI:
-                break;
-        default:
-                return -ENOTSUP;
-        }

 
         r = sd_rtnl_message_new_link(netdev->manager->rtnl, &m, RTM_NEWLINK, 0);
         if (r < 0) {
 
         r = sd_rtnl_message_new_link(netdev->manager->rtnl, &m, RTM_NEWLINK, 0);
         if (r < 0) {

diff --git a/src/network/networkd.c b/src/network/networkd.c
index cd7dd3ca0f59ca67db4f9c527b6909bfbb174ab7..d8f31a490d6ae042ff832a035db7238df427897a 100644 (file)
--- a/src/network/networkd.c
+++ b/src/network/networkd.c
@@ -71,8 +71,7 @@ int main(int argc, char *argv[]) {
                             (1ULL << CAP_NET_ADMIN) |
                             (1ULL << CAP_NET_BIND_SERVICE) |
                             (1ULL << CAP_NET_BROADCAST) |
                             (1ULL << CAP_NET_ADMIN) |
                             (1ULL << CAP_NET_BIND_SERVICE) |
                             (1ULL << CAP_NET_BROADCAST) |

-                            (1ULL << CAP_NET_RAW) |
-                            (1ULL << CAP_SYS_MODULE));
+                            (1ULL << CAP_NET_RAW));

         if (r < 0)
                 goto out;
 
         if (r < 0)
                 goto out;
 

diff --git a/src/network/networkd.h b/src/network/networkd.h
index 82d8d706b57ec8df67a1ff31c31924114d5198a2..6f77c7785f0dbeffbfaa47abf282b3f93aa26e2f 100644 (file)
--- a/src/network/networkd.h
+++ b/src/network/networkd.h
@@ -275,7 +275,6 @@ struct Manager {
         LIST_HEAD(Network, networks);
 
         usec_t network_dirs_ts_usec;
         LIST_HEAD(Network, networks);
 
         usec_t network_dirs_ts_usec;

-        struct kmod_ctx *kmod_ctx;

 };
 
 extern const char* const network_dirs[];
 };
 
 extern const char* const network_dirs[];

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 33c3fca488c6b154795499be7f8d395e44f9278a..3538295df4a8f48eee3dffc3ec89d6b6551bc88b 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -19,7 +19,7 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-networkd
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-networkd

-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_MODULE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER

 WatchdogSec=1min
 
 [Install]
 WatchdogSec=1min
 
 [Install]