From bddfc8afd329ac68a23f66a3512d4e249af25191 Mon Sep 17 00:00:00 2001
From: Tom Gundersen
Date: Mon, 2 Jun 2014 21:50:50 +0200
Subject: [PATCH] networkd: drop CAP_SYS_MODULE
Rely on modules being built-in or autoloaded on-demand. As networkd is a network facing service, we want to limits its capabilities, as much as possible. Also, we may not have CAP_SYS_MODULE in a container, and we want networkd to work the same there. Module autoloading does not always work, but should be fixed by the kernel patch f98f89a0104454f35a: 'net: tunnels - enable module autoloading', which is currently in net-next and which people may consider backporting if they want tunneling support without compiling in the modules. Early adopters may also use a module-load.d snippet and order systemd-modules-load.service before networkd to force the module loading of tunneling modules. This sholud fix the various build issues people have reported.
---
 Makefile.am | 13 +++------
 src/libsystemd-network/network-internal.c | 35 -----------------------
 src/libsystemd-network/network-internal.h | 3 --
 src/network/networkd-manager.c | 6 ----
 src/network/networkd-tunnel.c | 22 --------------
 src/network/networkd.c | 3 +-
 src/network/networkd.h | 1 -
 units/systemd-networkd.service.in | 2 +-
 8 files changed, 6 insertions(+), 79 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index d2f2880c2..b14a6c339 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4253,15 +4253,13 @@ systemd_networkd_SOURCES = \
 systemd_networkd_LDADD = \
 libsystemd-networkd-core.la \
- libsystemd-capability.la \
- $(KMOD_LIBS)
+ libsystemd-capability.la
 noinst_LTLIBRARIES += \
 libsystemd-networkd-core.la
 libsystemd_networkd_core_la_CFLAGS = \
- $(AM_CFLAGS) \
- $(KMOD_CFLAGS)
+ $(AM_CFLAGS)
 libsystemd_networkd_core_la_SOURCES = \
 src/libsystemd-network/network-internal.h \
@@ -4290,8 +4288,7 @@ rootlibexec_PROGRAMS += \
 systemd-networkd-wait-online
 systemd_networkd_wait_online_CFLAGS = \
- $(AM_CFLAGS) \
- $(KMOD_CFLAGS)
+ $(AM_CFLAGS)
 systemd_networkd_wait_online_SOURCES = \
 src/libsystemd-network/network-internal.h \
@@ -4308,12 +4305,10 @@ test_network_SOURCES = \
 src/network/test-network.c
 test_network_CFLAGS = \
- $(AM_CFLAGS) \
- $(KMOD_CFLAGS)
+ $(AM_CFLAGS)
 test_network_LDADD = \
 libsystemd-networkd-core.la
- $(KMOD_LIBS)
 tests += \
 test-network
diff --git a/src/libsystemd-network/network-internal.c b/src/libsystemd-network/network-internal.c
index 261603f84..e9146d0e5 100644
--- a/src/libsystemd-network/network-internal.c
+++ b/src/libsystemd-network/network-internal.c
@@ -327,41 +327,6 @@ int net_parse_inaddr(const char *address, unsigned char *family, void *dst) {
 return 0;
 }
-int load_module(struct kmod_ctx *ctx, const char *mod_name) {
- struct kmod_list *modlist = NULL, *l;
- int r;
-
- assert(ctx);
- assert(mod_name);
-
- r = kmod_module_new_from_lookup(ctx, mod_name, &modlist);
- if (r < 0)
- return r;
-
- if (!modlist) {
- log_error("Failed to find module '%s'", mod_name);
- return -ENOENT;
- }
-
- kmod_list_foreach(l, modlist) {
- struct kmod_module *mod = kmod_module_get_module(l);
-
- r = kmod_module_probe_insert_module(mod, 0, NULL, NULL, NULL, NULL);
- if (r == 0)
- log_info("Inserted module '%s'", kmod_module_get_name(mod));
- else {
- log_error("Failed to insert '%s': %s", kmod_module_get_name(mod),
- strerror(-r));
- }
-
- kmod_module_unref(mod);
- }
-
- kmod_module_unref_list(modlist);
-
- return r;
-}
-
 void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size) {
 unsigned i;
diff --git a/src/libsystemd-network/network-internal.h b/src/libsystemd-network/network-internal.h
index c08cddd79..2aeecf0ce 100644
--- a/src/libsystemd-network/network-internal.h
+++ b/src/libsystemd-network/network-internal.h
@@ -24,7 +24,6 @@
 #include
 #include
 #include
-#include
 #include "udev.h"
 #include "condition-util.h"
@@ -67,8 +66,6 @@ int net_parse_inaddr(const char *address, unsigned char *family, void *dst);
 int net_get_unique_predictable_data(struct udev_device *device, uint8_t result[8]);
-int load_module(struct kmod_ctx *ctx, const char *mod_name);
-
 void serialize_in_addrs(FILE *f, const char *key, struct in_addr *addresses, size_t size);
 int deserialize_in_addrs(struct in_addr **addresses, size_t *size, const char *string);
 int deserialize_in6_addrs(struct in6_addr **addresses, size_t *size, const char *string);
diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
index c4a325de4..4b35ea0d2 100644
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@@ -21,7 +21,6 @@
 #include
 #include
-#include
 #include "conf-parser.h"
 #include "path-util.h"
@@ -120,10 +119,6 @@ int manager_new(Manager **ret) {
 return -ENOMEM;
 }
- m->kmod_ctx = kmod_new(NULL, NULL);
- if (!m->kmod_ctx)
- return -ENOMEM;
-
 m->links = hashmap_new(uint64_hash_func, uint64_compare_func);
 if (!m->links)
 return -ENOMEM;
@@ -150,7 +145,6 @@ void manager_free(Manager *m) {
 free(m->state_file);
- kmod_unref(m->kmod_ctx);
 udev_monitor_unref(m->udev_monitor);
 udev_unref(m->udev);
 sd_bus_unref(m->bus);
diff --git a/src/network/networkd-tunnel.c b/src/network/networkd-tunnel.c
index e3ceb8b52..60b16ba84 100644
--- a/src/network/networkd-tunnel.c
+++ b/src/network/networkd-tunnel.c
@@ -24,7 +24,6 @@
 #include
 #include
 #include
-#include
 #include "sd-rtnl.h"
 #include "networkd.h"
@@ -443,27 +442,6 @@ int netdev_create_tunnel(Link *link, sd_rtnl_message_handler_t callback) {
 assert(netdev->ifname);
 assert(netdev->manager);
 assert(netdev->manager->rtnl);
- assert(netdev->manager->kmod_ctx);
-
- /* Load kernel module first */
- switch(netdev->kind) {
- case NETDEV_KIND_IPIP:
- case NETDEV_KIND_GRE:
- case NETDEV_KIND_SIT:
- r = load_module(netdev->manager->kmod_ctx,
- netdev_kind_to_string(netdev->kind));
- if (r < 0) {
- log_error_netdev(netdev,
- "Could not load Kernel module: %s . Ignoring",
- netdev_kind_to_string(netdev->kind));
- return r;
- }
- break;
- case NETDEV_KIND_VTI:
- break;
- default:
- return -ENOTSUP;
- }
 r = sd_rtnl_message_new_link(netdev->manager->rtnl, &m, RTM_NEWLINK, 0);
 if (r < 0) {
diff --git a/src/network/networkd.c b/src/network/networkd.c
index cd7dd3ca0..d8f31a490 100644
--- a/src/network/networkd.c
+++ b/src/network/networkd.c
@@ -71,8 +71,7 @@ int main(int argc, char *argv[]) {
 (1ULL << CAP_NET_ADMIN) |
 (1ULL << CAP_NET_BIND_SERVICE) |
 (1ULL << CAP_NET_BROADCAST) |
- (1ULL << CAP_NET_RAW) |
- (1ULL << CAP_SYS_MODULE));
+ (1ULL << CAP_NET_RAW));
 if (r < 0)
 goto out;
diff --git a/src/network/networkd.h b/src/network/networkd.h
index 82d8d706b..6f77c7785 100644
--- a/src/network/networkd.h
+++ b/src/network/networkd.h
@@ -275,7 +275,6 @@ struct Manager {
 LIST_HEAD(Network, networks);
 usec_t network_dirs_ts_usec;
- struct kmod_ctx *kmod_ctx;
 };
 extern const char* const network_dirs[];
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 33c3fca48..3538295df 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
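Review bot: Deleting the whole switch from netdev_create_tunnel also deletes its `default: return -ENOTSUP;` arm, so a netdev whose kind is not IPIP, GRE, SIT or VTI now reaches sd_rtnl_message_new_link and gets an RTM_NEWLINK built for it instead of being rejected before any netlink traffic. Unless a caller filters kinds earlier (not visible in this hunk), the kind check is the part of the removed block worth keeping; only the load_module() call needed CAP_SYS_MODULE, and with it gone an unsupported or not-yet-loaded tunnel type is only reported back through the rtnl reply. The rewrite below keeps a switch over netdev->kind that merely validates, with no module loading. netdev_create_tunnel starts and ends outside the hunk, so `r` and `m` are declared on lines not shown.
```c
        assert(netdev->manager->rtnl);

        /* Kernel modules are expected to be built in or autoloaded on demand;
         * still refuse kinds this function does not know how to describe. */
        switch (netdev->kind) {
        case NETDEV_KIND_IPIP:
        case NETDEV_KIND_GRE:
        case NETDEV_KIND_SIT:
        case NETDEV_KIND_VTI:
                break;
        default:
                return -ENOTSUP;
        }

        r = sd_rtnl_message_new_link(netdev->manager->rtnl, &m, RTM_NEWLINK, 0);
        /* … unchanged: error handling and the rest of the function … */
```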
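Review bot: The capability mask retained in main() (CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW) is a hand-maintained copy of the policy expressed by CapabilityBoundingSet= in units/systemd-networkd.service.in, and this commit has to edit both in lockstep; a comment above the mask, `/* Must stay a subset of CapabilityBoundingSet= in units/systemd-networkd.service.in */`, would make the next divergence visible in review. The unit's set is wider (CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER remain), which is presumably what the privilege drop earlier in main() requires, but that part of main() is outside the hunk. The same point covers the units/systemd-networkd.service.in hunk; no separate change is needed there.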
@@ -19,7 +19,7 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-networkd
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_MODULE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
 WatchdogSec=1min
 [Install]
--
2.30.2