Re: [systemd-devel] DynamicUser and udev uaccess

2024-07-18 Thread Andrei Borzenkov
On 19.07.2024 05:01, Renjaya Raga Zenta wrote: Hi there, We have a service using DynamicUser=yes which interacts with some USB scanners. It seems TAG+="uaccess" is already set by 70-uaccess.rules as we use libsane. But unfortunately, the service cannot access the scanner unless we set MODE="666"

[systemd-devel] DynamicUser and udev uaccess

2024-07-18 Thread Renjaya Raga Zenta
Hi there, We have a service using DynamicUser=yes which interacts with some USB scanners. It seems TAG+="uaccess" is already set by 70-uaccess.rules as we use libsane. But unfortunately, the service cannot access the scanner unless we set MODE="666" manually in another udev rule. Is it the expect

Re: [systemd-devel] BindReadOnlyPaths statement in service file behaves unexpectedly

2024-07-18 Thread Thomas Köller
On 18.07.24 16:37, Thomas Köller wrote: In a service file I am creating I use the BindReadOnlyPaths statement like this: root@htpc:~# cat /etc/systemd/system/vpn.service [Unit] Before = systemd-networkd.service After = network-setup.service Requisite = network-setup.service ConditionPathExists

Re: [systemd-devel] namespace problem

2024-07-18 Thread Mantas Mikulėnas
On Thu, Jul 18, 2024, 15:43 Thomas Köller wrote: > On 18.07.24 at 14:04, Mantas Mikulėnas wrote: > > Yes, but namespace persistence actually relies on filesystem access – > > it's implemented as a bind-mount of the namespace file descriptor (onto > > /run/netns for the 'ip netns' tool), as other

[systemd-devel] BindReadOnlyPaths statement in service file behaves unexpectedly

2024-07-18 Thread Thomas Köller
In a service file I am creating I use the BindReadOnlyPaths statement like this: root@htpc:~# cat /etc/systemd/system/vpn.service [Unit] Before = systemd-networkd.service After = network-setup.service Requisite = network-setup.service ConditionPathExists = /run/systemd/network/50-tap_vpn.networ

Re: [systemd-devel] Better systemd naming for Azure/MANA nic

2024-07-18 Thread Haiyang Zhang
+@Lennart Poettering Will you be able to help on this? Or know someone who can update systemd for better naming for Azure/MANA nic? Thanks! -Haiyang From: Haiyang Zhang Sent: Friday, April 19, 2024 2:32 PM To: dimitri.led...@surgut.co.uk Cc: Jack Aboutboul ; Sh

Re: [systemd-devel] namespace problem

2024-07-18 Thread Andrei Borzenkov
On Thu, Jul 18, 2024 at 4:00 PM Thomas Köller wrote: > > On 18.07.24 at 14:04, Mantas Mikulėnas wrote: > > Yes, but namespace persistence actually relies on filesystem access – > > it's implemented as a bind-mount of the namespace file descriptor (onto > > /run/netns for the 'ip netns' tool), as

Re: [systemd-devel] namespace problem

2024-07-18 Thread Thomas Köller
On 18.07.24 at 14:04, Mantas Mikulėnas wrote: Yes, but namespace persistence actually relies on filesystem access – it's implemented as a bind-mount of the namespace file descriptor (onto /run/netns for the 'ip netns' tool), as otherwise namespaces only exist as long as processes that hold the

Re: [systemd-devel] namespace problem

2024-07-18 Thread Mantas Mikulėnas
On Thu, Jul 18, 2024 at 2:14 PM Thomas Köller wrote: > > Does it use any hardening options at all? > > Thanks for the hint. As it seems this is an undocumented side effect of > 'ProtectSystem = full'. From reading the docs I got the impression that > only file system access is affected by this pa

Re: [systemd-devel] namespace problem

2024-07-18 Thread Thomas Köller
Does it use any hardening options at all? Thanks for the hint. As it seems this is an undocumented side effect of 'ProtectSystem = full'. From reading the docs I got the impression that only file system access is affected by this parameter.

Re: [systemd-devel] namespace problem

2024-07-18 Thread Thomas Köller
On 18.07.24 at 12:18, Mantas Mikulėnas wrote: Would really like to see the contents of the .service file. Does it use any hardening options at all? root@htpc:~/netsu# cat /etc/systemd/system/network-setup.service [Unit] Before = systemd-networkd.service Before = network-setup.service [Service]

Re: [systemd-devel] namespace problem

2024-07-18 Thread Mantas Mikulėnas
Would really like to see the contents of the .service file. Does it use any hardening options at all? On Thu, Jul 18, 2024 at 10:49 AM Thomas Köller wrote: > Hi, > > I have a problem creating a namespace from a systemd service. The > service (type oneshot) invokes a shell script containing these

[systemd-devel] namespace problem

2024-07-18 Thread Thomas Köller
Hi, I have a problem creating a namespace from a systemd service. The service (type oneshot) invokes a shell script containing these two lines: ip netns add vpnlink iw phy phy0 set netns name vpnlink Both commands succeed, meaning they do not return an error, and so the service start