From df069bc4562743193ae477980330e46a76cc84dc Mon Sep 17 00:00:00 2001
From: naglis <827324+naglis@users.noreply.github.com>
Date: Fri, 15 Sep 2023 22:04:38 +0300
Subject: [PATCH 1/2] systemd: base "ListenStream" on build options
Make `mpd.socket` configurable based on build options, so that e.g. `ListenStream=6600` is not added if `tcp` option is not enabled.
---
 systemd/meson.build | 10 ++++++++++
 systemd/system/meson.build | 6 ++++--
 systemd/system/{mpd.socket => mpd.socket.in} | 3 +--
 systemd/user/meson.build | 7 ++++---
 4 files changed, 19 insertions(+), 7 deletions(-)
 rename systemd/system/{mpd.socket => mpd.socket.in} (66%)
diff --git a/systemd/meson.build b/systemd/meson.build
index b74d76e6c..9f81d3ffd 100644
--- a/systemd/meson.build
+++ b/systemd/meson.build
@@ -1,5 +1,15 @@
 systemd_unit_conf = configuration_data()
 systemd_unit_conf.set('prefix', get_option('prefix'))
+systemd_socket_conf = configuration_data()
+listen_streams = []
+if get_option('local_socket')
+ listen_streams += 'ListenStream=%t/mpd/socket'
+endif
+if get_option('tcp')
+ listen_streams += 'ListenStream=6600'
+endif
+systemd_socket_conf.set('listen_streams', '\n'.join(listen_streams))
+
 subdir('system')
 subdir('user')
diff --git a/systemd/system/meson.build b/systemd/system/meson.build
index c6d676b7c..34849827e 100644
--- a/systemd/system/meson.build
+++ b/systemd/system/meson.build
@@ -12,8 +12,10 @@ if systemd_system_unit_dir == ''
 systemd_system_unit_dir = join_paths(get_option('prefix'), 'lib', 'systemd', 'system')
 endif
-install_data(
- 'mpd.socket',
+configure_file(
+ input: 'mpd.socket.in',
+ output: 'mpd.socket',
+ configuration: systemd_socket_conf,
 install_dir: systemd_system_unit_dir,
 )
diff --git a/systemd/system/mpd.socket b/systemd/system/mpd.socket.in
similarity index 66%
rename from systemd/system/mpd.socket
rename to systemd/system/mpd.socket.in
index 56c4a27fc..793581efe 100644
--- a/systemd/system/mpd.socket
+++ b/systemd/system/mpd.socket.in
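Review bot: When both `local_socket` and `tcp` are disabled, `listen_streams` stays empty and the generated `mpd.socket` is still installed without any `ListenStream=` directive, which systemd refuses to load as a socket unit with no Listen setting; the `configure_file()` calls in systemd/system/meson.build and systemd/user/meson.build, and the `@listen_streams@` template hunk for mpd.socket.in, inherit the same gap. Guard the empty case in this hunk before the `set()` call, e.g. `if listen_streams.length() == 0` / `  error('systemd socket activation requires local_socket or tcp')` / `endif`, or alternatively skip installing the socket unit in that configuration so the build does not ship a unit that cannot start.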
@@ -1,6 +1,5 @@
 [Socket]
-ListenStream=%t/mpd/socket
-ListenStream=6600
+@listen_streams@
 Backlog=5
 KeepAlive=true
 PassCredentials=true
diff --git a/systemd/user/meson.build b/systemd/user/meson.build
index 7a3522ce5..892876da0 100644
--- a/systemd/user/meson.build
+++ b/systemd/user/meson.build
@@ -12,9 +12,10 @@ if systemd_user_unit_dir == ''
 systemd_user_unit_dir = join_paths(get_option('prefix'), 'lib', 'systemd', 'user')
 endif
-# copy the system socket unit to the "user" directory
-install_data(
- join_paths('..', 'system', 'mpd.socket'),
+configure_file(
+ input: join_paths('..', 'system', 'mpd.socket.in'),
+ output: 'mpd.socket',
+ configuration: systemd_socket_conf,
 install_dir: systemd_user_unit_dir,
 )
From bdfe5e97cd3389b87ae94a0f6a848609559e7a88 Mon Sep 17 00:00:00 2001
From: naglis <827324+naglis@users.noreply.github.com>
Date: Fri, 15 Sep 2023 22:27:19 +0300
Subject: [PATCH 2/2] systemd: base "RestrictAddressFamilies" on build options
This allows to not allow `AF_NETLINK` if `smbclient` is not enabled.
---
 systemd/meson.build | 7 +++++++
 systemd/system/mpd.service.in | 3 +--
 systemd/user/mpd.service.in | 3 +--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/systemd/meson.build b/systemd/meson.build
index 9f81d3ffd..1ae36c0ff 100644
--- a/systemd/meson.build
+++ b/systemd/meson.build
@@ -1,6 +1,13 @@
 systemd_unit_conf = configuration_data()
 systemd_unit_conf.set('prefix', get_option('prefix'))
+address_families = ['AF_INET', 'AF_INET6', 'AF_UNIX']
+if get_option('smbclient').enabled()
+ # AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+ address_families += 'AF_NETLINK'
+endif
+systemd_unit_conf.set('address_families', ' '.join(address_families))
+
 systemd_socket_conf = configuration_data()
 listen_streams = []
 if get_option('local_socket')
diff --git a/systemd/system/mpd.service.in b/systemd/system/mpd.service.in
index 87bc88942..fcb4b52c1 100644
--- a/systemd/system/mpd.service.in
+++ b/systemd/system/mpd.service.in
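Review bot: The comment `# copy the system socket unit to the "user" directory` is removed together with `install_data()`, yet the new `configure_file()` still reads its template from `../system/mpd.socket.in`, so the reason the user unit is generated from the system directory's template is now undocumented in this file. Keep a one-line comment directly above `configure_file(`, e.g. `# the user socket unit is generated from the system template in ../system`.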
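Review bot: `get_option('smbclient').enabled()` is true only when the feature option was explicitly set to `enabled`; if the option defaults to `auto` (which the `.enabled()` call implies it is a feature option), a default build that finds libsmbclient still links it but omits `AF_NETLINK` from `RestrictAddressFamilies=`, and the comment carried into this hunk states that libsmbclient then calls exit(), so the hardened unit would break SMB playback in the common configuration. The condition should track the resolved dependency rather than the option state, e.g. `if <smbclient dependency>.found()` using whatever dependency object the smbclient subdir defines, which requires that subdir to be evaluated before `subdir('systemd')`; `not get_option('smbclient').disabled()` is a conservative approximation if that ordering is not available. The `subdir` ordering lives in the top-level meson.build, outside this hunk.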
@@ -27,8 +27,7 @@ NoNewPrivileges=yes
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
-# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictAddressFamilies=@address_families@
 RestrictNamespaces=yes
 [Install]
diff --git a/systemd/user/mpd.service.in b/systemd/user/mpd.service.in
index 91b24dc5f..16ad03b0d 100644
--- a/systemd/user/mpd.service.in
+++ b/systemd/user/mpd.service.in
@@ -28,8 +28,7 @@ ProtectSystem=yes
 NoNewPrivileges=yes
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
-# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictAddressFamilies=@address_families@
 RestrictNamespaces=yes
 # Note that "ProtectKernelModules=yes" is missing in the user unit
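Review bot: The only explanation of why `AF_NETLINK` may appear in `RestrictAddressFamilies=` moves into systemd/meson.build, so an administrator reading the installed unit (what `systemctl cat mpd` shows) no longer sees why a netlink socket is permitted inside an otherwise tightly sandboxed media player; the systemd/user/mpd.service.in hunk below drops the same comment. Keep a short note in the template above the directive that survives into the generated file, e.g. `# generated at build time; AF_NETLINK is included only when libsmbclient support is built in`.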