systemd: add user unit
The user unit omits the "ProtectKernelModules" setting which fails with modular kernels: Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not permitted It is unfortunate that systemd (version 232) is unable to reduce its own capabilities, because this requires us to split system and user units. https://bugs.musicpd.org/view.php?id=4608
This commit is contained in:
Max Kellermann
29
systemd/user/mpd.service.in
Normal file
29
systemd/user/mpd.service.in
Normal file
@@ -0,0 +1,29 @@
|
||||
[Unit]
|
||||
Description=Music Player Daemon
|
||||
After=network.target sound.target
|
||||
|
||||
[Service]
|
||||
ExecStart=@prefix@/bin/mpd --no-daemon
|
||||
|
||||
# allow MPD to use real-time priority 50
|
||||
LimitRTPRIO=50
|
||||
LimitRTTIME=infinity
|
||||
|
||||
# disallow writing to /usr, /bin, /sbin, ...
|
||||
ProtectSystem=yes
|
||||
|
||||
# more paranoid security settings
|
||||
NoNewPrivileges=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectControlGroups=yes
|
||||
# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
|
||||
RestrictNamespaces=yes
|
||||
|
||||
# Note that "ProtectKernelModules=yes" is missing in the user unit
|
||||
# because systemd 232 is unable to reduce its own capabilities
|
||||
# ("Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not
|
||||
# permitted")
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
Reference in New Issue
Block a user