On Tue, Dec 15, 2020 at 06:19:09AM +0200, Jarkko Sakkinen wrote:
> On Mon, Dec 14, 2020 at 08:25:50AM +0100, Ulrich Windl wrote:
> > >>> Topi Miettinen wrote on 11.12.2020 at 12:46 in
> > message
> > <27796c04-249e-6cf0-c3e1-0fd657a82...@gmail.com>:
> > > On 11.12.2020 12.46, Jarkko Sakkinen
On Mon, Dec 14, 2020 at 08:25:50AM +0100, Ulrich Windl wrote:
> >>> Topi Miettinen wrote on 11.12.2020 at 12:46 in
> message
> <27796c04-249e-6cf0-c3e1-0fd657a82...@gmail.com>:
> > On 11.12.2020 12.46, Jarkko Sakkinen wrote:
> >> On Wed, Dec 09, 2020 at 10:35:21AM +0200, Topi Miettinen wrote:
On Mon, Dec 14, 2020 at 06:18:24PM +0200, Adi Ml wrote:
> I guess that udev can block devices from userspace only, so from there.
>
> Of course, you are right, whitelist is better.
>
> As for usbguard, I thought about using seccomp and filtering system calls
> in my udev service based on their
Thank you for the reply, Colin. I found that to be the case[1]. I
think everything is working as expected now. I still have quirks with
the kodi-x11.service since it has to call xinit as well as the kodi
binary but I do not know of a cleaner way to do it unless there is a
multiple unit solution
I guess that udev can block devices from userspace only, so from there.
Of course, you are right, whitelist is better.
As for usbguard, I thought about using seccomp and filtering system calls
in my udev service based on their code - I have seen that they list a group
of system calls and
John wrote on 14/12/2020 12:52:
> Note that it looks
> like I will need to add some udev rules to allow the kodi user to
> shutdown the system which it could do when the PAMName=login was
> present.
Just a small hint, but it might be policykit rules you need to add
rather than udev rules.
Col
On Mon, Dec 14, 2020 at 05:31:17PM +0200, Adi Ml wrote:
> I am using udev in order to create a kiosk mode. I want to block devices
> which fit a certain vid pid.
Block devices from where? The kernel or userspace?
udev runs _after_ the kernel has seen the device and bound to it.
And usb
I am using udev in order to create a kiosk mode. I want to block devices
which fit a certain vid pid. I want to filter system calls anyway because I
don't know which devices are entered and I want to avoid devices which will
do unusual things like rubber ducky.
What do you mean by filtering system
On Mon, Dec 14, 2020 at 04:30:58PM +0200, Adi Ml wrote:
> Hi,
> Is there some way to detect which system calls I am using in udev (in
> order to filter it)?
I don't understand, if you don't know what system calls you are needing,
why do you need to filter anything? Do you not trust udev to work
Hi,
Is there some way to detect which system calls I am using in udev (in
order to filter it)?
I do not use any script, I just echo 0 to the authorized file in the device
connected in order to disable it when it is not the wanted device (the
match is based on serial number, vid, pid)
Thank you
Hi systemd-devel team,
We are getting the crash below in our CI environment with systemd v244-stable,
so could you please confirm whether the PR:
https://github.com/systemd/systemd/pull/15557
On Mon, Dec 14, 2020 at 02:54:31PM +0200, Adi Ml wrote:
> Hi,
>
> I would like to harden my udev service with the
> SystemCallFilter option. What system calls should be permitted/allowed in
> order to secure it and avoid irrelevant system calls?
It all depends on what type of scripts/programs you
Hi,
I would like to harden my udev service with the
SystemCallFilter option. What system calls should be permitted/allowed in
order to secure it and avoid irrelevant system calls?
Thank you!
On Mon, Dec 14, 2020 at 12:39 AM Andrei Borzenkov wrote:
> If your application creates user session, on shutdown systemd will stop
> existing sessions and it happens independently of your service.
Andrei - Thank you for this info. It caused me to search 'systemd
wait for user session on