From 34c8c5425f01c288afa62a4f20fdde62f3664a3a Mon Sep 17 00:00:00 2001
From: Stuart D. Gathman
Date: Aug 15 2016 18:08:23 +0000
Subject: Move modprobe to cjdns-loadmodules.service to avoid adding CAP_SYS_MODULE.
---
diff --git a/cjdns.sbin.patch b/cjdns.sbin.patch
index 21ed3dd..f628a1c 100644
--- a/cjdns.sbin.patch
+++ b/cjdns.sbin.patch
@@ -1,6 +1,23 @@
+diff -up ./contrib/systemd/cjdns-loadmodules.service.sbin ./contrib/systemd/cjdns-loadmodules.service
+--- ./contrib/systemd/cjdns-loadmodules.service.sbin 2016-08-15 13:39:48.892573194 -0400
++++ ./contrib/systemd/cjdns-loadmodules.service 2016-08-15 13:47:24.336772295 -0400
+@@ -0,0 +1,13 @@
++[Unit]
++Description=Load cjdns kernel modules
++# Load kernel modules needed by cjdns so that it doesn't need the privilege
++Before=cjdns.service
++# Do not try to load modules in containers like openvz
++ConditionVirtualization=!container
++
++[Service]
++Type=oneshot
++ExecStart=/usr/sbin/modprobe tun
++
++[Install]
++WantedBy=multi-user.target
 diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.sh
---- ./contrib/systemd/cjdns-online.sh.sbin 2016-08-05 17:32:04.937119714 -0400
-+++ ./contrib/systemd/cjdns-online.sh 2016-08-05 17:32:04.937119714 -0400
+--- ./contrib/systemd/cjdns-online.sh.sbin 2016-08-15 13:33:11.356021398 -0400
++++ ./contrib/systemd/cjdns-online.sh 2016-08-15 13:33:11.356021398 -0400
 @@ -0,0 +1,90 @@
 +#!/bin/sh
 +# Check whether cjdns IPs are available
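Review bot: The comment `# Load kernel modules needed by cjdns so that it doesn't need the privilege` in the new cjdns-loadmodules.service does not say which privilege, although the commit subject does; make it self-explanatory for the next maintainer: `# Load tun here so that cjdns.service itself does not need CAP_SYS_MODULE`. The unit is `Type=oneshot` without `RemainAfterExit=yes`; adding that line is the conventional shape for a oneshot that another unit pulls in with `Requires=`, keeps it visibly active in `systemctl status`, and avoids re-running modprobe every time cjdns.service is restarted (it has `Restart=always`). As far as I know systemd's own `systemd-modules-load.service` with a one-line `tun` in a modules-load.d file would achieve the same effect, including the container condition, without a project-specific unit; if the custom unit is kept deliberately, a comment saying why would help.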
@@ -94,8 +111,16 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s
 +fi
 diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service
 --- ./contrib/systemd/cjdns.service.sbin 2016-06-14 17:58:54.000000000 -0400
-+++ ./contrib/systemd/cjdns.service 2016-08-05 17:33:09.595862599 -0400
-@@ -7,12 +7,14 @@ After=network.target
++++ ./contrib/systemd/cjdns.service 2016-08-15 13:56:20.198792714 -0400
+@@ -1,18 +1,20 @@
+ [Unit]
+ Description=cjdns: routing engine designed for security, scalability, speed and ease of use
+ Wants=network.target
+-After=network.target
++After=network.target cjdns-loadmodules.service
++Requires=cjdns-loadmodules.service
+ 
+ [Service]
  ProtectHome=true
  ProtectSystem=true
  SyslogIdentifier=cjdroute
@@ -105,17 +130,15 @@ diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service
 - /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \
 + /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \
  echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \
-- fi"
+ fi"
 -ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf"
-+ fi; case $(wc -c /proc/modules) in \
-+ 0*) ;; *) /sbin/modprobe tun;; esac"
 +ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf"
  Restart=always
  
  [Install]
 diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service
---- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-08-05 17:32:04.937119714 -0400
-+++ ./contrib/systemd/cjdns-wait-online.service 2016-08-05 17:32:04.937119714 -0400
+--- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-08-15 13:33:11.356021398 -0400
++++ ./contrib/systemd/cjdns-wait-online.service 2016-08-15 13:33:11.356021398 -0400
 @@ -0,0 +1,13 @@
 +[Unit]
 +Description=CJDNS Wait Online
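Review bot: Nothing visible in the `[Service]` section of cjdns.service (`ProtectHome=true`, `ProtectSystem=true`, `SyslogIdentifier=cjdroute`) actually removes CAP_SYS_MODULE from the daemon, so the least-privilege goal in the commit subject is only realised if a `CapabilityBoundingSet=` that omits CAP_SYS_MODULE exists in the part of the unit outside this hunk; if it does not, moving modprobe out gains nothing until such a line is added, limited to the capabilities cjdroute actually needs. The `Requires=cjdns-loadmodules.service` line also deserves a comment, because the dependency's behaviour in containers is not obvious: as far as I know a unit whose `ConditionVirtualization=` is unmet is skipped rather than failed, so `Requires=` still lets cjdns.service start there, e.g. `# Hard dependency; in containers the loader unit is skipped (not failed), so this still starts`. If that assumption is wrong, `Wants=` would be the safer choice.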
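Review bot: The `| cat` on the remaining new-side line `/usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \` discards the exit status of `--genconf`, since `/bin/sh -c` gives plain POSIX sh with no pipefail, so a failing generator still leaves a truncated `/etc/cjdroute.conf` and the `WARNING` line is printed as if it had succeeded; with the surrounding `if ! [ -s ... ]` guard (outside this hunk) a non-empty broken file would then never be regenerated. If the pipe is not there for a specific reason, `/usr/sbin/cjdroute --genconf > /etc/cjdroute.conf || { rm -f /etc/cjdroute.conf; exit 1; }; \` is the safer form; if it is intentional, a comment on the line saying why is warranted. The upstart variant in the last hunk sets its umask in a subshell before generating the config; the umask for this systemd ExecStartPre is outside the hunk, so confirm it is equally restrictive before the file is created, since this file is the daemon's whole configuration. The ExecStartPre command starts before this hunk, so the `if` and any umask are not visible here.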
@@ -132,7 +155,7 @@ diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdn
 +WantedBy=multi-user.target
 diff -up ./contrib/upstart/cjdns.conf.sbin ./contrib/upstart/cjdns.conf
 --- ./contrib/upstart/cjdns.conf.sbin 2016-06-14 17:58:54.000000000 -0400
-+++ ./contrib/upstart/cjdns.conf 2016-08-05 17:32:04.938119725 -0400
++++ ./contrib/upstart/cjdns.conf 2016-08-15 13:33:11.356021398 -0400
 @@ -13,10 +13,16 @@ pre-start script
  if ! [ -s /etc/cjdroute.conf ]; then
  ( # start a subshell to avoid side effects of umask later on