From 5d22db02ecee367ca6eae1235d0bb3b1acf93996 Mon Sep 17 00:00:00 2001 From: Mario Limonciello Date: Mon, 25 Apr 2022 12:23:50 -0500 Subject: [PATCH] trivial: Add a new configuration option `systemd_unit_user` This option will control what user the fwupd-refresh.service unit uses. --- data/motd/fwupd-refresh.service.in | 2 +- data/motd/meson.build | 11 +++++++++++ meson_options.txt | 1 + 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/data/motd/fwupd-refresh.service.in b/data/motd/fwupd-refresh.service.in index caf754abf..43ade0219 100644 --- a/data/motd/fwupd-refresh.service.in +++ b/data/motd/fwupd-refresh.service.in @@ -7,7 +7,7 @@ After=network.target Type=oneshot CacheDirectory=fwupdmgr StandardError=null -DynamicUser=yes +@user@ RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET AF_INET6 SystemCallFilter=~@mount ProtectKernelModules=yes diff --git a/data/motd/meson.build b/data/motd/meson.build index d73a8ceb0..81c635310 100644 --- a/data/motd/meson.build +++ b/data/motd/meson.build @@ -14,6 +14,17 @@ con2.set('bindir', bindir) con2.set('motd_fullpath', motd_fullpath) if libsystemd.found() + if get_option('systemd_unit_user') == '' + con2.set('user', 'DynamicUser=yes') + else + dynamic_options = [ + 'ProtectSystem=strict', + 'ProtectHome=read-only', + 'User=' + get_option('systemd_unit_user') + ] + con2.set('user','\n'.join(dynamic_options)) + endif + configure_file( input : 'fwupd-refresh.service.in', output : 'fwupd-refresh.service', diff --git a/meson_options.txt b/meson_options.txt index 9ff93281d..d00038dbc 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -53,6 +53,7 @@ option('plugin_powerd', type : 'feature', description : 'support for powerd', de option('qubes', type : 'boolean', value : false, description : 'build packages for Qubes OS') option('supported_build', type : 'feature', description: 'distribution package with upstream support', deprecated: {'true': 'enabled', 'false': 'disabled'}) option('systemd', type : 'feature', description : 'systemd support', deprecated: {'true': 'enabled', 'false': 'disabled'}) +option('systemd_unit_user', type : 'string', description : 'User account to use for fwupd-refresh.service (empty for DynamicUser)') option('systemd_root_prefix', type: 'string', value: '', description: 'Directory to base systemd’s installation directories on') option('elogind', type : 'feature', description : 'elogind support', deprecated: {'true': 'enabled', 'false': 'disabled'}) option('tests', type : 'boolean', value : true, description : 'enable tests')