Overview
Request 930206 accepted
- Added hardening to systemd service(s). Added patch(es):
* harden_brickd-resume.service.patch
* harden_brickd.service.patch
- Created by jsegitz
- In state accepted
-
Package maintainer:
frank_kunz
- Supersedes 914357
for (some unknown) reason the ProtectClock=true setting causes that brickd cannot access USB hardware anymore:
[pid 25337] openat(AT_FDCWD, "/dev/bus/usb/001/026", O_RDWR|O_CLOEXEC) = -1 EPERM (Operation not permitted) [pid 25337] write(2, "libusb: error [get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/001/026, errno=1\n", 91) = 91
Is this a known issue with those settings?
The access works with ProtectClock=true commented out in the service file.
that is surprising to me. It's not a USB time device by chance?
Seems not to be any clock device. It is has vendor specific descriptor data:
Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 255 Vendor Specific Class bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x16d0 MCS idProduct 0x063d bcdDevice 1.10 iManufacturer 1 Tinkerforge GmbH iProduct 2 Servo Brick iSerial 3 6JMVe4 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0020 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x84 EP 4 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x05 EP 5 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0
Please read
- https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=
- https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#DeviceAllow=
You have to allow at least "/dev/bus/usb/*", and also "/dev/spidev*".
Request History
jsegitz created request
- Added hardening to systemd service(s). Added patch(es):
* harden_brickd-resume.service.patch
* harden_brickd.service.patch
frank_kunz accepted request
