Adding capability to systemd timer?

I’m trying to add CAP_WAKE_ALARM when creating timers with systemd-run (ref) to get the same effect as systemd v254 which is not on Fedora 38, but I don’t know how to do this. Failed attempts:

$ sudo systemd-run --user --on-active=20 --timer-property=WakeSystem=true flatpak run io.bassi.Amberol
[sudo] password for user: 
Failed to connect to bus: No medium found

$ systemd-run --user --on-active=20 --timer-property=WakeSystem=true --timer-property=AmbientCapabilities=CAP_WAKE_ALARM flatpak run io.bassi.Amberol
Unknown assignment: AmbientCapabilities=CAP_WAKE_ALARM

$ systemd-run --user --on-active=20 --timer-property=WakeSystem=true --property=AmbientCapabilities=CAP_WAKE_ALARM flatpak run io.bassi.Amberol
Job failed. See "journalctl -xe" for details.

$ journalctl -xe
systemd[1857]: run-rbddaeff35126428ca8f30e4225825f12.timer: Failed to enter waiting state: Operation not permitted
systemd[1857]: run-rbddaeff35126428ca8f30e4225825f12.timer: Failed with result 'resources'.

I think you need to adjust the ProtectClock and/or ProtectKernelTunables, depending on what you’re trying to do, with the duly required “at your own risk” warning here:

https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=


Both of those settings appear to default to off. Maybe the call to systemd-run could be wrapped with capsh --addamb=...? E.g.:

[/root]# capsh --caps="cap_setpcap=ep cap_wake_alarm=pi" --addamb="cap_wake_alarm" -- -c "systemd-run --quiet --scope capsh --print &> /proc/$$/fd/1"
Current: =ep cap_wake_alarm+i
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =cap_wake_alarm
Current IAB: ^cap_wake_alarm
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Guessed mode: UNCERTAIN (0)

P.S. This looks like a useful reference: Fully Capable - Why didn't that work?

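The `capsh --print` result in the reply above can be cross-checked against the kernel's own record of a process's capability sets in /proc/<pid>/status. The following is an added example, not part of the thread: the function names and the sample status text are constructed for illustration, and the sample masks mirror the capsh output shown above.

```shell
#!/bin/sh
# Added example (not from the thread): decode the Cap* masks of /proc/<pid>/status.
CAP_WAKE_ALARM=35   # capability number from linux/capability.h

# Constructed sample in /proc/<pid>/status format, mirroring the capsh --print
# output above: 41 capabilities permitted/effective/bounding, cap_wake_alarm
# alone in the inheritable and ambient sets.
SAMPLE_STATUS='Name: capsh
CapInh: 0000000800000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000800000000'

# cap_mask STATUS_TEXT SET -> prints the hex mask of SET (CapInh, CapAmb, ...)
cap_mask() {
    printf '%s\n' "$1" |
        awk -v key="$2:" '$1 == key { print $2; found = 1 } END { exit !found }'
}

# has_cap STATUS_TEXT SET BIT -> 0 if BIT is set, 1 if not, 2 if SET is missing
has_cap() {
    mask=$(cap_mask "$1" "$2") || return 2
    [ $(( (0x$mask >> $3) & 1 )) -eq 1 ]
}

# caps_in_set STATUS_TEXT SET -> prints the capability numbers present in SET
caps_in_set() {
    mask=$(cap_mask "$1" "$2") || return 2
    bit=0
    out=""
    while [ "$bit" -lt 64 ]; do
        if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then out="$out$bit "; fi
        bit=$((bit + 1))
    done
    printf '%s\n' "${out% }"
}

# For a live process, pass "$(cat /proc/PID/status)" instead of the sample.
if has_cap "$SAMPLE_STATUS" CapAmb "$CAP_WAKE_ALARM"; then
    echo "cap_wake_alarm is in the ambient set"
fi
```

Running the same check against the PID of the unit started by systemd-run shows whether the ambient capability survived into the service, which is the set that matters for a non-root process.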

Thanks for the replies.
Turns out it was easier for me to just upgrade to F39 beta. I also wanted to run the command as user because the Wayland apps require user env variables (and safer).
