Adding capability to systemd timer?

I’m trying to add CAP_WAKE_ALARM when creating timers with sytemd-run (ref) to get the same effect as systemd v254 which is not on Fedora 38, but I don’t know how to do this. Failed attempts:

$ sudo systemd-run --user --on-active=20 --timer-property=WakeSystem=true flatpak run io.bassi.Amberol
[sudo] password for user: 
Failed to connect to bus: No medium found

$ systemd-run --user --on-active=20 --timer-property=WakeSystem=true --timer-property=AmbientCapabilities=CAP_WAKE_ALARM flatpak run io.bassi.Amberol
Unknown assignment: AmbientCapabilities=CAP_WAKE_ALARM

$ systemd-run --user --on-active=20 --timer-property=WakeSystem=true --property=AmbientCapabilities=CAP_WAKE_ALARM flatpak run io.bassi.Amberol
Job failed. See "journalctl -xe" for details.

$ journalctl -xe
systemd[1857]: run-rbddaeff35126428ca8f30e4225825f12.timer: Failed to enter waiting state: Operation not permitted
systemd[1857]: run-rbddaeff35126428ca8f30e4225825f12.timer: Failed with result 'resources'.

I think you need to adjust the ProtectClock and/or ProtectKernelTunables, depending on what you’re trying to do, with the duly required “at your own risk” warning here:

1 Like

Both of those settings appear to default to off. Maybe the call to systemd-run could be wrapped with capsh --addamb=...? E.g.:

[/root]# capsh --caps="cap_setpcap=ep cap_wake_alarm=pi" --addamb="cap_wake_alarm" -- -c "systemd-run --quiet --scope capsh --print &> /proc/$$/fd/1"
Current: =ep cap_wake_alarm+i
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =cap_wake_alarm
Current IAB: ^cap_wake_alarm
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
Guessed mode: UNCERTAIN (0)

P.S. This looks like a useful reference: Fully Capable - Why didn't that work?

1 Like

Thanks for the replies.
Turns out it was easier for me to just upgrade to F39 beta. I also wanted to run the command as user because the Wayland apps require user env variables (and safer).

1 Like