mirror of
https://gitlab.postmarketos.org/postmarketOS/pmaports.git
synced 2025-07-23 06:45:25 +03:00
99 lines
2.9 KiB
Desktop File
99 lines
2.9 KiB
Desktop File
[Unit]
|
|
Description=usb-moded USB gadget controller
|
|
DefaultDependencies=no
|
|
Wants=systemd-udev-settle.service
|
|
Requires=dbus.socket
|
|
After=local-fs.target dbus.socket systemd-udev-settle.service
|
|
Conflicts=shutdown.target
|
|
|
|
[Service]
|
|
Type=notify
|
|
TimeoutSec=25
|
|
EnvironmentFile=-/var/lib/environment/usb-moded/*.conf
|
|
EnvironmentFile=-/run/usb-moded/*.conf
|
|
ExecStart=/usr/sbin/usb_moded --systemd --force-syslog $USB_MODED_ARGS $USB_MODED_HW_ADAPTATION_ARGS
|
|
Restart=always
|
|
ExecReload=/bin/kill -HUP $MAINPID
|
|
|
|
## Sandboxing
|
|
|
|
# What we want to have is:
|
|
#
|
|
# / - readonly
|
|
# /tmp - private writable
|
|
# /config - shared writable (configfs gadget setup)
|
|
# /sys - shared writable (android-usb gadget setup, wakelocks)
|
|
# /dev - shared writable (mounting/unmounting mtp fs)
|
|
# /run/usb-moded - shared writable (udhcpd config file)
|
|
# /var/lib/usb-moded - writable (usb-moded runtime settings data)
|
|
#
|
|
# Seems that attempting to use high level settings
|
|
# like ProtectSystem, PrivateTmp, ... leads to problems
|
|
# like mtp mount done from usb-moded not being visible
|
|
# to mtp daemon
|
|
|
|
ProtectSystem=no
|
|
PrivateDevices=no
|
|
PrivateTmp=no
|
|
|
|
# Could use low level settings, but they are not
|
|
# supported by our version of systemd ...
|
|
|
|
#ReadOnlyPaths=/
|
|
#ReadWritePaths=/tmp
|
|
#ReadWritePaths=/sys
|
|
#ReadWritePaths=/dev
|
|
#ReadWritePaths=/config
|
|
#ReadWritePaths=/run/usb-moded
|
|
#ReadWritePaths=/var/lib/usb-moded
|
|
|
|
# Usb-moded needs to start/stop user sessions services
|
|
# when activating/deactivating mtp mode -> must retain
|
|
# access to user data and home directories
|
|
|
|
ProtectHome=no
|
|
|
|
# a) The list of supplementary groups usb-moded needs to
|
|
# function properly varies from one device to another.
|
|
# b) If any of the listed supplementary groups do not
|
|
# exist on the system, systemd refuses to execute
|
|
#
|
|
# Combining (a) and (b) makes SupplementaryGroups useless,
|
|
# and we need to rely on CAP_DAC_OVERRIDE
|
|
|
|
#SupplementaryGroups=system wakelock ...
|
|
|
|
################################################################################################################################################################################################################################################################
|
|
|
|
## Security
|
|
|
|
# NoNewPrivileges does not work in Jolla Phone
|
|
#NoNewPrivileges=yes
|
|
|
|
# Note: Due to old systemd version: CapabilityBoundingSet merging
|
|
# does not work - all caps must be listed on a single line.
|
|
|
|
# CAP_BLOCK_SUSPEND
|
|
# -> wakelocking
|
|
|
|
# CAP_NET_ADMIN
|
|
# CAP_NET_RAW
|
|
# -> network setup via ifconfig subprocess etc
|
|
|
|
# CAP_SETUID
|
|
# CAP_SETGID
|
|
# -> running systemctl-user -> uid/gid change
|
|
|
|
# CAP_SYS_RESOURCE
|
|
# -> running systemctl-user -> scheduling config
|
|
|
|
# CAP_DAC_OVERRIDE
|
|
# -> working around problems with SupplementaryGroups=
|
|
|
|
# CAP_SYS_ADMIN
|
|
# -> mount/unmount mtp device
|
|
|
|
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_SYS_ADMIN
|
|
|
|
[Install]
|
|
WantedBy=basic.target
|