New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/evdevremapkeys: init #94100
nixos/evdevremapkeys: init #94100
Conversation
8cd838b
to
8e8d27a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've left some comments I hope you find useful.
description = "Remap Evdev Input"; | ||
after = [ "systemd-udev-settle.service" ]; | ||
wantedBy = [ "multi-user.target" ]; | ||
serviceConfig = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice to add some systemd
hardening options here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think he means:
Can we run the daemon as a DynamicUser=yes
instead of as root
Also we could set things like:
RestrictAddressFamilies=AF_NETLINK
PrivateTmp=yes
Etc.. (See man systemd.exec
for more isolation options)
However I expect that this unit probably has to run as root to be able to create new input events
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm going to take a look if this is possible to harden by running as a less privileged user. But I'm also not expecting much.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even if you still end up running as root
there are some settings you can apply to limit the abilities this service can have on a system. Though still hoping for a non root
user, maybe with some capabilities
or something.
|
||
systemd.services.evdevremapkeys = { | ||
description = "Remap Evdev Input"; | ||
after = [ "systemd-udev-settle.service" ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was reading the manpage of systemd-udev-settle
and it said:
Using this service is not recommended. There can be no guarantee that hardware is fully discovered at any specific
time, because the kernel does hardware detection asynchronously, and certain buses and devices take a very long
time to become ready, and also additional hardware may be plugged in at any time. Instead, services should
subscribe to udev events and react to any new hardware as it is discovered. Services that, based on configuration,
expect certain devices to appear, may warn or report failure after a timeout. This timeout should be tailored to
the hardware type. Waiting for systemd-udev-settle.service usually slows boot significantly, because it means
waiting for all unrelated events too.
I also saw that the example upstream provides doesn't depend on it https://github.com/philipl/evdevremapkeys/blob/master/examples/evdevremapkeys.service
Why do we need it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the source code of evdevremapkeys
it seems they subscribe to udev
events properly; so I don't think there is any need to wait for systemd-udev-settle
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whoops, I did indeed copy this mindlessly this from somewhere else in nixpkgs during development and then forgot to actually make this sensible :). I've updated the service definition to reflect upstream's service example.
8e8d27a
to
ccbe0a5
Compare
I marked this as stale due to inactivity. → More info |
Superseded by #215247 |
Motivation for this change
Implement a basic evdevremapkeys service. The tool itself already exists as a derivation, this merely adds a module to turn it into a service.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)