| | | |
|---|---|---|
| author | Max Kellermann <max@musicpd.org> | 2016-12-13 08:41:55 +0100 |
| committer | Max Kellermann <max@musicpd.org> | 2016-12-13 10:24:10 +0100 |
| commit | ab332d7b2eb6ebc1052885bdcebac9c2673a7dde | |
| tree | 6a7662d989fd522726de0c36dfa5cd2a826f2fc8 /systemd | |
| parent | 53e22b81ef026e873c992bca35e27b41580a0bf8 | |

systemd: add user unit

The user unit omits the "ProtectKernelModules" setting which fails
with modular kernels:

Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not permitted

It is unfortunate that systemd (version 232) is unable to reduce its
own capabilities, because this requires us to split system and user
units.

https://bugs.musicpd.org/view.php?id=4608

Diffstat (limited to 'systemd')
-rw-r--r-- | systemd/user/mpd.service.in | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/systemd/user/mpd.service.in b/systemd/user/mpd.service.in new file mode 100644 index 000000000..fa0f43d41 --- /dev/null +++ b/systemd/user/mpd.service.in @@ -0,0 +1,29 @@ +[Unit] +Description=Music Player Daemon +After=network.target sound.target + +[Service] +ExecStart=@prefix@/bin/mpd --no-daemon + +# allow MPD to use real-time priority 50 +LimitRTPRIO=50 +LimitRTTIME=infinity + +# disallow writing to /usr, /bin, /sbin, ... +ProtectSystem=yes + +# more paranoid security settings +NoNewPrivileges=yes +ProtectKernelTunables=yes +ProtectControlGroups=yes +# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh* +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK +RestrictNamespaces=yes + +# Note that "ProtectKernelModules=yes" is missing in the user unit +# because systemd 232 is unable to reduce its own capabilities +# ("Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not +# permitted") + +[Install] +WantedBy=default.target |
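
Review bot: The [Service] block keeps ProtectSystem=yes, ProtectKernelTunables=yes and ProtectControlGroups=yes, which rely on a private mount namespace, while the trailing comment says ProtectKernelModules had to be dropped because the user manager lacks the privilege to reduce capabilities; the same lack of privilege may leave these retained settings unenforced or make the start fail at a different step. Please confirm under an unprivileged `systemctl --user` instance that each retained directive is actually applied (for example, that a write below /usr from the service is refused), and either drop the ones that are not or say in the comment which ones are effective, so the "more paranoid security settings" heading does not overstate the protection. The same check applies to LimitRTPRIO=50, which can only take effect if the user manager's own hard limit permits it, and to After=network.target, which only orders anything if that target exists in the user instance.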