summaryrefslogtreecommitdiffstats
path: root/security-blueprint/part-5/2-SystemD.md
blob: 903df11e3236461c1f5c8219a1894bcaad189533 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# SystemD

`afm-system-daemon` is used to:

- Manage users and user sessions.
- Setup applications and services (_CGroups_, _namespaces_, autostart, permissions).
- Use of `libsystemd` for its programs (event management, **D-Bus** interface).

<!-- config -->

Domain             | Object         | Recommendations
------------------ | -------------- | ------------------------------------
Platform-SystemD-1 | Security model | Use Namespaces for containerization.
Platform-SystemD-2 | Security model | Use CGroups to organise processes.

<!-- endconfig -->

See [systemd integration and user management](http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf) for more information.

## Benefits

- Removal of one privileged process: **afm-user-daemon**
- Access and use of high level features:

  - Socket activation.
  - Management of users and integration of **PAM**.
  - Dependency resolution to services.
  - `Cgroups` and resource control.
  - `Namespaces` containerization.
  - Autostart of required API.
  - Permissions and security settings.
  - Network management.

<!-- pagebreak -->

## CGroups

Control Groups offer a lot of features, with the most useful ones you can
control: Memory usage, how much CPU time is allocated, how much device I/O is
allowed or which devices can be accessed. **SystemD** uses _CGroups_ to organise
processes (each service is a _CGroups_, and all processes started by that
service use that _CGroups_). By default, **SystemD** automatically creates a
hierarchy of slice, scope and service units to provide a unified structure for
the _CGroups_ tree. With the `systemctl` command, you can further modify this
structure by creating custom slices. Currently, in AGL, there are 2 slices
(**user.slice** and **system.slice**).

## Namespaces

### User side

There are several ways of authenticating users (Key Radio Frequency, Phone,
Gesture, ...). Each authentication provides dynamic allocation of **uids** to
authenticated users. **Uids** is used to ensure privacy of users and **SMACK**
for applications privacy.

First, the user initiates authentication with **PAM** activation. **PAM**
Standard offers highly configurable authentication with modular design like
face recognition, Voice identification or with a password. Then users should
access identity services with services and applications.