Add signal waits and sandbox validation

Author: dannote

guides/dbus-manager.md

@@ -52,13 +52,23 @@ end)
 ## Job tracking
 
 Unit lifecycle methods return jobs through `Systemd.Manager`. Top-level helpers
-wait for jobs by default; pass `wait: false` to inspect the job yourself:
+wait for jobs by default; pass `wait: false` to inspect the job yourself.
+Polling is available through `Systemd.Job.await/3`; signal-driven waiting is
+available through `Systemd.Job.await_signal/3` and systemd's `JobRemoved` signal:
 
 ```elixir
 {:ok, conn} = Systemd.Manager.connect()
 {:ok, job} = Systemd.Manager.restart_unit(conn, "my_app@4000.service")
 {:ok, :running} = Systemd.Job.state(conn, job)
-:ok = Systemd.Job.await(conn, job, timeout: 10_000)
+:ok = Systemd.Job.await_signal(conn, job, timeout: 10_000)
+```
+
+For lower-level signal handling, subscribe to manager signals directly:
+
+```elixir
+{:ok, sub} = Systemd.Signal.subscribe_manager(conn)
+{:ok, removed} = Systemd.Signal.await_job_removed(sub, job.object_path)
+:ok = Systemd.Signal.unsubscribe(sub)
 ```
 
 Jobs can be cancelled through the job object when systemd still exposes it:

guides/xamal-style-deployment.md

@@ -21,7 +21,15 @@ unit_file =
       restart: "on-failure",
       restart_sec: 5,
       timeout_stop_sec: 30,
-      limit_nofile: 1_048_576
+      limit_nofile: 1_048_576,
+      cpu_accounting: true,
+      cpu_quota: "50%",
+      memory_accounting: true,
+      memory_max: "512M",
+      tasks_max: 512,
+      no_new_privileges: true,
+      protect_system: :strict,
+      protect_home: "read-only"
     ],
     install: [wanted_by: "multi-user.target"]
   )

lib/systemd/job.ex

@@ -3,7 +3,7 @@ defmodule Systemd.Job do
   A systemd job returned by manager operations such as `StartUnit`.
   """
 
-  alias Systemd.{DBus, Error, Properties}
+  alias Systemd.{DBus, Error, Properties, Signal}
 
   @interface "org.freedesktop.systemd1.Job"
 
@@ -51,6 +51,24 @@ defmodule Systemd.Job do
     end
   end
 
+  @doc """
+  Waits for this job's `JobRemoved` D-Bus signal.
+  """
+  @spec await_signal(pid(), t(), keyword()) :: :ok | {:error, Error.t()}
+  def await_signal(conn, %__MODULE__{object_path: path}, opts \\ []) do
+    with {:ok, subscription} <- Signal.subscribe_manager(conn) do
+      try do
+        case Signal.await_job_removed(subscription, path, opts) do
+          {:ok, %{result: "done"}} -> :ok
+          {:ok, %{result: result}} -> {:error, Error.protocol_error({:job_failed, result})}
+          {:error, error} -> {:error, error}
+        end
+      after
+        Signal.unsubscribe(subscription)
+      end
+    end
+  end
+
   @doc """
   Polls until a job leaves `waiting`/`running` or disappears from the bus.
   """

lib/systemd/signal.ex

@@ -0,0 +1,120 @@
+defmodule Systemd.Signal do
+  @moduledoc """
+  Helpers for receiving systemd D-Bus signals.
+  """
+
+  alias Rebus.Message
+  alias Systemd.{DBus, Error}
+
+  @dbus_destination "org.freedesktop.DBus"
+  @dbus_path "/org/freedesktop/DBus"
+  @dbus_interface "org.freedesktop.DBus"
+  @systemd_destination "org.freedesktop.systemd1"
+  @manager_path "/org/freedesktop/systemd1"
+  @manager_interface "org.freedesktop.systemd1.Manager"
+
+  @type subscription :: %__MODULE__{conn: pid(), ref: reference(), match_rule: String.t()}
+  @type job_removed :: %{
+          id: non_neg_integer(),
+          job_path: String.t(),
+          unit: String.t(),
+          result: String.t()
+        }
+
+  @enforce_keys [:conn, :ref, :match_rule]
+  defstruct [:conn, :ref, :match_rule]
+
+  @doc """
+  Subscribes the current process to systemd manager signals.
+  """
+  @spec subscribe_manager(pid()) :: {:ok, subscription()} | {:error, Error.t()}
+  def subscribe_manager(conn) when is_pid(conn) do
+    match_rule =
+      "type='signal',sender='#{@systemd_destination}',path='#{@manager_path}',interface='#{@manager_interface}'"
+
+    with :ok <- add_match(conn, match_rule),
+         {:ok, []} <- manager_call(conn, "Subscribe"),
+         ref when is_reference(ref) <- Rebus.add_signal_handler(conn) do
+      {:ok, %__MODULE__{conn: conn, ref: ref, match_rule: match_rule}}
+    else
+      {:error, %Error{} = error} -> {:error, error}
+      other -> {:error, Error.protocol_error(other)}
+    end
+  end
+
+  @doc """
+  Removes a signal subscription returned by `subscribe_manager/1`.
+  """
+  @spec unsubscribe(subscription()) :: :ok | {:error, Error.t()}
+  def unsubscribe(%__MODULE__{conn: conn, ref: ref, match_rule: match_rule}) do
+    :ok = Rebus.delete_signal_handler(conn, ref)
+    remove_match(conn, match_rule)
+  end
+
+  @doc """
+  Waits for a `JobRemoved` signal matching a job object path.
+  """
+  @spec await_job_removed(subscription(), String.t(), keyword()) ::
+          {:ok, job_removed()} | {:error, Error.t()}
+  def await_job_removed(%__MODULE__{ref: ref}, job_path, opts \\ []) when is_binary(job_path) do
+    timeout = Keyword.get(opts, :timeout, 30_000)
+    deadline = System.monotonic_time(:millisecond) + timeout
+    do_await_job_removed(ref, job_path, deadline)
+  end
+
+  defp do_await_job_removed(ref, job_path, deadline) do
+    remaining = max(deadline - System.monotonic_time(:millisecond), 0)
+
+    receive do
+      {^ref, %Message{} = message} ->
+        case job_removed(message) do
+          {:ok, %{job_path: ^job_path} = removed} -> {:ok, removed}
+          {:ok, _other_job} -> do_await_job_removed(ref, job_path, deadline)
+          :ignore -> do_await_job_removed(ref, job_path, deadline)
+        end
+    after
+      remaining -> {:error, Error.connection_error(:timeout)}
+    end
+  end
+
+  defp job_removed(%Message{
+         type: :signal,
+         header_fields: headers,
+         body: [id, job_path, unit, result]
+       }) do
+    if Map.get(headers, :member) == "JobRemoved" and
+         Map.get(headers, :interface) == @manager_interface do
+      {:ok, %{id: id, job_path: job_path, unit: unit, result: result}}
+    else
+      :ignore
+    end
+  end
+
+  defp job_removed(_message), do: :ignore
+
+  defp add_match(conn, match_rule), do: dbus_void_call(conn, "AddMatch", [match_rule], "s")
+  defp remove_match(conn, match_rule), do: dbus_void_call(conn, "RemoveMatch", [match_rule], "s")
+
+  defp manager_call(conn, member) do
+    DBus.call_body(conn,
+      destination: @systemd_destination,
+      path: @manager_path,
+      interface: @manager_interface,
+      member: member
+    )
+  end
+
+  defp dbus_void_call(conn, member, body, signature) do
+    with {:ok, []} <-
+           DBus.call_body(conn,
+             destination: @dbus_destination,
+             path: @dbus_path,
+             interface: @dbus_interface,
+             member: member,
+             signature: signature,
+             body: body
+           ) do
+      :ok
+    end
+  end
+end

lib/systemd/unit_file/builder.ex

@@ -9,7 +9,10 @@ defmodule Systemd.UnitFile.Builder do
 
   @directive_names %{
     cpu_accounting: "CPUAccounting",
+    cpu_quota: "CPUQuota",
+    cpu_weight: "CPUWeight",
     io_accounting: "IOAccounting",
+    io_weight: "IOWeight",
     ip_accounting: "IPAccounting",
     limit_as: "LimitAS",
     limit_core: "LimitCORE",
@@ -26,10 +29,39 @@ defmodule Systemd.UnitFile.Builder do
     limit_rtprio: "LimitRTPRIO",
     limit_rttime: "LimitRTTIME",
     limit_sigpending: "LimitSIGPENDING",
+    memory_accounting: "MemoryAccounting",
+    memory_high: "MemoryHigh",
+    memory_low: "MemoryLow",
+    memory_max: "MemoryMax",
+    memory_min: "MemoryMin",
+    memory_swap_max: "MemorySwapMax",
+    no_new_privileges: "NoNewPrivileges",
     oom_policy: "OOMPolicy",
     pid_file: "PIDFile",
+    private_devices: "PrivateDevices",
+    private_network: "PrivateNetwork",
+    private_tmp: "PrivateTmp",
+    private_users: "PrivateUsers",
+    protect_clock: "ProtectClock",
+    protect_control_groups: "ProtectControlGroups",
+    protect_home: "ProtectHome",
+    protect_hostname: "ProtectHostname",
+    protect_kernel_logs: "ProtectKernelLogs",
+    protect_kernel_modules: "ProtectKernelModules",
+    protect_kernel_tunables: "ProtectKernelTunables",
+    protect_proc: "ProtectProc",
+    protect_system: "ProtectSystem",
+    restrict_address_families: "RestrictAddressFamilies",
+    restrict_namespaces: "RestrictNamespaces",
+    restrict_realtime: "RestrictRealtime",
+    restrict_suid_sgid: "RestrictSUIDSGID",
     runtime_directory_preserve: "RuntimeDirectoryPreserve",
     selinux_context: "SELinuxContext",
+    system_call_architectures: "SystemCallArchitectures",
+    system_call_error_number: "SystemCallErrorNumber",
+    system_call_filter: "SystemCallFilter",
+    tasks_accounting: "TasksAccounting",
+    tasks_max: "TasksMax",
     smack_process_label: "SmackProcessLabel",
     syslog_identifier: "SyslogIdentifier",
     tty_path: "TTYPath",

lib/systemd/unit_file/validator.ex

@@ -29,7 +29,7 @@ defmodule Systemd.UnitFile.Validator do
       ),
     "Service" =>
       MapSet.new(
-        ~w(Type ExecStart ExecStartPre ExecStartPost ExecCondition ExecReload ExecStop ExecStopPost Restart RestartSec User Group WorkingDirectory RootDirectory Environment EnvironmentFile PassEnvironment UnsetEnvironment TimeoutStartSec TimeoutStopSec TimeoutAbortSec KillSignal KillMode RemainAfterExit GuessMainPID PIDFile RuntimeDirectory RuntimeDirectoryPreserve StateDirectory CacheDirectory LogsDirectory ConfigurationDirectory StandardOutput StandardError SyslogIdentifier Slice Delegate CPUAccounting CPUWeight CPUQuota MemoryAccounting MemoryMin MemoryLow MemoryHigh MemoryMax MemorySwapMax TasksAccounting TasksMax IOAccounting IOWeight IPAccounting LimitNOFILE LimitNPROC LimitMEMLOCK LimitCORE LimitCPU LimitAS LimitFSIZE NoNewPrivileges PrivateTmp PrivateDevices ProtectSystem ProtectHome AmbientCapabilities CapabilityBoundingSet ReadWritePaths ReadOnlyPaths InaccessiblePaths OOMPolicy)
+        ~w(Type ExecStart ExecStartPre ExecStartPost ExecCondition ExecReload ExecStop ExecStopPost Restart RestartSec User Group WorkingDirectory RootDirectory Environment EnvironmentFile PassEnvironment UnsetEnvironment TimeoutStartSec TimeoutStopSec TimeoutAbortSec KillSignal KillMode RemainAfterExit GuessMainPID PIDFile RuntimeDirectory RuntimeDirectoryPreserve StateDirectory CacheDirectory LogsDirectory ConfigurationDirectory StandardOutput StandardError SyslogIdentifier Slice Delegate CPUAccounting CPUWeight CPUQuota MemoryAccounting MemoryMin MemoryLow MemoryHigh MemoryMax MemorySwapMax TasksAccounting TasksMax IOAccounting IOWeight IPAccounting LimitNOFILE LimitNPROC LimitMEMLOCK LimitCORE LimitCPU LimitAS LimitFSIZE NoNewPrivileges PrivateTmp PrivateDevices PrivateNetwork PrivateUsers ProtectSystem ProtectHome ProtectKernelTunables ProtectKernelModules ProtectKernelLogs ProtectControlGroups ProtectClock ProtectHostname ProtectProc RestrictAddressFamilies RestrictNamespaces RestrictRealtime RestrictSUIDSGID SystemCallFilter SystemCallArchitectures SystemCallErrorNumber AmbientCapabilities CapabilityBoundingSet ReadWritePaths ReadOnlyPaths InaccessiblePaths OOMPolicy)
       ),
     "Install" => MapSet.new(~w(WantedBy RequiredBy Also Alias DefaultInstance)),
     "Socket" =>
@@ -231,7 +231,18 @@ defmodule Systemd.UnitFile.Validator do
               "IPAccounting",
               "NoNewPrivileges",
               "PrivateTmp",
-              "PrivateDevices"
+              "PrivateDevices",
+              "PrivateNetwork",
+              "PrivateUsers",
+              "ProtectKernelTunables",
+              "ProtectKernelModules",
+              "ProtectKernelLogs",
+              "ProtectControlGroups",
+              "ProtectClock",
+              "ProtectHostname",
+              "RestrictNamespaces",
+              "RestrictRealtime",
+              "RestrictSUIDSGID"
             ] do
     boolean("Service", directive, value, span)
   end
@@ -256,6 +267,45 @@ defmodule Systemd.UnitFile.Validator do
   defp value_errors("Service", "CPUQuota", value, span),
     do: percentage("Service", "CPUQuota", value, span)
 
+  defp value_errors("Service", "ProtectSystem", value, span) do
+    one_of(
+      "Service",
+      "ProtectSystem",
+      String.downcase(value),
+      ~w(1 yes true on 0 no false off full strict),
+      span
+    )
+  end
+
+  defp value_errors("Service", "ProtectHome", value, span) do
+    one_of(
+      "Service",
+      "ProtectHome",
+      String.downcase(value),
+      ~w(1 yes true on 0 no false off read-only tmpfs),
+      span
+    )
+  end
+
+  defp value_errors("Service", "ProtectProc", value, span) do
+    one_of("Service", "ProtectProc", value, ~w(default invisible ptraceable noaccess), span)
+  end
+
+  defp value_errors("Service", directive, value, span)
+       when directive in [
+              "RestrictAddressFamilies",
+              "SystemCallFilter",
+              "SystemCallArchitectures",
+              "SystemCallErrorNumber",
+              "AmbientCapabilities",
+              "CapabilityBoundingSet",
+              "ReadWritePaths",
+              "ReadOnlyPaths",
+              "InaccessiblePaths"
+            ] do
+    non_empty_words("Service", directive, value, span)
+  end
+
   defp value_errors("Service", "KillMode", value, span) do
     one_of("Service", "KillMode", value, ~w(control-group mixed process none), span)
   end

test/systemd/manager_integration_test.exs

@@ -106,8 +106,10 @@ defmodule Systemd.ManagerIntegrationTest do
       TransientUnit.string("Description", "systemd Elixir resource integration test"),
       TransientUnit.string("Type", "oneshot"),
       TransientUnit.boolean("RemainAfterExit", true),
+      TransientUnit.boolean("CPUAccounting", true),
       TransientUnit.memory_max(67_108_864),
       TransientUnit.tasks_max(64),
+      TransientUnit.cpu_quota_per_sec_usec(500_000),
       TransientUnit.exec_start("/bin/true", ["/bin/true"])
     ]
 
@@ -116,13 +118,9 @@ defmodule Systemd.ManagerIntegrationTest do
         assert :ok = Job.await(conn, job, timeout: 5_000)
         assert {:ok, unit} = Manager.get_unit(conn, name)
 
-        assert {:ok, 67_108_864} =
-                 Properties.get(
-                   conn,
-                   unit.object_path,
-                   "org.freedesktop.systemd1.Service",
-                   "MemoryMax"
-                 )
+        assert {:ok, 67_108_864} = service_property(conn, unit, "MemoryMax")
+        assert {:ok, 64} = service_property(conn, unit, "TasksMax")
+        assert {:ok, 500_000} = service_property(conn, unit, "CPUQuotaPerSecUSec")
 
         assert :ok = Manager.stop_unit(conn, name) |> await_or_ok(conn)
 
@@ -131,6 +129,26 @@ defmodule Systemd.ManagerIntegrationTest do
     end
   end
 
+  test "waits for job completion using JobRemoved signal" do
+    assert {:ok, conn} = Manager.connect()
+
+    name = "systemd-elixir-signal-test-#{System.unique_integer([:positive])}.service"
+
+    properties = [
+      TransientUnit.string("Description", "systemd Elixir signal integration test"),
+      TransientUnit.string("Type", "oneshot"),
+      TransientUnit.exec_start("/bin/sleep", ["/bin/sleep", "1"])
+    ]
+
+    case Manager.start_transient_unit(conn, name, properties) do
+      {:ok, %Job{} = job} ->
+        assert :ok = Job.await_signal(conn, job, timeout: 5_000)
+
+      {:error, %Error{} = error} ->
+        assert Error.permission?(error)
+    end
+  end
+
   test "starts and awaits a harmless transient unit" do
     assert {:ok, conn} = Manager.connect()
 
@@ -152,6 +170,10 @@ defmodule Systemd.ManagerIntegrationTest do
     end
   end
 
+  defp service_property(conn, unit, property) do
+    Properties.get(conn, unit.object_path, "org.freedesktop.systemd1.Service", property)
+  end
+
   defp await_or_ok({:ok, %Job{} = job}, conn), do: Job.await(conn, job, timeout: 5_000)
   defp await_or_ok({:error, %Error{} = error}, _conn), do: {:error, error}