privileged: Add systemd units for socket activating the daemon

Tests: - Daemon starts up with uid/gid set to root. - Daemon does not run by default if a request is not received. Socket file is created with 666 permissions and root:root ownership. Socket file parent directory is created with 755 permissions and root:root ownership. - Daemon starts if a request is sent to the socket using nc. - If there an exception in daemon starting, then restart is done every second to 5 seconds, forever. - Build a Debian package. - Install it on fresh trixie Debian VM. Ensure that setup works and privileged daemon is auto-enabled. - Start a fresh trixie Debian VM and install freedombox from Debian repos. Upgrade to the built package. Privileged daemon works and is auto-enabled. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
2026-01-21 07:55:00 +00:00 · 2025-06-26 18:26:51 -07:00 · 2025-06-26 18:26:51 -07:00 · 71a50e6d19
commit 71a50e6d19
parent a6089664eb
3 changed files with 39 additions and 1 deletions
--- a/data/usr/lib/systemd/system/freedombox-privileged.service
+++ b/data/usr/lib/systemd/system/freedombox-privileged.service
@ -0,0 +1,21 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=FreedomBox Privileged Service
+Documentation=https://wiki.debian.org/FreedomBox/
+# Don't hit the start rate limiting.
+StartLimitIntervalSec=0
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/freedombox-privileged
+TimeoutSec=300s
+User=root
+Group=root
+NotifyAccess=main
+PrivateTmp=yes
+Restart=on-failure
+# Don't restart too fast
+RestartSec=1
+RestartSteps=3
+RestartMaxDelaySec=5
--- a/data/usr/lib/systemd/system/freedombox-privileged.socket
+++ b/data/usr/lib/systemd/system/freedombox-privileged.socket
@ -0,0 +1,16 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=FreedomBox Privileged Service Socket
+Documentation=https://wiki.debian.org/FreedomBox/
+
+[Socket]
+Accept=no
+ListenStream=/run/freedombox/privileged.socket
+SocketUser=root
+SocketGroup=root
+SocketMode=0666
+DirectoryMode=755
+
+[Install]
+WantedBy=sockets.target
--- a/debian/rules
+++ b/debian/rules
@ -34,4 +34,5 @@ override_dh_installsystemd:
 	# (as of debhelper 13.5.2) that still has hardcoded search path of
 	# /lib/systemd/system for searching systemd services. See #987989 and
 	# reversion of its changes.
-	dh_installsystemd --tmpdir=debian/tmp/usr --package=freedombox plinth.service
+	dh_installsystemd --tmpdir=debian/tmp/usr --package=freedombox \
+		plinth.service freedombox-privileged.socket