Open tofurky opened 2 weeks ago
For clarity, can you post the working service file?
```ini
[Unit]
Description=Kodi standalone (GBM)
After=remote-fs.target systemd-user-sessions.service network-online.target nss-lookup.target sound.target bluetooth.target polkit.service upower.service mysqld.service lircd.service mythtv-backend.service sys-devices-pci0000:00-0000:00:1f.3-sound-card0-controlC0.device
Wants=network-online.target polkit.service upower.service mythtv-backend.service sys-devices-pci0000:00-0000:00:1f.3-sound-card0-controlC0.device
# Kodi owns tty1, so the getty must not run there at the same time
Conflicts=getty@tty1.service

[Service]
User=kodi
Group=kodi
# Leading "-": a missing environment file is not an error
EnvironmentFile=-/etc/default/kodi-gbm
# Open a PAM "login" session so pam_systemd registers a logind session for the VT
PAMName=login
Type=simple
TTYPath=/dev/tty1
TTYReset=yes
ExecStart=/usr/bin/flatpak run -v tv.kodi.Kodi --standalone --audio-backend=alsa --windowing=gbm
ExecStop=/usr/bin/flatpak kill tv.kodi.Kodi
Restart=on-abort
StandardInput=tty
StandardOutput=journal
StandardError=journal
# Empty bounding set: the service can never hold any capability, which is
# what stops bwrap's "Unexpected capabilities but not setuid" check from firing
CapabilityBoundingSet=

[Install]
Alias=display-manager.service
```
It's still got some issues; stderr/stdout from flatpak isn't captured unless I wrap it in something like `/bin/sh -c "/usr/bin/flatpak ... >/tmp/out 2>&1"`, but it mostly works as expected.
I haven't used flatpak before, but if you feel like there is some value for other users, perhaps I can put your service into a contrib folder or something that is technically unsupported.
I used the kodi-gbm.service unit as a template to create my own unit with the tv.kodi.Kodi flatpak and ran into an issue when `TTYPath=` was set; the bubblewrap sandbox refused to start (even when running `bwrap` directly in `ExecStart` to debug, without flatpak). I'm using flatpak now as that's the only supported way to get the official non-distro builds these days.

The error from bwrap was `Unexpected capabilities but not setuid, old file caps config?` (https://github.com/containers/bubblewrap/blob/a253257cd298892da43e15201d83f9a02c9b58b5/bubblewrap.c#L875-L881).

After running `systemd-analyze security kodi-gbm.service`, I saw that all capabilities were allowed. Not really sure why `TTYPath` is what does it; maybe an interplay with `PAMName=login` and actually succeeding in starting a proper login session? Without `TTYPath`, the following is seen: `pam_systemd(login:session): Failed to create session: VT number out of range`.

Anyways, the fix was to add `CapabilityBoundingSet=` under `[Service]` to prevent any new capabilities from being obtained. I don't understand this fully enough to add a PR or README note, but hopefully this helps someone running into the same issue. This would also prevent binding to a privileged port, I think.

Some more details: strace showed the following when replacing `ExecStart` with `strace -s1024 bwrap >/tmp/bwrap 2>&1`: