SystemD
afm-system-daemon is used to:
- Manage users and user sessions.
- Setup applications and services (CGroups, namespaces, autostart, permissions).
- Use of
libsystemdfor its programs (event management, D-Bus interface).
| Domain | Object | Recommendations |
|---|---|---|
| Platform-SystemD-1 | Security model | Use Namespaces for containerization. |
| Platform-SystemD-2 | Security model | Use CGroups to organise processes. |
See systemd integration and user management for more information.
Benefits
- Removal of one privileged process: afm-user-daemon
-
Access and use of high level features:
-
Socket activation.
- Management of users and integration of PAM.
- Dependency resolution to services.
Cgroupsand resource control.Namespacescontainerization.- Autostart of required API.
- Permissions and security settings.
- Network management.
CGroups
Control Groups offer a lot of features, with the most useful ones you can
control: Memory usage, how much CPU time is allocated, how much device I/O is
allowed or which devices can be accessed. SystemD uses CGroups to organise
processes (each service is a CGroups, and all processes started by that
service use that CGroups). By default, SystemD automatically creates a
hierarchy of slice, scope and service units to provide a unified structure for
the CGroups tree. With the systemctl command, you can further modify this
structure by creating custom slices. Currently, in AGL, there are 2 slices
(user.slice and system.slice).
Namespaces
User side
There are several ways of authenticating users (Key Radio Frequency, Phone, Gesture, ...). Each authentication provides dynamic allocation of uids to authenticated users. Uids is used to ensure privacy of users and SMACK for applications privacy.
First, the user initiates authentication with PAM activation. PAM Standard offers highly configurable authentication with modular design like face recognition, Voice identification or with a password. Then users should access identity services with services and applications.