systemd attestor, additional selectors for template and instance names

[kfox1111]

Currently supported selctors:

systemd:id	The unit Id of the workload (e.g. systemd:id:nginx.service)

It seems like ID includes the instance name in the case its templated. For example, if the template is [email protected] and the instance started [email protected], the selector is systemd:id:[email protected]. This is a useful selector.

It would be useful too though, to have the values: [email protected] and bar available as selectors. Maybe we add the selectors:

systemd:template Set to the template name of the workload (e.g. systemd:template:[email protected]) if its templated
systemd:instance Set to the instance name of the workload (eg.. a on systemctl start [email protected]) if its templated

[rturner3]

@kfox1111 Are you interested in these template and instance selectors because you want to select on one, but not the other? Or are you mostly interested in differentiating when a systemd unit is templatized vs. not?

I'm curious to learn more about the use case since it looks like these selectors duplicate the information in the existing ID selector.

[kfox1111]

For my own use, I want to match on the template rather then a specific instance. so match all foo@service.

[rturner3]

Got it. Do you need the instance selector? It seems like otherwise duplicate information to what is in the id selector.

Do you have any idea how we can produce this template selector?

[kfox1111]

hmm... I could live without it. Just thought more selectors were better then not.

I believe they all have an @ in their name. So if the ID has an @, slice off any characters between the first @ and the last '.' and use that as the template name?

[sorindumitru]

Looks like the interface provided by systemd through dbus doesn't have a field for the template name, but it has one for the fragment path:

$ gdbus introspect --system --dest org.freedesktop.systemd1 --object-path /org/freedesktop/systemd1/unit/systemd_2dbacklight_40leds_3achromes_3akbd_5fbacklight_2eservice
...
      readonly s FragmentPath = '/usr/lib/systemd/system/[email protected]';

Looking at the systemd attestor, we already emit the fragment path as a selector. @kfox1111 does this selector work for your needs?

[kfox1111]

Hmm... the same service could be managed via /usr/lib/systemd/system/[email protected] or /etc/systemd/system/[email protected], which is a little awkward, so may need two entries in some cases, but I think I can use that for now.

Maybe we make a selector for fragment, without the path in the name, for just the filepath.Base of fragment_path?

[sorindumitru]

Maybe, but we should also think about the security properties that the selector provides. I'm thinking about the fact that systemd also supports user services so you would want to know if [email protected] is the one from /home/malice/[email protected] or the system installed one in /usr/lib/systemd (or any other path that only privileged users have access to).

I'll see if I can find some more documentation about how FragmentPath is deduced.