summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/core/kmod-setup.c2
-rw-r--r--src/core/main.c1
-rw-r--r--src/core/manager.c7
-rw-r--r--src/core/mount-setup.c22
-rw-r--r--src/core/mount-setup.h1
-rw-r--r--src/core/namespace.c9
-rw-r--r--src/dbus1-generator/dbus1-generator.c2
-rw-r--r--src/libsystemd/sd-bus/PORTING-DBUS110
-rw-r--r--src/libsystemd/sd-bus/bus-kernel.c60
-rw-r--r--src/libsystemd/sd-bus/bus-kernel.h1
-rw-r--r--src/libsystemd/sd-bus/kdbus.h40
-rw-r--r--src/libsystemd/sd-bus/sd-bus.c2
-rw-r--r--src/login/pam_systemd.c2
-rw-r--r--src/nspawn/nspawn.c62
-rw-r--r--src/shared/def.h4
-rw-r--r--units/systemd-bus-proxyd@.service.in2
-rw-r--r--units/user/systemd-bus-proxyd@.service.in2
17 files changed, 64 insertions, 165 deletions
diff --git a/src/core/kmod-setup.c b/src/core/kmod-setup.c
index 38e1726e08..8136d3c0f8 100644
--- a/src/core/kmod-setup.c
+++ b/src/core/kmod-setup.c
@@ -71,7 +71,7 @@ int kmod_setup(void) {
{ "unix", "/proc/net/unix", true, NULL },
/* IPC is needed before we bring up any other services */
- { "kdbus", "/sys/bus/kdbus", false, cmdline_check_kdbus },
+ { "kdbus", "/sys/fs/kdbus", false, cmdline_check_kdbus },
};
struct kmod_ctx *ctx = NULL;
unsigned int i;
diff --git a/src/core/main.c b/src/core/main.c
index 56a1f6193c..d563ae3509 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1556,6 +1556,7 @@ int main(int argc, char *argv[]) {
#ifdef HAVE_KMOD
kmod_setup();
#endif
+ mount_setup_late();
hostname_setup();
machine_id_setup(NULL);
loopback_setup();
diff --git a/src/core/manager.c b/src/core/manager.c
index 1bc36a6c41..2bc1058436 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -729,13 +729,6 @@ static int manager_setup_kdbus(Manager *m) {
}
log_debug("Successfully set up kdbus on %s", p);
-
- /* Create the namespace directory here, so that the contents
- * of that directory is not visible to non-root users. This is
- * necessary to ensure that users cannot get access to busses
- * of virtualized users when no UID namespacing is used. */
- if (m->running_as == SYSTEMD_SYSTEM)
- mkdir_p_label("/dev/kdbus/domain", 0700);
#endif
return 0;
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index cda25ede13..e9a2ec6886 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -110,6 +110,13 @@ static const MountPoint mount_table[] = {
#endif
};
+static const MountPoint mount_table_late[] = {
+#ifdef ENABLE_KDBUS
+ { "kdbusfs", "/sys/fs/kdbus", "kdbusfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ NULL, MNT_IN_CONTAINER },
+#endif
+};
+
/* These are API file systems that might be mounted by other software,
* we just list them here so that we know that we should ignore them */
@@ -221,6 +228,21 @@ int mount_setup_early(void) {
return r;
}
+int mount_setup_late(void) {
+ unsigned i;
+ int r = 0;
+
+ for (i = 0; i < ELEMENTSOF(mount_table_late); i ++) {
+ int j;
+
+ j = mount_one(mount_table_late + i, false);
+ if (r == 0)
+ r = j;
+ }
+
+ return r;
+}
+
int mount_cgroup_controllers(char ***join_controllers) {
_cleanup_set_free_free_ Set *controllers = NULL;
_cleanup_fclose_ FILE *f;
diff --git a/src/core/mount-setup.h b/src/core/mount-setup.h
index 4b521ad0e1..928bd6edfe 100644
--- a/src/core/mount-setup.h
+++ b/src/core/mount-setup.h
@@ -24,6 +24,7 @@
#include <stdbool.h>
int mount_setup_early(void);
+int mount_setup_late(void);
int mount_setup(bool loaded_policy);
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 4bc288de1d..eb7f2ad60d 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -145,7 +145,7 @@ static int mount_dev(BindMount *m) {
"/dev/tty\0";
char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
- const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devkdbus = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
+ const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
_cleanup_umask_ mode_t u;
int r;
@@ -185,10 +185,6 @@ static int mount_dev(BindMount *m) {
mkdir(devmqueue, 0755);
mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);
- devkdbus = strappenda(temporary_mount, "/dev/kdbus");
- mkdir(devkdbus, 0755);
- mount("/dev/kdbus", devkdbus, NULL, MS_BIND, NULL);
-
devhugepages = strappenda(temporary_mount, "/dev/hugepages");
mkdir(devhugepages, 0755);
mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);
@@ -254,9 +250,6 @@ fail:
if (devshm)
umount(devshm);
- if (devkdbus)
- umount(devkdbus);
-
if (devhugepages)
umount(devhugepages);
diff --git a/src/dbus1-generator/dbus1-generator.c b/src/dbus1-generator/dbus1-generator.c
index 3c4522b589..57af80c0e9 100644
--- a/src/dbus1-generator/dbus1-generator.c
+++ b/src/dbus1-generator/dbus1-generator.c
@@ -319,7 +319,7 @@ int main(int argc, char *argv[]) {
umask(0022);
- if (access("/dev/kdbus/control", F_OK) < 0)
+ if (access("/sys/fs/kdbus/control", F_OK) < 0)
return 0;
r = cg_pid_get_owner_uid(0, NULL);
diff --git a/src/libsystemd/sd-bus/PORTING-DBUS1 b/src/libsystemd/sd-bus/PORTING-DBUS1
index 81e94132b3..2dedb28bcf 100644
--- a/src/libsystemd/sd-bus/PORTING-DBUS1
+++ b/src/libsystemd/sd-bus/PORTING-DBUS1
@@ -14,11 +14,11 @@ GVariant compatible marshaler to your library first.
After you have done that: here's the basic principle how kdbus works:
-You connect to a bus by opening its bus node in /dev/kdbus/. All
+You connect to a bus by opening its bus node in /sys/fs/kdbus/. All
buses have a device node there, it starts with a numeric UID of the
owner of the bus, followed by a dash and a string identifying the
-bus. The system bus is thus called /dev/kdbus/0-system, and for user
-buses the device node is /dev/kdbus/1000-user (if 1000 is your user
+bus. The system bus is thus called /sys/fs/kdbus/0-system, and for user
+buses the device node is /sys/fs/kdbus/1000-user (if 1000 is your user
id).
(Before we proceed, please always keep a copy of libsystemd next
@@ -496,12 +496,12 @@ parameter.
Client libraries should use the following connection string when
connecting to the system bus:
- kernel:path=/dev/kdbus/0-system/bus;unix:path=/var/run/dbus/system_bus_socket
+ kernel:path=/sys/fs/kdbus/0-system/bus;unix:path=/var/run/dbus/system_bus_socket
This will ensure that kdbus is preferred over the legacy AF_UNIX
socket, but compatibility is kept. For the user bus use:
- kernel:path=/dev/kdbus/$UID-user/bus;unix:path=$XDG_RUNTIME_DIR/bus
+ kernel:path=/sys/fs/kdbus/$UID-user/bus;unix:path=$XDG_RUNTIME_DIR/bus
With $UID replaced by the callers numer user ID, and $XDG_RUNTIME_DIR
following the XDG basedir spec.
diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c
index 5e7bc12239..afac3b6bcc 100644
--- a/src/libsystemd/sd-bus/bus-kernel.c
+++ b/src/libsystemd/sd-bus/bus-kernel.c
@@ -1282,7 +1282,7 @@ int bus_kernel_create_bus(const char *name, bool world, char **s) {
assert(name);
assert(s);
- fd = open("/dev/kdbus/control", O_RDWR|O_NOCTTY|O_CLOEXEC);
+ fd = open("/sys/fs/kdbus/control", O_RDWR|O_NOCTTY|O_CLOEXEC);
if (fd < 0)
return -errno;
@@ -1323,7 +1323,7 @@ int bus_kernel_create_bus(const char *name, bool world, char **s) {
if (s) {
char *p;
- p = strjoin("/dev/kdbus/", n->str, "/bus", NULL);
+ p = strjoin("/sys/fs/kdbus/", n->str, "/bus", NULL);
if (!p) {
safe_close(fd);
return -ENOMEM;
@@ -1403,7 +1403,7 @@ int bus_kernel_open_bus_fd(const char *bus, char **path) {
int fd;
size_t len;
- len = strlen("/dev/kdbus/") + DECIMAL_STR_MAX(uid_t) + 1 + strlen(bus) + strlen("/bus") + 1;
+ len = strlen("/sys/fs/kdbus/") + DECIMAL_STR_MAX(uid_t) + 1 + strlen(bus) + strlen("/bus") + 1;
if (path) {
p = malloc(len);
@@ -1412,7 +1412,7 @@ int bus_kernel_open_bus_fd(const char *bus, char **path) {
*path = p;
} else
p = alloca(len);
- sprintf(p, "/dev/kdbus/" UID_FMT "-%s/bus", getuid(), bus);
+ sprintf(p, "/sys/fs/kdbus/" UID_FMT "-%s/bus", getuid(), bus);
fd = open(p, O_RDWR|O_NOCTTY|O_CLOEXEC);
if (fd < 0)
@@ -1585,58 +1585,6 @@ int bus_kernel_make_starter(
return fd;
}
-int bus_kernel_create_domain(const char *name, char **s) {
- struct kdbus_cmd_make *make;
- struct kdbus_item *n;
- int fd;
-
- assert(name);
- assert(s);
-
- fd = open("/dev/kdbus/control", O_RDWR|O_NOCTTY|O_CLOEXEC);
- if (fd < 0)
- return -errno;
-
- make = alloca0_align(ALIGN8(offsetof(struct kdbus_cmd_make, items) +
- offsetof(struct kdbus_item, str) +
- strlen(name) + 1),
- 8);
-
- n = make->items;
- strcpy(n->str, name);
- n->size = offsetof(struct kdbus_item, str) + strlen(n->str) + 1;
- n->type = KDBUS_ITEM_MAKE_NAME;
-
- make->size = ALIGN8(offsetof(struct kdbus_cmd_make, items) + n->size);
- make->flags = KDBUS_MAKE_ACCESS_WORLD;
-
- if (ioctl(fd, KDBUS_CMD_DOMAIN_MAKE, make) < 0) {
- safe_close(fd);
- return -errno;
- }
-
- /* The higher 32bit of the flags field are considered
- * 'incompatible flags'. Refuse them all for now. */
- if (make->flags > 0xFFFFFFFFULL) {
- safe_close(fd);
- return -ENOTSUP;
- }
-
- if (s) {
- char *p;
-
- p = strappend("/dev/kdbus/domain/", name);
- if (!p) {
- safe_close(fd);
- return -ENOMEM;
- }
-
- *s = p;
- }
-
- return fd;
-}
-
int bus_kernel_try_close(sd_bus *bus) {
assert(bus);
assert(bus->is_kernel);
diff --git a/src/libsystemd/sd-bus/bus-kernel.h b/src/libsystemd/sd-bus/bus-kernel.h
index f1d832a764..c1ee285cd1 100644
--- a/src/libsystemd/sd-bus/bus-kernel.h
+++ b/src/libsystemd/sd-bus/bus-kernel.h
@@ -71,7 +71,6 @@ int bus_kernel_make_starter(int fd, const char *name, bool activating, bool acce
int bus_kernel_create_bus(const char *name, bool world, char **s);
int bus_kernel_create_endpoint(const char *bus_name, const char *ep_name, char **path);
-int bus_kernel_create_domain(const char *name, char **s);
int bus_kernel_set_endpoint_policy(int fd, uid_t uid, BusEndpoint *ep);
diff --git a/src/libsystemd/sd-bus/kdbus.h b/src/libsystemd/sd-bus/kdbus.h
index a870b176cf..e3a80c352d 100644
--- a/src/libsystemd/sd-bus/kdbus.h
+++ b/src/libsystemd/sd-bus/kdbus.h
@@ -635,8 +635,8 @@ enum kdbus_make_flags {
* @kernel_flags: Supported flags for the used command, kernel → userspace
* @items: Items describing details
*
- * This structure is used with the KDBUS_CMD_BUS_MAKE, KDBUS_CMD_ENDPOINT_MAKE
- * and KDBUS_CMD_DOMAIN_MAKE ioctls.
+ * This structure is used with the KDBUS_CMD_BUS_MAKE and
+ * KDBUS_CMD_ENDPOINT_MAKE ioctls.
*/
struct kdbus_cmd_make {
__u64 size;
@@ -839,8 +839,6 @@ struct kdbus_cmd_match {
* name. The bus is immediately shut down and
* cleaned up when the opened "control" device node
* is closed.
- * KDBUS_CMD_DOMAIN_MAKE: Similar to KDBUS_CMD_BUS_MAKE, but it creates a
- * new kdbus domain.
* KDBUS_CMD_ENDPOINT_MAKE: Creates a new named special endpoint to talk to
* the bus. Such endpoints usually carry a more
* restrictive policy and grant restricted access
@@ -887,44 +885,42 @@ struct kdbus_cmd_match {
*/
#define KDBUS_CMD_BUS_MAKE _IOW(KDBUS_IOCTL_MAGIC, 0x00, \
struct kdbus_cmd_make)
-#define KDBUS_CMD_DOMAIN_MAKE _IOW(KDBUS_IOCTL_MAGIC, 0x10, \
- struct kdbus_cmd_make)
-#define KDBUS_CMD_ENDPOINT_MAKE _IOW(KDBUS_IOCTL_MAGIC, 0x20, \
+#define KDBUS_CMD_ENDPOINT_MAKE _IOW(KDBUS_IOCTL_MAGIC, 0x10, \
struct kdbus_cmd_make)
-#define KDBUS_CMD_HELLO _IOWR(KDBUS_IOCTL_MAGIC, 0x30, \
+#define KDBUS_CMD_HELLO _IOWR(KDBUS_IOCTL_MAGIC, 0x20, \
struct kdbus_cmd_hello)
-#define KDBUS_CMD_BYEBYE _IO(KDBUS_IOCTL_MAGIC, 0x31) \
+#define KDBUS_CMD_BYEBYE _IO(KDBUS_IOCTL_MAGIC, 0x21) \
-#define KDBUS_CMD_MSG_SEND _IOWR(KDBUS_IOCTL_MAGIC, 0x40, \
+#define KDBUS_CMD_MSG_SEND _IOWR(KDBUS_IOCTL_MAGIC, 0x30, \
struct kdbus_msg)
-#define KDBUS_CMD_MSG_RECV _IOWR(KDBUS_IOCTL_MAGIC, 0x41, \
+#define KDBUS_CMD_MSG_RECV _IOWR(KDBUS_IOCTL_MAGIC, 0x31, \
struct kdbus_cmd_recv)
-#define KDBUS_CMD_MSG_CANCEL _IOW(KDBUS_IOCTL_MAGIC, 0x42, \
+#define KDBUS_CMD_MSG_CANCEL _IOW(KDBUS_IOCTL_MAGIC, 0x32, \
struct kdbus_cmd_cancel)
-#define KDBUS_CMD_FREE _IOW(KDBUS_IOCTL_MAGIC, 0x43, \
+#define KDBUS_CMD_FREE _IOW(KDBUS_IOCTL_MAGIC, 0x33, \
struct kdbus_cmd_free)
-#define KDBUS_CMD_NAME_ACQUIRE _IOWR(KDBUS_IOCTL_MAGIC, 0x50, \
+#define KDBUS_CMD_NAME_ACQUIRE _IOWR(KDBUS_IOCTL_MAGIC, 0x40, \
struct kdbus_cmd_name)
-#define KDBUS_CMD_NAME_RELEASE _IOW(KDBUS_IOCTL_MAGIC, 0x51, \
+#define KDBUS_CMD_NAME_RELEASE _IOW(KDBUS_IOCTL_MAGIC, 0x41, \
struct kdbus_cmd_name)
-#define KDBUS_CMD_NAME_LIST _IOWR(KDBUS_IOCTL_MAGIC, 0x52, \
+#define KDBUS_CMD_NAME_LIST _IOWR(KDBUS_IOCTL_MAGIC, 0x42, \
struct kdbus_cmd_name_list)
-#define KDBUS_CMD_CONN_INFO _IOWR(KDBUS_IOCTL_MAGIC, 0x60, \
+#define KDBUS_CMD_CONN_INFO _IOWR(KDBUS_IOCTL_MAGIC, 0x50, \
struct kdbus_cmd_info)
-#define KDBUS_CMD_CONN_UPDATE _IOW(KDBUS_IOCTL_MAGIC, 0x61, \
+#define KDBUS_CMD_CONN_UPDATE _IOW(KDBUS_IOCTL_MAGIC, 0x51, \
struct kdbus_cmd_update)
-#define KDBUS_CMD_BUS_CREATOR_INFO _IOWR(KDBUS_IOCTL_MAGIC, 0x62, \
+#define KDBUS_CMD_BUS_CREATOR_INFO _IOWR(KDBUS_IOCTL_MAGIC, 0x52, \
struct kdbus_cmd_info)
-#define KDBUS_CMD_ENDPOINT_UPDATE _IOW(KDBUS_IOCTL_MAGIC, 0x71, \
+#define KDBUS_CMD_ENDPOINT_UPDATE _IOW(KDBUS_IOCTL_MAGIC, 0x61, \
struct kdbus_cmd_update)
-#define KDBUS_CMD_MATCH_ADD _IOW(KDBUS_IOCTL_MAGIC, 0x80, \
+#define KDBUS_CMD_MATCH_ADD _IOW(KDBUS_IOCTL_MAGIC, 0x70, \
struct kdbus_cmd_match)
-#define KDBUS_CMD_MATCH_REMOVE _IOW(KDBUS_IOCTL_MAGIC, 0x81, \
+#define KDBUS_CMD_MATCH_REMOVE _IOW(KDBUS_IOCTL_MAGIC, 0x71, \
struct kdbus_cmd_match)
#endif /* _KDBUS_UAPI_H_ */
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index e6b47f7fd8..b1a1f79d86 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -807,7 +807,7 @@ static int parse_container_kernel_address(sd_bus *b, const char **p, char **guid
machine = NULL;
free(b->kernel);
- b->kernel = strdup("/dev/kdbus/0-system/bus");
+ b->kernel = strdup("/sys/fs/kdbus/0-system/bus");
if (!b->kernel)
return -ENOMEM;
diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
index 0c71177deb..9250a6903a 100644
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@@ -180,7 +180,7 @@ static int export_legacy_dbus_address(
int r;
/* skip export if kdbus is not active */
- if (access("/dev/kdbus", F_OK) < 0)
+ if (access("/sys/fs/kdbus", F_OK) < 0)
return PAM_SUCCESS;
if (asprintf(&s, KERNEL_USER_BUS_FMT ";" UNIX_USER_BUS_FMT,
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index fca3222a87..c2311b36d5 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1441,26 +1441,6 @@ static int setup_journal(const char *directory) {
return 0;
}
-static int setup_kdbus(const char *dest, const char *path) {
- const char *p;
-
- if (!path)
- return 0;
-
- p = strappenda(dest, "/dev/kdbus");
- if (mkdir(p, 0755) < 0) {
- log_error("Failed to create kdbus path: %m");
- return -errno;
- }
-
- if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
- log_error("Failed to mount kdbus domain path: %m");
- return -errno;
- }
-
- return 0;
-}
-
static int drop_capabilities(void) {
return capability_bounding_set_drop(~arg_retain, false);
}
@@ -1546,7 +1526,7 @@ static int register_machine(pid_t pid, int local_ifindex) {
return r;
}
- r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 11,
+ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
/* Allow the container to
* access and create the API
* device nodes, so that
@@ -1566,18 +1546,7 @@ static int register_machine(pid_t pid, int local_ifindex) {
* container to ever create
* these device nodes. */
"/dev/pts/ptmx", "rw",
- "char-pts", "rw",
- /* Allow the container
- * access to all kdbus
- * devices. Again, the
- * container cannot create
- * these nodes, only use
- * them. We use a pretty
- * open match here, so that
- * the kernel API can still
- * change. */
- "char-kdbus", "rw",
- "char-kdbus/*", "rw");
+ "char-pts", "rw");
if (r < 0) {
log_error("Failed to add device whitelist: %s", strerror(-r));
return r;
@@ -2991,9 +2960,9 @@ static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo
int main(int argc, char *argv[]) {
- _cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
+ _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
- _cleanup_close_ int master = -1, kdbus_fd = -1, image_fd = -1;
+ _cleanup_close_ int master = -1, image_fd = -1;
_cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
_cleanup_fdset_free_ FDSet *fds = NULL;
int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
@@ -3140,26 +3109,6 @@ int main(int argc, char *argv[]) {
goto finish;
}
- if (access("/dev/kdbus/control", F_OK) >= 0) {
-
- if (arg_share_system) {
- kdbus_domain = strdup("/dev/kdbus");
- if (!kdbus_domain) {
- log_oom();
- goto finish;
- }
- } else {
- const char *ns;
-
- ns = strappenda("machine-", arg_machine);
- kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
- if (r < 0)
- log_debug("Failed to create kdbus domain: %s", strerror(-r));
- else
- log_debug("Successfully created kdbus domain as %s", kdbus_domain);
- }
- }
-
if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
log_error("Failed to create kmsg socket pair: %m");
goto finish;
@@ -3365,9 +3314,6 @@ int main(int argc, char *argv[]) {
if (mount_tmpfs(arg_directory) < 0)
_exit(EXIT_FAILURE);
- if (setup_kdbus(arg_directory, kdbus_domain) < 0)
- _exit(EXIT_FAILURE);
-
/* Tell the parent that we are ready, and that
* it can cgroupify us to that we lack access
* to certain devices and resources. */
diff --git a/src/shared/def.h b/src/shared/def.h
index 92394e8183..98e3e10fb6 100644
--- a/src/shared/def.h
+++ b/src/shared/def.h
@@ -62,7 +62,7 @@
#endif
#define UNIX_SYSTEM_BUS_PATH "unix:path=/var/run/dbus/system_bus_socket"
-#define KERNEL_SYSTEM_BUS_PATH "kernel:path=/dev/kdbus/0-system/bus"
+#define KERNEL_SYSTEM_BUS_PATH "kernel:path=/sys/fs/kdbus/0-system/bus"
#ifdef ENABLE_KDBUS
# define DEFAULT_SYSTEM_BUS_PATH KERNEL_SYSTEM_BUS_PATH ";" UNIX_SYSTEM_BUS_PATH
@@ -71,7 +71,7 @@
#endif
#define UNIX_USER_BUS_FMT "unix:path=%s/bus"
-#define KERNEL_USER_BUS_FMT "kernel:path=/dev/kdbus/"UID_FMT"-user/bus"
+#define KERNEL_USER_BUS_FMT "kernel:path=/sys/fs/kdbus/"UID_FMT"-user/bus"
#define PLYMOUTH_SOCKET { \
.un.sun_family = AF_UNIX, \
diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in
index eef703f2f7..fdcd3029fd 100644
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@@ -12,7 +12,7 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
# The first argument will be replaced by the service by information on
# the process requesting the proxy, we need a placeholder to keep the
# space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/dev/kdbus/0-system/bus --configuration=/etc/dbus-1/system.conf --configuration=/etc/dbus-1/system-local.conf --configuration=/etc/dbus-1/system.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus --configuration=/etc/dbus-1/system.conf --configuration=/etc/dbus-1/system-local.conf --configuration=/etc/dbus-1/system.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
NotifyAccess=main
CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
PrivateTmp=yes
diff --git a/units/user/systemd-bus-proxyd@.service.in b/units/user/systemd-bus-proxyd@.service.in
index 2f4df7cb5a..48294db266 100644
--- a/units/user/systemd-bus-proxyd@.service.in
+++ b/units/user/systemd-bus-proxyd@.service.in
@@ -12,5 +12,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
# The first argument will be replaced by the service by information on
# the process requesting the proxy, we need a placeholder to keep the
# space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/dev/kdbus/%U-user/bus --configuration=/etc/dbus-1/session.conf --configuration=/etc/dbus-1/session-local.conf --configuration=/etc/dbus-1/session.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus --configuration=/etc/dbus-1/session.conf --configuration=/etc/dbus-1/session-local.conf --configuration=/etc/dbus-1/session.d/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
NotifyAccess=main