5 https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-5/2-SystemD.md
8 <!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml -->
12 `afm-system-daemon` is used to:
14 - Manage users and user sessions.
15 - Setup applications and services (_CGroups_, _namespaces_, autostart, permissions).
16 - Use of `libsystemd` for its programs (event management, **D-Bus** interface).
18 <!-- section-config -->
20 Domain | Object | Recommendations
21 ------------------ | -------------- | ------------------------------------
22 Platform-SystemD-1 | Security model | Use Namespaces for containerization.
23 Platform-SystemD-2 | Security model | Use CGroups to organise processes.
25 <!-- end-section-config -->
27 See [systemd integration and user management](http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf) for more information.
31 - Removal of one privileged process: **afm-user-daemon**
32 - Access and use of high level features:
35 - Management of users and integration of **PAM**.
36 - Dependency resolution to services.
37 - `Cgroups` and resource control.
38 - `Namespaces` containerization.
39 - Autostart of required API.
40 - Permissions and security settings.
47 Control Groups offer a lot of features, with the most useful ones you can
48 control: Memory usage, how much CPU time is allocated, how much device I/O is
49 allowed or which devices can be accessed. **SystemD** uses _CGroups_ to organise
50 processes (each service is a _CGroups_, and all processes started by that
51 service use that _CGroups_). By default, **SystemD** automatically creates a
52 hierarchy of slice, scope and service units to provide a unified structure for
53 the _CGroups_ tree. With the `systemctl` command, you can further modify this
54 structure by creating custom slices. Currently, in AGL, there are 2 slices
55 (**user.slice** and **system.slice**).
61 There are several ways of authenticating users (Key Radio Frequency, Phone,
62 Gesture, ...). Each authentication provides dynamic allocation of **uids** to
63 authenticated users. **Uids** is used to ensure privacy of users and **SMACK**
64 for applications privacy.
66 First, the user initiates authentication with **PAM** activation. **PAM**
67 Standard offers highly configurable authentication with modular design like
68 face recognition, Voice identification or with a password. Then users should
69 access identity services with services and applications.