117 lines
6.2 KiB
Diff
117 lines
6.2 KiB
Diff
From c789d2f457d2e160d00760aa3ecfd6883c64cf5f Mon Sep 17 00:00:00 2001
|
|
From: Topi Miettinen <toiwoton@gmail.com>
|
|
Date: Sat, 27 Nov 2021 12:51:39 +0200
|
|
Subject: [PATCH] namespace: allow ProcSubset=pid with some ProtectKernel
|
|
options
|
|
|
|
In case `/proc` is successfully mounted with pid tree subset only due to
|
|
`ProcSubset=pid`, the protective mounts for `ProtectKernelTunables=yes` and
|
|
`ProtectKernelLogs=yes` to non-pid `/proc` paths are failing because the paths
|
|
don't exist. But the pid only option may have failed gracefully (for example
|
|
because of ancient kernel), so let's try the mounts but it's not fatal if they
|
|
don't succeed.
|
|
|
|
(cherry picked from commit 788e720181aead8c85ba30fc7ec9a1455a865cbe)
|
|
|
|
Conflict:NA
|
|
Reference:https://github.com/systemd/systemd/commit/c789d2f457d2e160d00760aa3ecfd6883c64cf5f
|
|
---
|
|
src/core/namespace.c | 42 ++++++++++++++++++++++++++++++++++--------
|
|
1 file changed, 34 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/core/namespace.c b/src/core/namespace.c
|
|
index 9251871384..b933d46cf6 100644
|
|
--- a/src/core/namespace.c
|
|
+++ b/src/core/namespace.c
|
|
@@ -101,7 +101,7 @@ static const MountEntry apivfs_table[] = {
|
|
};
|
|
|
|
/* ProtectKernelTunables= option and the related filesystem APIs */
|
|
-static const MountEntry protect_kernel_tunables_table[] = {
|
|
+static const MountEntry protect_kernel_tunables_proc_table[] = {
|
|
{ "/proc/acpi", READONLY, true },
|
|
{ "/proc/apm", READONLY, true }, /* Obsolete API, there's no point in permitting access to this, ever */
|
|
{ "/proc/asound", READONLY, true },
|
|
@@ -116,6 +116,9 @@ static const MountEntry protect_kernel_tunables_table[] = {
|
|
{ "/proc/sys", READONLY, true },
|
|
{ "/proc/sysrq-trigger", READONLY, true },
|
|
{ "/proc/timer_stats", READONLY, true },
|
|
+};
|
|
+
|
|
+static const MountEntry protect_kernel_tunables_sys_table[] = {
|
|
{ "/sys", READONLY, false },
|
|
{ "/sys/fs/bpf", READONLY, true },
|
|
{ "/sys/fs/cgroup", READWRITE_IMPLICIT, false }, /* READONLY is set by ProtectControlGroups= option */
|
|
@@ -133,8 +136,11 @@ static const MountEntry protect_kernel_modules_table[] = {
|
|
};
|
|
|
|
/* ProtectKernelLogs= option */
|
|
-static const MountEntry protect_kernel_logs_table[] = {
|
|
+static const MountEntry protect_kernel_logs_proc_table[] = {
|
|
{ "/proc/kmsg", INACCESSIBLE, true },
|
|
+};
|
|
+
|
|
+static const MountEntry protect_kernel_logs_dev_table[] = {
|
|
{ "/dev/kmsg", INACCESSIBLE, true },
|
|
};
|
|
|
|
@@ -1554,9 +1560,11 @@ static size_t namespace_calculate_mounts(
|
|
(n_extension_images > 0 ? n_hierarchies + n_extension_images : 0) + /* Mount each image plus an overlay per hierarchy */
|
|
n_temporary_filesystems +
|
|
ns_info->private_dev +
|
|
- (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
|
|
+ (ns_info->protect_kernel_tunables ?
|
|
+ ELEMENTSOF(protect_kernel_tunables_proc_table) + ELEMENTSOF(protect_kernel_tunables_sys_table) : 0) +
|
|
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
|
|
- (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
|
|
+ (ns_info->protect_kernel_logs ?
|
|
+ ELEMENTSOF(protect_kernel_logs_proc_table) + ELEMENTSOF(protect_kernel_logs_dev_table) : 0) +
|
|
(ns_info->protect_control_groups ? 1 : 0) +
|
|
protect_home_cnt + protect_system_cnt +
|
|
(ns_info->protect_hostname ? 2 : 0) +
|
|
@@ -2037,10 +2045,21 @@ int setup_namespace(
|
|
.flags = DEV_MOUNT_OPTIONS,
|
|
};
|
|
|
|
+ /* In case /proc is successfully mounted with pid tree subset only (ProcSubset=pid), the
|
|
+ protective mounts to non-pid /proc paths would fail. But the pid only option may have
|
|
+ failed gracefully, so let's try the mounts but it's not fatal if they don't succeed. */
|
|
+ bool ignore_protect_proc = ns_info->ignore_protect_paths || ns_info->proc_subset == PROC_SUBSET_PID;
|
|
if (ns_info->protect_kernel_tunables) {
|
|
r = append_static_mounts(&m,
|
|
- protect_kernel_tunables_table,
|
|
- ELEMENTSOF(protect_kernel_tunables_table),
|
|
+ protect_kernel_tunables_proc_table,
|
|
+ ELEMENTSOF(protect_kernel_tunables_proc_table),
|
|
+ ignore_protect_proc);
|
|
+ if (r < 0)
|
|
+ goto finish;
|
|
+
|
|
+ r = append_static_mounts(&m,
|
|
+ protect_kernel_tunables_sys_table,
|
|
+ ELEMENTSOF(protect_kernel_tunables_sys_table),
|
|
ns_info->ignore_protect_paths);
|
|
if (r < 0)
|
|
goto finish;
|
|
@@ -2057,8 +2076,15 @@ int setup_namespace(
|
|
|
|
if (ns_info->protect_kernel_logs) {
|
|
r = append_static_mounts(&m,
|
|
- protect_kernel_logs_table,
|
|
- ELEMENTSOF(protect_kernel_logs_table),
|
|
+ protect_kernel_logs_proc_table,
|
|
+ ELEMENTSOF(protect_kernel_logs_proc_table),
|
|
+ ignore_protect_proc);
|
|
+ if (r < 0)
|
|
+ goto finish;
|
|
+
|
|
+ r = append_static_mounts(&m,
|
|
+ protect_kernel_logs_dev_table,
|
|
+ ELEMENTSOF(protect_kernel_logs_dev_table),
|
|
ns_info->ignore_protect_paths);
|
|
if (r < 0)
|
|
goto finish;
|
|
--
|
|
2.33.0
|
|
|