<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body> <div> <a class="bz_bug_link bz_status_RESOLVED bz_closed" title="RESOLVED WONTFIX - CONFIG_GRKERNSEC_PROC prevents systemd's active users to have enough permission" href="https://bugs.freedesktop.org/show_bug.cgi?id=65575#c10">Comment # 10</a> on <a class="bz_bug_link bz_status_RESOLVED bz_closed" title="RESOLVED WONTFIX - CONFIG_GRKERNSEC_PROC prevents systemd's active users to have enough permission" href="https://bugs.freedesktop.org/show_bug.cgi?id=65575">bug 65575</a> from <a class="email" href="mailto:lennart@poettering.net" title="Lennart Poettering <lennart@poettering.net>"> Lennart Poettering</a> <pre>(In reply to <a href="show_bug.cgi?id=65575#c9">comment #9</a>) > Please reopen. This could be replicated on vanilla kernel by ”mount /proc > -oremount,hidepid=1” Well, this sounds useful, but I don't see how we can support this, we need access to the PID directory of the sender of messages, to collect metadata, there's really no way around it. This also needed by policykit and similar software. I think the current concept of hidepid=1 is really not compatible with how operating systems work these days. Unfortunately hidepid=1 is implemented as a global boolean setting, instead of a per-/proc-instance setting. If it was the latter would neatly support it in systemd, by simply enabling it for specific services, by placing them in a mount namespace of their own and then mounting a /proc instance with the flag set into them. But, unfortunately, hidepid=1 applies to all /proc instances the same way currently, so we cannot do that. (This is fixable though in the kernel, but nobody has done that yet).</pre> </div> <hr> You are receiving this mail because: <ul> <li>You are the QA Contact for the bug.</li> <li>You are the assignee for the bug.</li> </ul> </body> </html>