<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED WONTFIX - CONFIG_GRKERNSEC_PROC prevents systemd's active users to have enough permission"
href="https://bugs.freedesktop.org/show_bug.cgi?id=65575#c10">Comment # 10</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED WONTFIX - CONFIG_GRKERNSEC_PROC prevents systemd's active users to have enough permission"
href="https://bugs.freedesktop.org/show_bug.cgi?id=65575">bug 65575</a>
from <span class="vcard"><a class="email" href="mailto:lennart@poettering.net" title="Lennart Poettering <lennart@poettering.net>"> <span class="fn">Lennart Poettering</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=65575#c9">comment #9</a>)
<span class="quote">> Please reopen. This could be replicated on vanilla kernel by "mount /proc
> -oremount,hidepid=1"</span>
Well, this sounds useful, but I don't see how we can support this, we need
access to the PID directory of the sender of messages, to collect metadata,
there's really no way around it.
This is also needed by policykit and similar software. I think the current concept
of hidepid=1 is really not compatible with how operating systems work these
days.
Unfortunately hidepid=1 is implemented as a global boolean setting, instead of
a per-/proc-instance setting. If it was the latter, we would neatly support it in
systemd, by simply enabling it for specific services, by placing them in a
mount namespace of their own and then mounting a /proc instance with the flag
set into them. But, unfortunately, hidepid=1 applies to all /proc instances the
same way currently, so we cannot do that. (This is fixable though in the
kernel, but nobody has done that yet.)</pre>
</div>
</p>
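<p>As an added illustration of the constraint described in the comment above (example code, not part of the bug report or of systemd's own code): a service that learns a peer's PID, e.g. from SO_PEERCRED, and then reads that PID's /proc metadata, classifying the failure modes hidepid produces, plus a helper that reports the hidepid option of a proc mount from a /proc/mounts line. It assumes a Linux /proc is mounted; note that since Linux 5.8 hidepid is a per-mount-instance option and /proc/mounts shows it by name (e.g. hidepid=invisible), which is why the helper returns the option text rather than a number.</p>

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of reading a peer's /proc/PID metadata. */
enum peer_meta { PEER_OK = 0, PEER_GONE = 1, PEER_HIDDEN = 2, PEER_ERROR = 3 };

/* Read /proc/PID/comm for a peer whose PID came from SO_PEERCRED (or D-Bus
 * sender credentials). ENOENT: process gone, or invisible under hidepid=2;
 * EACCES: directory exists but is off limits, which is what hidepid=1 does
 * for another user's processes. Either way the metadata is unavailable. */
enum peer_meta read_peer_comm(pid_t pid, char *out, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/comm", (long)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno == ENOENT ? PEER_GONE : errno == EACCES ? PEER_HIDDEN : PEER_ERROR;
    ssize_t n = read(fd, out, len - 1);
    close(fd);
    if (n < 0) return PEER_ERROR;
    out[n] = '\0';
    if (n > 0 && out[n - 1] == '\n') out[n - 1] = '\0';   /* comm ends with '\n' */
    return PEER_OK;
}

/* Given one /proc/mounts line: returns 1 and copies the hidepid value into val
 * ("1", "2", or on newer kernels "noaccess"/"invisible"/"ptraceable"), 0 when
 * the proc mount has no hidepid option, -1 when the line is not a proc mount.
 * Lets an operator explain why a service cannot see its peers' PID directories. */
int proc_hidepid_option(const char *line, char *val, size_t len)
{
    char dev[64], mnt[256], type[32], opts[512];
    if (sscanf(line, "%63s %255s %31s %511s", dev, mnt, type, opts) != 4)
        return -1;
    if (strcmp(type, "proc") != 0)
        return -1;
    for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ",")) {
        if (strncmp(tok, "hidepid=", 8) == 0) {
            snprintf(val, len, "%s", tok + 8);
            return 1;
        }
    }
    val[0] = '\0';
    return 0;
}
```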
</body>
</html>