[systemd-devel] ReadOnlyDirectories and new mounts
Yuriy M. Kaminskiy
yumkam at gmail.com
Mon Apr 11 19:22:09 UTC 2016
I have a long-running service with tight restrictions:

ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/foobar
ReadWriteDirectories=-/var/log/foobar
ReadWriteDirectories=-/var/run

I mounted some new directory on the main system, and noticed that
newly-mounted directories have read-write permissions inside the service
mount namespace:

nsenter -t `pidof foobar` -m cat /proc/self/mounts | grep -w rw

That's pretty bad, but I'm not sure how it can be solved.

Of course, I can set MountFlags=private, and it will break mount
propagation to the service mount namespace - however, it will also break
*umount* propagation, which can also be extremely problematic (if a
removable device was mounted when the service is (re)started, such a service
will keep it mounted even after the "host/main" system unmounted the device).

Or systemd may be fixed to watch for new mounts, then perform something
akin to `nsenter -t $MAINPID mount -o remount,ro $new_mounted_path`;
however, there will be a window between the mount and the service namespace fixup.
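An audit helper in the spirit of the nsenter check above, added here as an example and not part of the original post: it reads /proc/<pid>/mounts lines and lists read-write mounts whose mount point is not under any of the unit's ReadWriteDirectories= paths. The sample mount table is constructed, and audit_service (which shells out to systemctl and nsenter and needs root) is an assumption about how one would run it against a live unit.

```shell
#!/bin/sh
# Added example: report mounts that are rw inside a service's mount namespace
# but are not covered by the unit's ReadWriteDirectories= allow list.

# Constructed sample of /proc/self/mounts as seen from inside the namespace.
SAMPLE_MOUNTS='/dev/sda1 / ext4 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /var/lib/foobar ext4 rw,relatime 0 0
/dev/sda1 /var/log/foobar ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,relatime 0 0
/dev/sda1 /usr ext4 ro,relatime 0 0'

# is_under PATH PREFIX: true if PATH equals PREFIX or lies below it.
is_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# unexpected_rw ALLOWED... < mounts: print mount points that carry the rw
# option and are not under any allowed prefix. Field 2 of each line is the
# mount point and field 4 the option string.
unexpected_rw() {
    while read -r _dev mnt _fs opts _rest; do
        case ",$opts," in *,rw,*) ;; *) continue ;; esac
        allowed=0
        for p in "$@"; do
            if is_under "$mnt" "$p"; then allowed=1; break; fi
        done
        if [ "$allowed" -eq 0 ]; then printf '%s\n' "$mnt"; fi
    done
}

# audit_service NAME ALLOWED...: run the check against a live unit by entering
# its main process's mount namespace (assumed invocation; needs root).
audit_service() {
    name=$1; shift
    pid=$(systemctl show -p MainPID --value "$name")
    nsenter -t "$pid" -m cat /proc/self/mounts | unexpected_rw "$@"
}

# Sample run with the post's allow list (/var/run usually resolves to /run,
# so both spellings are passed). Only the foreign mount is reported.
printf '%s\n' "$SAMPLE_MOUNTS" | unexpected_rw /proc /var/lib/foobar /var/log/foobar /var/run /run
# prints: /media/usb
```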