[systemd-devel] Unable to mask /proc using currently available options (InaccessiblePaths...)
Timothée Ravier
siosm99 at gmail.com
Wed Apr 12 16:27:27 UTC 2017
Hi,
I would like to make the /proc directory inaccessible for some services.
Unfortunately, adding the InaccessiblePaths=/proc option to a service unit will
not work.
With systemd v233, during the filesystem layout setup for the new service, an
empty directory will be mounted on top of /proc first (in core:namespace.c:
setup_namespace(): apply_mount()) and then mount points will be turned readonly
(in core:namespace.c: setup_namespace(): make_read_only()), using
/proc/mountinfo which is now unavailable. Thus this step will fail.
With systemd v233, it is possible to work around this issue, leaving only a single
/proc/self/mountinfo file available, using this hack:

    $ umask 0277
    $ mkdir -p /.proc/self
    $ touch /.proc/self/mountinfo

And in the unit:

    BindReadOnlyPaths=/.proc:/proc /proc/self/mountinfo:/.proc/self/mountinfo

But this is not really pretty.
I would like your opinion on the following suggestions before writing code:
* Should I extend the MountVFSAPI option to support the case where the
RootImage and RootDirectory options are not set?
* Should I add a special HideProc option to support hiding /proc for
conventional services?
As a side note, debug logs in core/namespace.c are non-functional. A call to
log_open() appears to be missing.
Thanks
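
Added example (not part of the original message and not systemd code): a shell check meant to run inside the service's mount namespace, for instance from an ExecStartPre= line, that confirms /proc exposes nothing but self/mountinfo once the workaround above is in place. The function names, the --check argument and the PROC_ROOT variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that a service only sees the stub /proc built by the
# workaround above (a directory holding nothing but self/mountinfo).
# PROC_ROOT and --check are hypothetical names chosen for this example.

# Print every entry below the given root other than self and self/mountinfo.
# A real procfs would list PID directories, sys, kallsyms and so on here.
unexpected_proc_entries() {
    root=${1:-/proc}
    root=${root%/}    # tolerate a trailing slash
    find "$root" -mindepth 1 2>/dev/null | while IFS= read -r path; do
        rel=${path#"$root"/}
        case "$rel" in
            self|self/mountinfo) ;;            # the only entries the stub provides
            *) printf '%s\n' "$rel" ;;
        esac
    done
}

# Succeed only if mountinfo is still reachable (systemd needs it while setting
# up the namespace) and nothing else from procfs is visible.
proc_is_masked() {
    root=${1:-/proc}
    [ -e "$root/self/mountinfo" ] || return 1
    [ -z "$(unexpected_proc_entries "$root")" ]
}

# Stand-alone use: "script --check" exits non-zero and lists what leaked.
if [ "${1:-}" = "--check" ]; then
    if proc_is_masked "${PROC_ROOT:-/proc}"; then
        echo "/proc is masked"
    else
        echo "/proc is NOT masked; visible entries:" >&2
        unexpected_proc_entries "${PROC_ROOT:-/proc}" | head -n 20 >&2
        exit 1
    fi
fi
```

On an unsandboxed host the check fails and lists the first procfs entries it found, which is the expected result there.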