[systemd-devel] Should services be able to run without /proc?

Antonius Frie antonius.frie at ruhr-uni-bochum.de
Tue Feb 9 14:57:29 UTC 2021 

Hi!

So this is kind of a follow-up to the thread in [1], and the 
corresponding PR in [2].

In short, the PR made some changes to allow for cases where /proc was 
not available in the mount namespace of the service, and added a test 
[3] to make sure that this would work. This test was later removed and 
rewritten to block /sys instead [4], because it turned out that having 
/proc unavailable sometimes caused problems with close_all_fds(), which 
is called in exec_child() after namespaces have been set up.

On current master, services that don't have /proc mounted don't work at 
all anymore, since find_executable_full() ends up opening the given path 
and calling access_fd() on the resulting fd, and access_fd uses 
/proc/self/fd/* to turn the fd back into a path it can call access() on. 
As far as I can tell, the reason for not using access on the path 
directly is that access_fd is more elegant since it avoids a potential 
race condition.

In addition to this, setup_private_users() also needs access to 
/proc/$pid/{uid_map, gid_map, setgroups} to do its job.

Given all this, I guess my question is whether it is still desirable to 
allow units to run without /proc, especially given that ProtectProc and 
ProcSubset exist now.* If not, it might be nice to just always mount 
/proc if it wouldn't otherwise be there (i.e. if RootImage/RootDirectory 
is used); currently, MountAPIVFS=yes is basically a required option 
because of this. (I guess you could mount proc manually, but then you 
can't use ProtectProc/ProcSubset.) I'm a bit unhappy about this, because 
MountAPIVFS also mounts /sys and /dev, and then you need separate 
options just to protect those again. Either way, maybe it would be good 
to explicitly state this requirement in the documentation?

Anyway, I hope that this was okay to post here, I don't really know a 
lot about this and maybe there are good reasons for why things are the 
way they are. I'd be happy about feedback though.

Cheers,
Antonius

* Using both ProtectProc=ptraceable and ProcSubset=pid really doesn't
let a lot of things through, and I don't think those interfere with any 
of the functions described above. The only thing I'm unsure about is 
setup_private_users(), since that spawns off a child process which then
goes and writes to /proc/$parent_pid/, but I guess children can ptrace
their parents? At least it seemed to work when I just tested it.

[1]: 
https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
[2]: https://github.com/systemd/systemd/pull/5985
[3]: https://github.com/systemd/systemd/pull/6017
[4]: 
https://github.com/systemd/systemd/commit/054d871d41039fcfc1a4a661c979941b9660c9e6

More information about the systemd-devel mailing list