[systemd-devel] jailrooting services with RootDirectory - how ?
Branko
brankob at avtomatika.com
Wed Sep 28 08:40:56 UTC 2022
On Wed, 28 Sep 2022 18:11:14 +1000 (AEST)
Michael Chapman <mike at very.puzzling.org> wrote:
Sure, but this example is kind of useless as it doesn't bind-mount
anything into the chroot.
We have already established (sorry, didn't post it to the whole list,
it seems):
1. After the service fails to start, it doesn't properly unmount all mounts.
Quite some stuff tends to stay mounted. I assume it might also fail to
mount some maps.
2. Even if I move the chroot dir outside of the hierarchy that I bind-mount
through BindPaths (like /CHROOTS/my_debug), after a failed start it tends
to grow one or a couple of levels down (so I get
/CHROOTS/my_Debug/CHROOTS/my_debug etc.).
3. If I manually bind-mount all the needed dirs into the chroot dir before I
start the service, it runs fine (minus the fact that it makes deeper-level
maps into the chroot)...
I'm running systemd-251.4 on gentoo and it has a couple of patches:
- 251-revert-fortify-source-3-fix.patch
- gentoo-generator-path-r2.patch
- gentoo-systemctl-disable-sysv-sync-r1.patch
- gentoo-journald-audit.patch
At first glance, none of those seems relevant to this case...
I run the gentoo-hardened profile, in case that matters.
> > Is there a simple demo example that uses it that I could try ?
>
> This worked for me:
>
> $ cd /tmp/root
> $ cat hello.c
> #include <stdio.h>
>
> int main(void) {
> puts("Hello, world!");
> }
> $ clang -static -o hello hello.c
> $ cat /etc/systemd/system/hello.service
> [Service]
> Type=oneshot
> ExecStart=/hello
> RootDirectory=/tmp/root
> $ systemctl daemon-reload
> $ systemctl start hello.service
> $ systemctl status hello.service
> ○ hello.service
> Loaded: loaded (/etc/systemd/system/hello.service; static)
> Active: inactive (dead)
>
> Sep 28 18:07:35 hostname systemd[1]: Finished hello.service.
> Sep 28 18:08:54 hostname systemd[1]: Starting hello.service...
> Sep 28 18:08:54 hostname hello[510676]: Hello, world!
> Sep 28 18:08:54 hostname systemd[1]: hello.service: Deactivated successfully.
> Sep 28 18:08:54 hostname systemd[1]: Finished hello.service.
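The two symptoms described above (bind mounts left behind after a failed start, and the chroot being bind-mounted into itself so that ROOT/ROOT/... appears) are easiest to confirm from /proc/self/mountinfo rather than by eye. The script below is an added example for this purpose; it is not code from the thread or from systemd. It reads a mountinfo-format file (field 5 is the mount point), lists everything mounted at or below a given RootDirectory deepest-first, flags entries where the root path occurs twice, and can print the umount commands needed to clean up. The sample mountinfo it embeds is constructed to mimic the situation in the post; the function names and the DRY_RUN variable are this example's own. Paths containing spaces (octal-escaped in mountinfo) are not decoded.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or systemd): inspect a
# /proc/self/mountinfo-style file for mounts left under a RootDirectory
# after a failed service start, and for a chroot nested into itself.
# mountinfo fields: 1 mount id, 2 parent id, 3 major:minor, 4 root,
# 5 mount point, 6 options, ... "-" fstype source superoptions.

# Constructed sample standing in for /proc/self/mountinfo on an affected
# host: /CHROOTS/my_debug has proc and /usr mounted into it, plus a copy
# of itself one level down (the "grows a level" symptom from the post).
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
36 25 0:32 / /CHROOTS/my_debug/proc rw,nosuid - proc proc rw
37 25 8:1 /usr /CHROOTS/my_debug/usr rw,relatime - ext4 /dev/sda1 rw
38 25 8:1 /CHROOTS/my_debug /CHROOTS/my_debug/CHROOTS/my_debug rw - ext4 /dev/sda1 rw
39 25 8:1 /usr /CHROOTS/my_debug/CHROOTS/my_debug/usr rw - ext4 /dev/sda1 rw
40 25 0:5 / /CHROOTS/other/dev rw - devtmpfs udev rw
EOF

# mounts_under ROOT [FILE]: mount points at or below ROOT (an absolute path
# without trailing slash), one per line, longest path first so that the
# list can be fed straight to umount without hitting "target is busy".
mounts_under() {
    root=$1
    file=${2:-/proc/self/mountinfo}
    awk -v root="$root" '
        $5 == root || index($5, root "/") == 1 { print $5 }
    ' "$file" | awk '{ print length, $0 }' | sort -rn | cut -d' ' -f2-
}

# nested_under ROOT [FILE]: mount points where ROOT appears again directly
# beneath ROOT, i.e. the chroot directory was bind-mounted into itself.
nested_under() {
    root=$1
    file=${2:-/proc/self/mountinfo}
    awk -v root="$root" '
        $5 == root root || index($5, root root "/") == 1 { print $5 }
    ' "$file"
}

# umount_under ROOT [FILE]: unmount everything mounts_under reports, deepest
# first. With DRY_RUN=1 only the umount commands are printed.
umount_under() {
    mounts_under "$1" "$2" | while IFS= read -r mp; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "umount $mp"
        else
            umount "$mp"
        fi
    done
}

# Demonstration on the constructed sample.
echo "mounts left under /CHROOTS/my_debug:"
mounts_under /CHROOTS/my_debug "$SAMPLE_FILE"
echo "chroot nested into itself:"
nested_under /CHROOTS/my_debug "$SAMPLE_FILE"
echo "cleanup commands:"
DRY_RUN=1 umount_under /CHROOTS/my_debug "$SAMPLE_FILE"
```

Run it as root against the live table by omitting the FILE argument after a failed `systemctl start`; a non-empty `nested_under` output is the direct signature of the recursion described in point 2, and `mounts_under` run before and after a start attempt shows exactly which bind mounts from BindPaths were not torn down.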