[systemd-devel] jailrooting services with RootDirectory - how ?

Branko brankob at avtomatika.com
Wed Sep 28 08:40:56 UTC 2022


On Wed, 28 Sep 2022 18:11:14 +1000 (AEST)
Michael Chapman <mike at very.puzzling.org> wrote:

Sure, but this example is kind of useless, as it doesn't bind-mount
anything into the chroot.

We have already established (sorry, it seems I didn't post it to the
whole list):

1. After the service fails to start, it doesn't properly unmount all mounts.
Quite some stuff tends to stay mounted. I assume it might also fail to
mount some maps.

2. Even if I move the chroot dir outside of the hierarchy that I bind-mount
through BindPaths (like /CHROOTS/my_debug), after a failed start it tends
to grow one or a couple of levels down (so I get
/CHROOTS/my_debug/CHROOTS/my_debug etc. etc.).

3. If I manually bind-mount all the needed dirs into the chroot dir before I
start the service, it runs fine (minus the fact that it makes deeper-level
maps into the chroot)...

I'm running systemd-251.4 on Gentoo and it has a couple of patches:
  - 251-revert-fortify-source-3-fix.patch
  - gentoo-generator-path-r2.patch
  - gentoo-systemctl-disable-sysv-sync-r1.patch
  - gentoo-journald-audit.patch
At first glance, none of those seems relevant to this case...

I run the gentoo-hardened profile, in case that matters.



> > Is there a simple demo example that uses it that I could try?
> 
> This worked for me:
> 
>     $ cd /tmp/root
>     $ cat hello.c
>     #include <stdio.h>
> 
>     int main(void) {
>         puts("Hello, world!");
>     }
>     $ clang -static -o hello hello.c
>     $ cat /etc/systemd/system/hello.service 
>     [Service]
>     Type=oneshot
>     ExecStart=/hello
>     RootDirectory=/tmp/root
>     $ systemctl daemon-reload
>     $ systemctl start hello.service
>     $ systemctl status hello.service
>     ○ hello.service
>          Loaded: loaded (/etc/systemd/system/hello.service; static)
>          Active: inactive (dead)
> 
>     Sep 28 18:07:35 hostname systemd[1]: Finished hello.service.
>     Sep 28 18:08:54 hostname systemd[1]: Starting hello.service...
>     Sep 28 18:08:54 hostname hello[510676]: Hello, world!
>     Sep 28 18:08:54 hostname systemd[1]: hello.service: Deactivated successfully.
>     Sep 28 18:08:54 hostname systemd[1]: Finished hello.service.


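As an added example (not code from either poster), a small POSIX sh check for the leftover and self-nested mounts described in points 1 and 2 above: on a live system, feed it the output of `findmnt -rn -o TARGET` after a failed start of a unit with RootDirectory=/CHROOTS/my_debug. The findmnt lines embedded below are a constructed sample, not output from the reporter's system.

```shell
#!/bin/sh
# Added example, not from the thread: audit what is still mounted under a
# service's RootDirectory after a failed start, and flag the nested
# ROOT/.../ROOT pattern (chroot bind-mounted into its own tree).
# Input: one mount target per line, as printed by `findmnt -rn -o TARGET`.

# Print every mount target at or below ROOT. The match is on a path-component
# boundary, so /CHROOTS/my_debug2/dev is NOT reported for ROOT=/CHROOTS/my_debug.
mounts_under() {
    root=${1%/}
    while IFS= read -r target; do
        case "$target" in
            "$root"|"$root"/*) printf '%s\n' "$target" ;;
        esac
    done
}

# Print mount targets where ROOT appears again inside itself, i.e. the
# "/CHROOTS/my_debug/CHROOTS/my_debug" growth reported in point 2.
nested_under() {
    root=${1%/}
    mounts_under "$root" | while IFS= read -r target; do
        case "${target#"$root"}" in
            *"$root"/*|*"$root") printf '%s\n' "$target" ;;
        esac
    done
}

# Constructed sample of findmnt output: a normal host plus leftovers from a
# failed start of a RootDirectory=/CHROOTS/my_debug unit using BindPaths.
SAMPLE_MOUNTS='/
/proc
/sys
/dev
/CHROOTS/my_debug
/CHROOTS/my_debug/dev
/CHROOTS/my_debug/proc
/CHROOTS/my_debug/CHROOTS/my_debug
/CHROOTS/my_debug/CHROOTS/my_debug/dev
/CHROOTS/my_debug2/dev
/home'

# Helpers returning counts, so the sample can be checked without a live system.
count_stale()  { printf '%s\n' "$SAMPLE_MOUNTS" | mounts_under  "$1" | wc -l | tr -d ' '; }
count_nested() { printf '%s\n' "$SAMPLE_MOUNTS" | nested_under "$1" | wc -l | tr -d ' '; }

# Live usage: findmnt -rn -o TARGET | mounts_under /CHROOTS/my_debug
```

A non-empty `mounts_under` listing right after `systemctl status` reports the unit as failed is the stale-mount condition from point 1; anything from `nested_under` is the self-nesting from point 2.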