[systemd-devel] jailrooting services with RootDirectory - how ?
Branko
brankob at avtomatika.com
Wed Sep 28 09:59:58 UTC 2022
On Wed, 28 Sep 2022 19:26:58 +1000 (AEST)
Michael Chapman <mike at very.puzzling.org> wrote:
> On Wed, 28 Sep 2022, Branko wrote:
> [...]
>
> No.
>
> I've given you a small, self-contained, working example.
>
> It's now your turn to give us a small, self-contained, non-working
> example, and to tell us what error messages and log messages you got
> for it.
OK. I h
Here is the my_debug source:
************************
#include <stdio.h>

int main(void) {
    printf("************ IT's WORKING ***************\n");
    return 0;
}
*******************************
It was compiled with "gcc --static -o my_debug my_debug.c"; the
executable is placed in /usr/local/bin/my_debug.
Service file:
********************************
[Service]
Type=exec
ExecStart=/usr/local/bin/my_debug
RootDirectory=/CHROOTS/my_debug
BindPaths=/usr/local/bin/my_debug:/CHROOTS/my_debug/usr/local/bin/my_debug
# just in case
BindPaths=/lib:/CHROOTS/my_debug/lib
BindPaths=/lib64:/CHROOTS/my_debug/lib64
BindPaths=/usr/lib64:/CHROOTS/my_debug/usr/lib64
BindPaths=/usr/lib:/CHROOTS/my_debug/usr/lib
********************************************
Debug log file:
*******************************************
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: Trying to enqueue job my_debug.service/start/replace
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: Installed new job my_debug.service/start as 24012
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: Enqueued job my_debug.service/start as 24012
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: Will spawn child (service_enter_start): /usr/local/bin/my_debug
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: Passing 0 fds to service
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: About to execute /usr/local/bin/my_debug
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: Forked /usr/local/bin/my_debug as 28731
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: Changed failed -> start
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /CHROOTS/my_debug on /CHROOTS/my_debug (MS_BIND|MS_REC "")...
sep 28 11:48:17 s5-fw systemd[1]: Starting my_debug.service...
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/CHROOTS/my_debug/lib
sep 28 11:48:17 s5-fw systemd[28731]: Followed source symlinks /lib → /lib.
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /lib on /CHROOTS/my_debug/CHROOTS/my_debug/lib (MS_BIND|MS_REC "")...
sep 28 11:48:17 s5-fw systemd[28731]: Successfully mounted /lib to /CHROOTS/my_debug/CHROOTS/my_debug/lib
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/CHROOTS/my_debug/lib64
sep 28 11:48:17 s5-fw systemd[28731]: Followed source symlinks /lib64 → /lib64.
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /lib64 on /CHROOTS/my_debug/CHROOTS/my_debug/lib64 (MS_BIND|MS_REC "")...
sep 28 11:48:17 s5-fw systemd[28731]: Successfully mounted /lib64 to /CHROOTS/my_debug/CHROOTS/my_debug/lib64
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/CHROOTS/my_debug/usr/lib
sep 28 11:48:17 s5-fw systemd[28731]: Followed source symlinks /usr/lib → /usr/lib.
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /usr/lib on /CHROOTS/my_debug/CHROOTS/my_debug/usr/lib (MS_BIND|MS_REC "")...
sep 28 11:48:17 s5-fw systemd[28731]: Successfully mounted /usr/lib to /CHROOTS/my_debug/CHROOTS/my_debug/usr/lib
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/CHROOTS/my_debug/usr/lib64
sep 28 11:48:17 s5-fw systemd[28731]: Followed source symlinks /usr/lib64 → /usr/lib64.
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /usr/lib64 on /CHROOTS/my_debug/CHROOTS/my_debug/usr/lib64 (MS_BIND|MS_REC "")...
sep 28 11:48:17 s5-fw systemd[28731]: Successfully mounted /usr/lib64 to /CHROOTS/my_debug/CHROOTS/my_debug/usr/lib64
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/CHROOTS/my_debug/usr/local/bin/my_debug
sep 28 11:48:17 s5-fw systemd[28731]: Followed source symlinks /usr/local/bin/my_debug → /usr/local/bin/my_debug.
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /usr/local/bin/my_debug on /CHROOTS/my_debug/CHROOTS/my_debug/usr/local/bin/my_debug (MS_BIN>
sep 28 11:48:17 s5-fw systemd[28731]: Successfully mounted /usr/local/bin/my_debug to /CHROOTS/my_debug/CHROOTS/my_debug/usr/local/bin/my_debug
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/dev
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /dev on /CHROOTS/my_debug/dev (MS_BIND|MS_REC "")...
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/proc
sep 28 11:48:17 s5-fw systemd[28731]: Mounting proc (proc) on /CHROOTS/my_debug/proc (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/run
sep 28 11:48:17 s5-fw systemd[28731]: Mounting tmpfs (tmpfs) on /CHROOTS/my_debug/run (0 "")...
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/run/credentials
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/run/systemd/incoming
sep 28 11:48:17 s5-fw systemd[28731]: Followed source symlinks /run/systemd/propagate/my_debug.service → /run/systemd/propagate/my_debug.service.
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /run/systemd/propagate/my_debug.service on /CHROOTS/my_debug/run/systemd/incoming (MS_BIND ">
sep 28 11:48:17 s5-fw systemd[28731]: Failed to mount /run/systemd/propagate/my_debug.service (type n/a) on /CHROOTS/my_debug/run/systemd/incomi>
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /run/systemd/propagate/my_debug.service on /CHROOTS/my_debug/run/systemd/incoming (MS_BIND ">
sep 28 11:48:17 s5-fw systemd[28731]: Successfully mounted /run/systemd/propagate/my_debug.service to /CHROOTS/my_debug/run/systemd/incoming
sep 28 11:48:17 s5-fw systemd[28731]: Applying namespace mount on /CHROOTS/my_debug/sys
sep 28 11:48:17 s5-fw systemd[28731]: Bind-mounting /sys on /CHROOTS/my_debug/sys (MS_BIND|MS_REC "")...
sep 28 11:48:17 s5-fw systemd[28731]: Remounted /CHROOTS/my_debug/run/systemd/incoming.
sep 28 11:48:17 s5-fw systemd[28731]: Remounted /CHROOTS/my_debug/proc.
sep 28 11:48:17 s5-fw systemd[28731]: Remounted /CHROOTS/my_debug/sys/fs/fuse/connections.
sep 28 11:48:17 s5-fw systemd[28731]: Remounted /CHROOTS/my_debug/sys/kernel/debug.
sep 28 11:48:17 s5-fw systemd[28731]: Remounted /CHROOTS/my_debug/sys/fs/selinux.
sep 28 11:48:17 s5-fw systemd[28731]: Remounted /CHROOTS/my_debug/sys/fs/bpf.
sep 28 11:48:17 s5-fw systemd[28731]: Remounted /CHROOTS/my_debug/sys/fs/cgroup.
sep 28 11:48:17 s5-fw systemd[28731]: Remounted /CHROOTS/my_debug/sys.
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: got exec-fd event
sep 28 11:48:17 s5-fw systemd[1]: my_debug.service: Got EOF on exec-fd while it was disabled, ignoring.
****************************************************************
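An added check, not part of the post or of systemd itself, that reproduces the path resolution the log above shows: with RootDirectory= set, systemd takes the destination half of each BindPaths= entry relative to that root (systemd.exec(5)), so a destination that already carries the /CHROOTS/my_debug prefix is mounted at /CHROOTS/my_debug/CHROOTS/my_debug/..., exactly as logged. The script parses a constructed copy of the unit snippet, computes the host-side mount target for each entry and flags the doubled prefix; it assumes only the RootDirectory= and BindPaths= keys matter and ignores the rest of the unit.

```python
"""Resolve where systemd mounts each BindPaths= entry when RootDirectory= is
set and flag destinations that already carry the root prefix (added example)."""
import posixpath

# Constructed sample: the relevant [Service] keys from the post above.
UNIT_TEXT = """\
[Service]
RootDirectory=/CHROOTS/my_debug
BindPaths=/usr/local/bin/my_debug:/CHROOTS/my_debug/usr/local/bin/my_debug
# just in case
BindPaths=/lib:/CHROOTS/my_debug/lib
"""

def parse_service(text):
    """Return (root_directory, [(source, destination), ...]) for a unit file."""
    root, binds = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "RootDirectory":
            root = value
        elif key == "BindPaths":
            if not value:                 # an empty assignment resets the list
                binds.clear()
            for entry in value.split():   # "source[:destination[:options]]"
                src, _, rest = entry.partition(":")
                dst = rest.split(":")[0] if rest else src
                binds.append((src, dst))
    return root, binds

def effective_mounts(root, binds):
    """Per bind: the host path systemd mounts on (root + destination, per
    systemd.exec(5)) and whether the destination already starts with root."""
    out = []
    for src, dst in binds:
        target = posixpath.normpath(root + dst) if root else dst
        nested = bool(root) and (dst == root or dst.startswith(root.rstrip("/") + "/"))
        out.append({"source": src, "destination": dst,
                    "host_target": target, "double_prefix": nested})
    return out

if __name__ == "__main__":
    for m in effective_mounts(*parse_service(UNIT_TEXT)):
        warn = "   <-- destination already includes RootDirectory" if m["double_prefix"] else ""
        print(f"{m['source']} -> {m['host_target']}{warn}")
```

Writing the destinations as paths inside the root (BindPaths=/lib, or /lib:/lib) makes the same function report /CHROOTS/my_debug/lib with no warning.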