[systemd-devel] ProtectSystem, ReadWritePaths and remounting the underlying file system
Marek Szuba
marecki at gentoo.org
Sun Aug 20 14:45:20 UTC 2023
Dear everyone,

TL;DR: It appears that a systemd unit containing

    ProtectSystem=full
    SystemCallFilter=~@mount
    ReadWritePaths=-/boot/EFI

and launched on a system where /boot is initially mounted ro, keeps
thinking /boot is read-only even after it has been remounted rw; it is
necessary for the unit to be restarted for the change in question to
take effect. Is this intentional? Is there some way such a change could
be propagated to the unit's filesystem namespace? Or failing that, at
least so that remounting /boot automatically stops (it's a
dbus-activated unit so it will come back up when needed) fwupd.service.

The wider context here is that I have seen this happening for quite a
while with fwupd, see e.g. https://github.com/fwupd/fwupd/issues/6046 ,
where it makes unattended BIOS updates a bit more convoluted.

Thanks in advance!
--
MS
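
Added example, not part of the original post and not systemd or fwupd code: one way to observe the mismatch described above is to compare the mount covering /boot/EFI in the host's mountinfo table with the one in the unit's namespace. The two sample tables are constructed for illustration and the function names are hypothetical.

```shell
#!/bin/sh
# Reads a mountinfo table on stdin and prints the state of the mount that
# covers PATH ($1): "<mountpoint> mnt=<ro|rw> sb=<ro|rw>".
# mnt = per-mount flag (field 6), sb = superblock flag (last field).
mount_state() {
    awk -v path="$1" '
    {
        mp = $5
        # keep only mounts at or above PATH; the longest (and latest) wins
        if (mp != path && mp != "/" && index(path, mp "/") != 1) next
        if (length(mp) < length(best)) next
        i = 7                          # skip optional fields up to "-"
        while (i <= NF && $i != "-") i++
        split($6, m, ","); split($(i + 3), s, ",")
        best = mp; mnt = m[1]; sb = s[1]
    }
    END { if (best != "") print best " mnt=" mnt " sb=" sb }'
}

# Succeeds when the path is writable in the host view ($1) but not in the
# unit view ($2); both arguments are mount_state output lines.
stale_ro() {
    case "$1" in *" mnt=rw sb=rw") ;; *) return 1 ;; esac
    case "$2" in ""|*" mnt=rw sb=rw") return 1 ;; esac
    return 0
}

# Constructed sample: host view after /boot was remounted rw.
host_sample() { cat <<'EOF'
25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
31 25 8:1 / /boot rw,relatime shared:12 - vfat /dev/sda1 rw,fmask=0022
EOF
}

# Constructed sample: what a unit started while /boot was ro might show.
unit_sample() { cat <<'EOF'
410 380 8:2 / / rw,relatime shared:201 master:1 - ext4 /dev/sda2 rw
415 410 8:1 / /boot ro,relatime shared:205 master:12 - vfat /dev/sda1 rw,fmask=0022
416 415 8:1 /EFI /boot/EFI ro,relatime shared:206 master:12 - vfat /dev/sda1 rw,fmask=0022
EOF
}

h=$(host_sample | mount_state /boot/EFI)
u=$(unit_sample | mount_state /boot/EFI)
echo "host: $h"; echo "unit: $u"
stale_ro "$h" "$u" && echo "unit namespace still sees /boot/EFI read-only"
```

On a live system, feed `mount_state` from `/proc/1/mountinfo` for the host view and from `/proc/<MainPID>/mountinfo` for the unit, where the PID comes from `systemctl show -p MainPID --value fwupd.service`.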