[systemd-devel] namespace problem

Mantas Mikulėnas grawity at gmail.com
Thu Jul 18 12:04:35 UTC 2024


On Thu, Jul 18, 2024 at 2:14 PM Thomas Köller <thomas at koeller.dyndns.org>
wrote:

> > Does it use any hardening options at all?
>
> Thanks for the hint. As it seems this is an undocumented side effect of
> 'ProtectSystem = full'. From reading the docs I got the impression that
> only file system access is affected by this parameter.
>

Yes, but namespace persistence actually relies on filesystem access – it's
implemented as a bind-mount of the namespace file descriptor (onto
/run/netns for the 'ip netns' tool), as otherwise namespaces only exist as
long as the processes that hold them do.

So if you have any service options that cause a new *mount* namespace to be
created (preventing its filesystem mounts from being visible outside the
unit), then it cannot pin persistent network namespaces.

(It's also a bit overkill to use ProtectSystem for this kind of script,
really.)

-- 
Mantas Mikulėnas
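As an added illustration (not part of the original message or of systemd itself), a small POSIX shell check that lists the [Service] options in a unit file which, per systemd.exec(5), make systemd set up a private mount namespace for the unit; the option list is a hand-picked subset, and the unit file content is constructed for the demonstration.

```shell
#!/bin/sh
# Lists [Service] options that make systemd create a private mount namespace.
# Mounts made inside such a unit (e.g. 'ip netns add' bind-mounting the netns
# fd onto /run/netns/NAME) are not visible on the host and vanish with the unit.
# Hand-picked subset of the options documented in systemd.exec(5), not generated.
MOUNTNS_OPTS="ProtectSystem ProtectHome PrivateTmp PrivateDevices PrivateMounts \
ReadOnlyPaths ReadWritePaths InaccessiblePaths TemporaryFileSystem BindPaths \
BindReadOnlyPaths ProtectKernelTunables ProtectControlGroups RootDirectory \
RootImage MountAPIVFS"

# Print "Key=value" for every matching assignment in the [Service] section.
# Boolean-off values (no/false/off/0) and empty resets ("Key=") are skipped.
mountns_options() {
    unit="$1"
    awk -v opts="$MOUNTNS_OPTS" '
        BEGIN { n = split(opts, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[[:space:]]*[#;]/ { next }                              # comment lines
        /^[[:space:]]*\[/ { insvc = ($0 ~ /^[[:space:]]*\[Service\]/); next }
        insvc && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (!(key in want)) next
            lv = tolower(val)
            if (val == "" || lv == "no" || lv == "false" || lv == "off" || lv == "0") next
            print key "=" val
        }' "$unit"
}

# Returns 1 (and names the culprits) when the unit gets a private mount namespace.
check_unit() {
    found=$(mountns_options "$1")
    if [ -n "$found" ]; then
        printf 'private mount namespace implied by:\n%s\n' "$found"
        return 1
    fi
    echo "no mount-namespace options found in $1"
    return 0
}
```

Run it as `check_unit /etc/systemd/system/my-netns.service`; a non-zero exit tells you which option explains a namespace that disappears when the unit exits.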