[systemd-devel] ioctl calls from within sandboxed unit
Moritz Sanft
moritz.sanft at outlook.de
Mon Jun 10 11:20:12 UTC 2024
Hi,
I'm currently trying to execute systemd-dissect from within a quite
sandboxed service. I've set PrivateDevices = "no" and DeviceAllow to
block-loop and loop-control. However, systemd-dissect still runs into an
error when trying to talk to the loop device:
ioctl(6, BLKPG, {op=BLKPG_DEL_PARTITION, flags=0, datalen=152, data={start=0, length=0, pno=1, devname="/dev/loop0p1", volname=""}}) = -1 EACCES (Permission denied)
Do you guys have any pointers on which other sandboxing settings I need
to tweak? I've fiddled around with capabilities and syscall filters
(which both shouldn't be a problem), but no luck.
For reference, the (presumably) relevant parts of the service config:
SecureBits=0
User=root
DynamicUser=no
SetLoginEnvironment=no
RemoveIPC=yes
PrivateTmp=yes
PrivateDevices=no
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
PrivateNetwork=no
PrivateUsers=yes
PrivateMounts=yes
PrivateIPC=no
ProtectHome=yes
ProtectSystem=strict
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=yes
MemoryDenyWriteExecute=no
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
ProtectProc=invisible
ProcSubset=all
ProtectHostname=yes
Moritz Sanft
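Added diagnostic, not part of Moritz's post and not systemd code. It checks the two things that a partition ioctl like the BLKPG above depends on and that DeviceAllow= does not control: DeviceAllow= gates open() of the device node, while BLKPG is gated by the kernel's capable(CAP_SYS_ADMIN) check, which only honours capabilities held in the initial user namespace. A unit with PrivateUsers=yes runs in its own user namespace and holds capabilities only there, so that is the setting a practitioner would look at first when the node opens fine but the ioctl returns EACCES. The function names, the constructed masks and the "unknown" handling for ProtectProc=invisible are mine; run it from ExecStart= in the sandboxed unit and compare the output with a plain root shell.

```shell
#!/bin/sh
# Added diagnostic (assumption: BLKPG requires capable(CAP_SYS_ADMIN),
# i.e. CAP_SYS_ADMIN in the initial user namespace; DeviceAllow= only
# governs open() of the device node, not privileged ioctls on it).

CAP_SYS_ADMIN=21          # bit index from linux/capability.h

# cap_bit_set HEXMASK BIT: succeeds when BIT is set in the 64-bit mask as
# printed in /proc/PID/status (e.g. "CapEff: 000001ffffffffff", no 0x prefix).
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps PID: the CapEff mask of a process, or empty if unreadable.
effective_caps() {
    sed -n 's/^CapEff:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null
}

# userns_state: prints "initial", "child" or "unknown" for the caller.
# It compares our user namespace with PID 1's; with ProtectProc=invisible
# PID 1 is not visible, so the answer is then "unknown" rather than a guess.
userns_state() {
    mine=$(readlink /proc/self/ns/user 2>/dev/null)
    init=$(readlink /proc/1/ns/user 2>/dev/null)
    if [ -z "$mine" ] || [ -z "$init" ]; then
        echo unknown
    elif [ "$mine" = "$init" ]; then
        echo initial
    else
        echo child
    fi
}

# blkpg_allowed: succeeds only when the caller holds CAP_SYS_ADMIN and is
# in the initial user namespace, the combination capable() requires.
blkpg_allowed() {
    caps=$(effective_caps self)
    [ -n "$caps" ] && cap_bit_set "$caps" "$CAP_SYS_ADMIN" \
        && [ "$(userns_state)" = initial ]
}

# report: human-readable verdict; always exits 0 so it can run under set -e.
report() {
    caps=$(effective_caps self)
    ns=$(userns_state)
    echo "CapEff=${caps:-unreadable} user_namespace=$ns"
    if [ -n "$caps" ] && cap_bit_set "$caps" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN: present in this namespace"
    else
        echo "CAP_SYS_ADMIN: absent, privileged block ioctls such as BLKPG will fail"
    fi
    case $ns in
        child)
            echo "child user namespace (e.g. PrivateUsers=yes): capabilities here do not satisfy capable() for block device ioctls" ;;
        unknown)
            echo "cannot compare with PID 1 (ProtectProc=invisible hides it): check PrivateUsers= in the unit" ;;
    esac
    if blkpg_allowed; then
        echo "verdict: BLKPG-style ioctls should be permitted by the capability check"
    else
        echo "verdict: BLKPG-style ioctls will be refused with EACCES by the capability check"
    fi
}

report
```

The verdict only covers the capability check; seccomp filters (SystemCallFilter=) and the device cgroup still apply on top of it, so a "permitted" verdict means the capability side is in order, not that every other sandbox setting is.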