]> git.ipfire.org Git - thirdparty/systemd.git/commit
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 32b69b1) | patch
core/namespace: stop applying mount options on private cgroupfs mount
authorMike Yuan <me@yhndnzj.com>
Sun, 16 Mar 2025 20:55:29 +0000 (21:55 +0100)
committerMike Yuan <me@yhndnzj.com>
Sun, 30 Mar 2025 16:57:18 +0000 (18:57 +0200)
commit1614d0c45190eed6cccae3b98856cefcd9f0bcbc
treef3fdca3c191d380d718f64619191c5863b2827f8tree | snapshot
parent32b69b190b74c0e03416572dffa31b598511e33fcommit | diff
core/namespace: stop applying mount options on private cgroupfs mount

We always unshare cgroup ns for ProtectControlGroups=private/strict,
while the mount options only apply to the cgroupfs instance
in initial cgns (c.f.
https://github.com/torvalds/linux/blob/b69bb476dee99d564d65d418e9a20acca6f32c3f/kernel/cgroup/cgroup.c#L1984)
Hence let's drop the thing wholesale.

Also, as noted in the comment already, mount_private_apivfs()
internally enforces nosuid/noexec, so drop explicit flags too.
src/core/namespace.c diff | blob | blame | history
src/shared/mount-setup.c diff | blob | blame | history
src/shared/mount-setup.h diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.