@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b MountAPIVFS = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly b BindJournalSockets = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KeyringMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectProc = '...';
<!--property MountAPIVFS is not documented!-->
+ <!--property BindJournalSockets is not documented!-->
+
<!--property KeyringMode is not documented!-->
<!--property ProtectProc is not documented!-->
<variablelist class="dbus-property" generated="True" extra-ref="MountAPIVFS"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="BindJournalSockets"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="KeyringMode"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectProc"/>
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b MountAPIVFS = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly b BindJournalSockets = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KeyringMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectProc = '...';
<!--property MountAPIVFS is not documented!-->
+ <!--property BindJournalSockets is not documented!-->
+
<!--property KeyringMode is not documented!-->
<!--property ProtectProc is not documented!-->
<variablelist class="dbus-property" generated="True" extra-ref="MountAPIVFS"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="BindJournalSockets"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="KeyringMode"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectProc"/>
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b MountAPIVFS = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly b BindJournalSockets = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KeyringMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectProc = '...';
<!--property MountAPIVFS is not documented!-->
+ <!--property BindJournalSockets is not documented!-->
+
<!--property KeyringMode is not documented!-->
<!--property ProtectProc is not documented!-->
<variablelist class="dbus-property" generated="True" extra-ref="MountAPIVFS"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="BindJournalSockets"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="KeyringMode"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectProc"/>
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b MountAPIVFS = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly b BindJournalSockets = ...;
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KeyringMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s ProtectProc = '...';
<!--property MountAPIVFS is not documented!-->
+ <!--property BindJournalSockets is not documented!-->
+
<!--property KeyringMode is not documented!-->
<!--property ProtectProc is not documented!-->
<variablelist class="dbus-property" generated="True" extra-ref="MountAPIVFS"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="BindJournalSockets"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="KeyringMode"/>
<variablelist class="dbus-property" generated="True" extra-ref="ProtectProc"/>
<para><varname>StatusBusError</varname>,
<varname>StatusVarlinkError</varname>,
<varname>LiveMountResult</varname>,
- <varname>PrivateTmpEx</varname>, and
- <varname>ImportCredentialEx</varname> were added in version 257.</para>
+ <varname>PrivateTmpEx</varname>,
+ <varname>ImportCredentialEx</varname>, and
+ <varname>BindJournalSockets</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Socket Unit Objects</title>
<varname>EffectiveTasksMax</varname>,
<varname>MemoryZSwapWriteback</varname>, and
<varname>PassFileDescriptorsToExec</varname> were added in version 256.</para>
- <para><varname>PrivateTmpEx</varname>, and
- <varname>ImportCredentialEx</varname> were added in version 257.</para>
+ <para><varname>PrivateTmpEx</varname>,
+ <varname>ImportCredentialEx</varname>, and
+ <varname>BindJournalSockets</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Mount Unit Objects</title>
<varname>EffectiveMemoryMax</varname>,
<varname>EffectiveTasksMax</varname>, and
<varname>MemoryZSwapWriteback</varname> were added in version 256.</para>
- <para><varname>PrivateTmpEx</varname>, and
- <varname>ImportCredentialEx</varname> were added in version 257.</para>
+ <para><varname>PrivateTmpEx</varname>,
+ <varname>ImportCredentialEx</varname>, and
+ <varname>BindJournalSockets</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Swap Unit Objects</title>
<varname>EffectiveMemoryMax</varname>,
<varname>EffectiveTasksMax</varname>, and
<varname>MemoryZSwapWriteback</varname> were added in version 256.</para>
- <para><varname>PrivateTmpEx</varname>, and
- <varname>ImportCredentialEx</varname> were added in version 257.</para>
+ <para><varname>PrivateTmpEx</varname>,
+ <varname>ImportCredentialEx</varname>, and
+ <varname>BindJournalSockets</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Slice Unit Objects</title>
<xi:include href="version-info.xml" xpointer="v233"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>BindJournalSockets=</varname></term>
+
+ <listitem><para>Takes a boolean argument. If true, sockets from <citerefentry>
+ <refentrytitle>systemd-journald.socket</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ will be bind mounted into the mount namespace. This is particularly useful when a different instance
+ of <filename>/run/</filename> is employed, to make sure processes running in the namespace
+ can still make use of <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+
+ <para>This option is implied when <varname>LogNamespace=</varname> is used,
+ when <varname>MountAPIVFS=yes</varname>, or when <varname>PrivateDevices=yes</varname> is used
+ in conjunction with either <varname>RootDirectory=</varname> or <varname>RootImage=</varname>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>ProtectProc=</varname></term>
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_personality, personality, unsigned long);
static BUS_DEFINE_PROPERTY_GET(property_get_ioprio, "i", ExecContext, exec_context_get_effective_ioprio);
static BUS_DEFINE_PROPERTY_GET(property_get_mount_apivfs, "b", ExecContext, exec_context_get_effective_mount_apivfs);
+static BUS_DEFINE_PROPERTY_GET(property_get_bind_journal_sockets, "b", ExecContext, exec_context_get_effective_bind_journal_sockets);
static BUS_DEFINE_PROPERTY_GET2(property_get_ioprio_class, "i", ExecContext, exec_context_get_effective_ioprio, ioprio_prio_class);
static BUS_DEFINE_PROPERTY_GET2(property_get_ioprio_priority, "i", ExecContext, exec_context_get_effective_ioprio, ioprio_prio_data);
static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_empty_string, "s", NULL);
SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("TemporaryFileSystem", "a(ss)", property_get_temporary_filesystems, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("MountAPIVFS", "b", property_get_mount_apivfs, 0, SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("BindJournalSockets", "b", property_get_bind_journal_sockets, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("KeyringMode", "s", property_get_exec_keyring_mode, offsetof(ExecContext, keyring_mode), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectProc", "s", property_get_protect_proc, offsetof(ExecContext, protect_proc), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProcSubset", "s", property_get_proc_subset, offsetof(ExecContext, proc_subset), SD_BUS_VTABLE_PROPERTY_CONST),
if (streq(name, "MountAPIVFS"))
return bus_set_transient_tristate(u, name, &c->mount_apivfs, message, flags, error);
+ if (streq(name, "BindJournalSockets"))
+ return bus_set_transient_tristate(u, name, &c->bind_journal_sockets, message, flags, error);
+
if (streq(name, "PrivateNetwork"))
return bus_set_transient_bool(u, name, &c->private_network, message, flags, error);
.private_tmp = needs_sandboxing ? context->private_tmp : false,
.mount_apivfs = needs_sandboxing && exec_context_get_effective_mount_apivfs(context),
+ .bind_journal_sockets = needs_sandboxing && exec_context_get_effective_bind_journal_sockets(context),
/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
.mount_nosuid = needs_sandboxing && context->no_new_privileges && !mac_selinux_use(),
context->ipc_namespace_path ||
context->private_mounts > 0 ||
context->mount_apivfs > 0 ||
+ context->bind_journal_sockets > 0 ||
context->n_bind_mounts > 0 ||
context->n_temporary_filesystems > 0 ||
context->root_directory ||
if (r < 0)
return r;
+ r = serialize_item_tristate(f, "exec-context-bind-journal-sockets", c->bind_journal_sockets);
+ if (r < 0)
+ return r;
+
r = serialize_item_tristate(f, "exec-context-memory-ksm", c->memory_ksm);
if (r < 0)
return r;
r = safe_atoi(val, &c->mount_apivfs);
if (r < 0)
return r;
+ } else if ((val = startswith(l, "exec-context-bind-journal-sockets="))) {
+ r = safe_atoi(val, &c->bind_journal_sockets);
+ if (r < 0)
+ return r;
} else if ((val = startswith(l, "exec-context-memory-ksm="))) {
r = safe_atoi(val, &c->memory_ksm);
if (r < 0)
context->directories[EXEC_DIRECTORY_LOGS].n_items > 0))
return true;
- if (context->log_namespace)
+ if (exec_context_get_effective_bind_journal_sockets(context))
return true;
return false;
.tty_cols = UINT_MAX,
.private_mounts = -1,
.mount_apivfs = -1,
+ .bind_journal_sockets = -1,
.memory_ksm = -1,
.set_login_environment = -1,
};
"%sProtectHome: %s\n"
"%sProtectSystem: %s\n"
"%sMountAPIVFS: %s\n"
+ "%sBindJournalSockets: %s\n"
"%sIgnoreSIGPIPE: %s\n"
"%sMemoryDenyWriteExecute: %s\n"
"%sRestrictRealtime: %s\n"
prefix, protect_home_to_string(c->protect_home),
prefix, protect_system_to_string(c->protect_system),
prefix, yes_no(exec_context_get_effective_mount_apivfs(c)),
+ prefix, yes_no(exec_context_get_effective_bind_journal_sockets(c)),
prefix, yes_no(c->ignore_sigpipe),
prefix, yes_no(c->memory_deny_write_execute),
prefix, yes_no(c->restrict_realtime),
return false;
}
+bool exec_context_get_effective_bind_journal_sockets(const ExecContext *c) {
+ assert(c);
+
+ /* If log namespace is specified, "/run/systemd/journal.namespace/" would be bind mounted to
+ * "/run/systemd/journal/", which effectively means BindJournalSockets=yes */
+ if (c->log_namespace)
+ return true;
+
+ if (c->bind_journal_sockets >= 0)
+ return c->bind_journal_sockets > 0;
+
+ if (exec_context_get_effective_mount_apivfs(c))
+ return true;
+
+ /* When PrivateDevices=yes, /dev/log gets symlinked to /run/systemd/journal/dev-log */
+ if (exec_context_with_rootfs(c) && c->private_devices)
+ return true;
+
+ return false;
+}
+
void exec_context_free_log_extra_fields(ExecContext *c) {
assert(c);
int private_mounts;
int mount_apivfs;
+ int bind_journal_sockets;
int memory_ksm;
PrivateTmp private_tmp;
bool private_network;
int exec_context_get_effective_ioprio(const ExecContext *c);
bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
+bool exec_context_get_effective_bind_journal_sockets(const ExecContext *c);
void exec_context_free_log_extra_fields(ExecContext *c);
{{type}}.ProtectHome, config_parse_protect_home, 0, offsetof({{type}}, exec_context.protect_home)
{{type}}.MountFlags, config_parse_exec_mount_propagation_flag, 0, offsetof({{type}}, exec_context.mount_propagation_flag)
{{type}}.MountAPIVFS, config_parse_tristate, 0, offsetof({{type}}, exec_context.mount_apivfs)
+{{type}}.BindJournalSockets, config_parse_tristate, 0, offsetof({{type}}, exec_context.bind_journal_sockets)
{{type}}.Personality, config_parse_personality, 0, offsetof({{type}}, exec_context.personality)
{{type}}.RuntimeDirectoryPreserve, config_parse_exec_preserve_mode, 0, offsetof({{type}}, exec_context.runtime_directory_preserve_mode)
{{type}}.RuntimeDirectoryMode, config_parse_mode, 0, offsetof({{type}}, exec_context.directories[EXEC_DIRECTORY_RUNTIME].mode)
const char *path_const; /* Memory allocated on stack or static */
MountMode mode;
bool ignore:1; /* Ignore if path does not exist? */
- bool has_prefix:1; /* Already is prefixed by the root dir? */
+ bool has_prefix:1; /* Already prefixed by the root dir? */
bool read_only:1; /* Shall this mount point be read-only? */
bool nosuid:1; /* Shall set MS_NOSUID on the mount itself */
bool noexec:1; /* Shall set MS_NOEXEC on the mount itself */
size_t n_mounts;
} MountList;
+static const BindMount bind_journal_sockets_table[] = {
+ { (char*) "/run/systemd/journal/socket", (char*) "/run/systemd/journal/socket", .read_only = true, .ignore_enoent = true },
+ { (char*) "/run/systemd/journal/stdout", (char*) "/run/systemd/journal/stdout", .read_only = true, .ignore_enoent = true },
+ { (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .ignore_enoent = true },
+};
+
/* If MountAPIVFS= is used, let's mount /sys, /proc, /dev and /run into the it, but only as a fallback if the user hasn't mounted
* something there already. These mounts are hence overridden by any other explicitly configured mounts. */
static const MountEntry apivfs_table[] = {
.read_only = true,
.source_malloc = TAKE_PTR(q),
};
+
+ } else if (p->bind_journal_sockets) {
+ r = append_bind_mounts(&ml, bind_journal_sockets_table, ELEMENTSOF(bind_journal_sockets_table));
+ if (r < 0)
+ return r;
}
/* Will be used to add bind mounts at runtime */
bool private_ipc;
bool mount_apivfs;
+ bool bind_journal_sockets;
bool mount_nosuid;
ProtectHome protect_home;
"ProtectClock",
"ProtectControlGroups",
"MountAPIVFS",
+ "BindJournalSockets",
"CPUSchedulingResetOnFork",
"LockPersonality",
"ProtectHostname",
projects / thirdparty / systemd.git / commitdiff
