From: Christian Brauner
Date: Fri, 21 Jan 2022 12:08:19 +0000 (+0100)
Subject: core/namespace: allow using ProtectSubset=pid and ProtectHostname=true together
X-Git-Tag: v251-rc1~465^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1361f015773e3b4d74e382edf1565f3315a3396b;p=thirdparty%2Fsystemd.git

core/namespace: allow using ProtectSubset=pid and ProtectHostname=true together

If a service requests both ProtectSubset=pid and ProtectHostname=true then it will currently fail to start. The ProcSubset=pid option instructs systemd to mount procfs for the service with subset=pid, which hides all entries other than /proc/. Consequently, trying to interact with the two files /proc/sys/kernel/{hostname,domainname} covered by ProtectHostname=true will fail.

Fix this by only performing this check when ProtectSubset=pid is not requested. Essentially ProtectSubset=pid implies/provides ProtectHostname=true.
---
diff --git a/src/core/namespace.c b/src/core/namespace.c index ecbd23833c6..e55e9df702c 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -2157,14 +2157,19 @@ int setup_namespace( goto finish; } + /* Note, if proc is mounted with subset=pid then neither of the + * two paths will exist, i.e. they are implicitly protected by + * the mount option. */ if (ns_info->protect_hostname) { *(m++) = (MountEntry) { .path_const = "/proc/sys/kernel/hostname", .mode = READONLY, + .ignore = ignore_protect_proc, }; *(m++) = (MountEntry) { .path_const = "/proc/sys/kernel/domainname", .mode = READONLY, + .ignore = ignore_protect_proc, }; }
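Review bot: The hunk and the commit message disagree about the mechanism: the message says the hostname check is skipped "when ProtectSubset=pid is not requested", but the code still adds both MountEntry records unconditionally and instead sets `.ignore = ignore_protect_proc` on them, so the read-only bind mount is attempted and its failure tolerated rather than the entries being omitted. Please align the message with the code, and since `ignore_protect_proc` is not defined within this hunk, confirm it is true only when the procfs is actually mounted with subset=pid; if it is ever true on a full procfs, a failed read-only mount of /proc/sys/kernel/hostname or /proc/sys/kernel/domainname would be silently ignored and the service would start without the protection ProtectHostname=true promises. Also, the message (and subject) write "ProtectSubset=pid" while the body and the added comment refer to the option as ProcSubset=/subset=pid; the option name should be consistent.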