core/namespace: stop applying mount options on private cgroupfs mount

author Mike Yuan <me@yhndnzj.com>

Sun, 16 Mar 2025 20:55:29 +0000 (21:55 +0100)

committer Mike Yuan <me@yhndnzj.com>

Sun, 30 Mar 2025 16:57:18 +0000 (18:57 +0200)
author Mike Yuan <me@yhndnzj.com>
Sun, 16 Mar 2025 20:55:29 +0000 (21:55 +0100)
committer Mike Yuan <me@yhndnzj.com>
Sun, 30 Mar 2025 16:57:18 +0000 (18:57 +0200)
diff --git a/src/core/namespace.c b/src/core/namespace.c

index 56a3f93c3ea7369425f6afe301a27db7bb13fc11..aecc827797fb1c2a6717354df25079a5b51f6aa3 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -26,7 +26,6 @@
  #include "loopback-setup.h"
  #include "missing_syscall.h"
  #include "mkdir-label.h"
-#include "mount-setup.h"
  #include "mount-util.h"
  #include "mountpoint-util.h"
  #include "namespace-util.h"
@@ -207,14 +206,14 @@ static const MountEntry protect_control_groups_yes_table[] = {
  };
  
  /* ProtectControlGroups=private table. Note mount_private_apivfs() always use MS_NOSUID|MS_NOEXEC|MS_NODEV so
- * flags is not set here. nsdelegate has been supported since kernels >= 4.13 so it is safe to use. */
+ * flags is not set here. */
  static const MountEntry protect_control_groups_private_table[] = {
-        { "/sys/fs/cgroup",      MOUNT_PRIVATE_CGROUP2FS, false, .read_only = false, .nosuid = true, .noexec = true, .options_const = "nsdelegate"  },
+        { "/sys/fs/cgroup",      MOUNT_PRIVATE_CGROUP2FS, false, .read_only = false },
  };
  
  /* ProtectControlGroups=strict table */
  static const MountEntry protect_control_groups_strict_table[] = {
-        { "/sys/fs/cgroup",      MOUNT_PRIVATE_CGROUP2FS, false, .read_only = true,  .nosuid = true, .noexec = true, .options_const = "nsdelegate"  },
+        { "/sys/fs/cgroup",      MOUNT_PRIVATE_CGROUP2FS, false, .read_only = true },
  };
  
  /* ProtectSystem=yes table */
@@ -338,7 +337,7 @@ static bool mount_entry_read_only(const MountEntry *p) {
  static bool mount_entry_noexec(const MountEntry *p) {
          assert(p);
  
-        return p->noexec || IN_SET(p->mode, MOUNT_NOEXEC, MOUNT_INACCESSIBLE, MOUNT_PRIVATE_SYSFS, MOUNT_BIND_SYSFS, MOUNT_PROCFS);
+        return p->noexec || IN_SET(p->mode, MOUNT_NOEXEC, MOUNT_INACCESSIBLE, MOUNT_PRIVATE_SYSFS, MOUNT_BIND_SYSFS, MOUNT_PROCFS, MOUNT_PRIVATE_CGROUP2FS);
  }
  
  static bool mount_entry_exec(const MountEntry *p) {
@@ -1375,18 +1374,9 @@ static int mount_private_sysfs(const MountEntry *m, const NamespaceParameters *p
  }
  
  static int mount_private_cgroup2fs(const MountEntry *m, const NamespaceParameters *p) {
-        _cleanup_free_ char *opts = NULL;
-
          assert(m);
          assert(p);
-
-        if (cgroupfs_recursiveprot_supported()) {
-                opts = strextend_with_separator(NULL, ",", mount_entry_options(m) ?: POINTER_MAX, "memory_recursiveprot");
-                if (!opts)
-                        return -ENOMEM;
-        }
-
-        return mount_private_apivfs("cgroup2", mount_entry_path(m), "/sys/fs/cgroup", opts ?: mount_entry_options(m), p->runtime_scope);
+        return mount_private_apivfs("cgroup2", mount_entry_path(m), "/sys/fs/cgroup", /* opts = */ NULL, p->runtime_scope);
  }
  
  static int mount_procfs(const MountEntry *m, const NamespaceParameters *p) {
diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c

index db963df39e6d4e2cd242d7431b6df4f2f7577992..c628c879420e2aa667f5f2b51c3782f5fc511e82 100644 (file)
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -52,7 +52,7 @@ typedef struct MountPoint {
          MountMode mode;
  } MountPoint;
  
-bool cgroupfs_recursiveprot_supported(void) {
+static bool cgroupfs_recursiveprot_supported(void) {
          int r;
  
          /* Added in kernel 5.7 */
diff --git a/src/shared/mount-setup.h b/src/shared/mount-setup.h

index c07fe86364d510861ab8f761e22a187c490067d1..34de1dad0beff3eff80722a9b4df149b0841505e 100644 (file)
--- a/src/shared/mount-setup.h
+++ b/src/shared/mount-setup.h
@@ -8,5 +8,3 @@ bool mount_point_ignore(const char *path);
  
  int mount_setup_early(void);
  int mount_setup(bool loaded_policy, bool leave_propagation);
-
-bool cgroupfs_recursiveprot_supported(void);
author	Mike Yuan <me@yhndnzj.com>
	Sun, 16 Mar 2025 20:55:29 +0000 (21:55 +0100)
committer	Mike Yuan <me@yhndnzj.com>
	Sun, 30 Mar 2025 16:57:18 +0000 (18:57 +0200)
src/core/namespace.c		patch \| blob \| blame \| history
src/shared/mount-setup.c		patch \| blob \| blame \| history
src/shared/mount-setup.h		patch \| blob \| blame \| history