]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b63dae3)
man: specify that ProtectProc= does not work with root/cap_sys_ptrace
authorLuca Boccassi <bluca@debian.org>
Sun, 14 Mar 2021 12:36:15 +0000 (12:36 +0000)
committerLuca Boccassi <luca.boccassi@gmail.com>
Mon, 15 Mar 2021 16:53:16 +0000 (16:53 +0000)
When using hidepid=invisible on procfs, the kernel will check if the
gid of the process trying to access /proc is the same as the gid of
the process that mounted the /proc instance, or if it has the ptrace
capability:

https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723
https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155

Given we set up the /proc instance as root for system services,
The same restriction applies to CAP_SYS_PTRACE, if a process runs with
it then hidepid=invisible has no effect.

ProtectProc effectively can only be used with User= or DynamicUser=yes,
without CAP_SYS_PTRACE.
Update the documentation to explicitly state these limitations.

Fixes #18997

man/systemd.exec.xml patch | blob | blame | history

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 8d4e1143e3e0c71f776477d9131452a5db561a11..5bb9af3e7da63682a8dd0affde0b04590d7fb6ea 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -285,8 +285,11 @@
         Filesystem</ulink>. It is generally recommended to run most system services with this option set to
         <literal>invisible</literal>. This option is implemented via file system namespacing, and thus cannot
         be used with services that shall be able to install mount points in the host file system
-        hierarchy. It also cannot be used for services that need to access metainformation about other users'
-        processes. This option implies <varname>MountAPIVFS=</varname>.</para>
+        hierarchy. Note that the root user is unaffected by this option, so to be effective it has to be used
+        together with <varname>User=</varname> or <varname>DynamicUser=yes</varname>, and also without the
+        <literal>CAP_SYS_PTRACE</literal> capability, which also allows a process to bypass this feature. It
+        cannot be used for services that need to access metainformation about other users' processes. This
+        option implies <varname>MountAPIVFS=</varname>.</para>
 
         <para>If the kernel doesn't support per-mount point <option>hidepid=</option> mount options this
         setting remains without effect, and the unit's processes will be able to access and see other process
Unnamed repository; edit this file 'description' to name the repository.