[OE-core] [PATCH v3] systemd: re-enable mount propagation for udevd
Hongzhi, Song
hongzhi.song at windriver.com
Fri Feb 23 04:52:05 UTC 2018
What do you mean by "it only happens with libseccomp"? I have tried enabling and disabling seccomp via CONFIG_SECCOMP, but the results were the same unless I set MountFlags=shared.
Without the propagation patch, all block devices, such as '/dev/sda*', mounted by systemd-udev are inaccessible to the outside namespace, which means the root user can't use '/dev/sda*'. Do you have any suggestions for me?
Thanks.
On 2018-02-22 22:25, Burton, Ross wrote:
> We used to have this but it was removed in the 232 upgrade:
>
> * Drop mount propagation patch, it only happens with libseccomp, OE doesn't enable it
>
> Is this not the case? Or are you enabling seccomp? Maybe this should be a bbappend in meta-security?
>
> Ross
>
> On 22 February 2018 at 14:15, Hongzhi.Song <hongzhi.song at windriver.com> wrote:
>
> The default value of MountFlags is shared in systemd-udevd.service. But upstream sets MountFlags to slave just to keep mounts done by udev private to udevd, which causes block devices mounted by udev to be invisible to the host while still being busy for it. So we revert it to shared so that they are propagated to the host.
>
> Signed-off-by: Hongzhi.Song <hongzhi.song at windriver.com>
> ---
> ...evd-re-enable-mount-propagation-for-udevd.patch | 33
> ++++++++++++++++++++++
> meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
> | 1 +
> 2 files changed, 34 insertions(+)
> create mode 100644
> meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>
> diff --git
> a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> new file mode 100644
> index 0000000000..fce7bdd796
> --- /dev/null
> +++
> b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> @@ -0,0 +1,33 @@
> +From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00
> 2001
> +From: "Hongzhi.Song" <hongzhi.song at windriver.com
> <mailto:hongzhi.song at windriver.com>>
> +Date: Mon, 19 Feb 2018 20:43:02 -0500
> +Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +Change the mount propagation flag from MountFlags=slave to
> MountFlags=shared
> +(default). Use shared to ensure that mounts and unmounts are
> propagated from
> +systemd's namespace to the service's namespace and vice versa,
> while use slave
> +to run processes so that none of their mounts and unmounts will
> propagate to
> +the host.
> +
> +Signed-off-by: Hongzhi.Song <hongzhi.song at windriver.com
> <mailto:hongzhi.song at windriver.com>>
> +---
> + units/systemd-udevd.service.in <http://systemd-udevd.service.in>
> | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/units/systemd-udevd.service.in
> <http://systemd-udevd.service.in> b/units/systemd-udevd.service.in
> <http://systemd-udevd.service.in>
> +index fc037b5..841d7a8 100644
> +--- a/units/systemd-udevd.service.in
> <http://systemd-udevd.service.in>
> ++++ b/units/systemd-udevd.service.in
> <http://systemd-udevd.service.in>
> +@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
> + KillMode=mixed
> + WatchdogSec=3min
> + TasksMax=infinity
> +-MountFlags=slave
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> +--
> +2.8.1
> +
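Review bot: the embedded patch header says the change is from MountFlags=slave to MountFlags=shared (default), but the hunk at `-MountFlags=slave` only deletes the line and leaves the mode to whatever the default happens to be; writing `MountFlags=shared` explicitly would record the intent in the unit and survive a future change of default. The same header notes that with shared, mounts and unmounts propagate in both directions, and the cover letter says upstream chose slave deliberately to keep udev's mounts private to udevd, so the `Upstream-Status: Inappropriate [embedded specific]` line should be backed by a sentence on why the host must see those mounts on OE targets, so that a later reader does not take this for an accidental loss of a sandboxing setting.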
> diff --git a/meta/recipes-core/systemd/systemd_234.bb
> <http://systemd_234.bb> b/meta/recipes-core/systemd/systemd_234.bb
> <http://systemd_234.bb>
> index babc351cc8..42f4f1ec76 100644
> --- a/meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
> +++ b/meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
> @@ -32,6 +32,7 @@ SRC_URI += " \
>
> file://0001-main-skip-many-initialization-steps-when-running-in-.patch
> \
> file://CVE-2017-18078.patch \
>
> file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch \
> +
> file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch \
> "
> SRC_URI_append_qemuall = "
> file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
>
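Review bot: the neighbouring entries in SRC_URI use the `0001-...` prefix produced by git format-patch, while the new `file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch` does not; renaming it for consistency keeps patch ordering predictable. As Ross asked up-thread, adding it unconditionally to the base recipe applies the relaxed MountFlags to every OE build of systemd; if only some configurations need host-visible udev mounts, a bbappend or an opt-in setting would scope it.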
> --
> 2.13.3
>
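Checking which propagation mode a service's namespace actually has, as an added example that is not part of the patch or the thread: the parser below reads the optional fields of /proc/<pid>/mountinfo, and the sample lines are constructed to mirror a udevd run with MountFlags=slave.

```shell
# Added example (not from the patch or the thread). Classify the mount
# propagation of one mount point from a /proc/<pid>/mountinfo stream on stdin.
# Field 5 is the mount point; fields from 7 up to the "-" separator are the
# optional tags: "shared:N" = member of peer group N, "master:N" = slave of
# peer group N, "unbindable"; no tag at all means private.
# Live usage (assumes systemctl >= 230 for --value; run as root):
#   propagation_of / < "/proc/$(systemctl show -p MainPID --value systemd-udevd)/mountinfo"
propagation_of() {
    awk -v target="$1" '
        $5 == target {
            shared = 0; slave = 0; unbind = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                if ($i ~ /^master:/) slave = 1
                if ($i == "unbindable") unbind = 1
            }
            if (unbind)               print "unbindable"
            else if (shared && slave) print "shared+slave"
            else if (shared)          print "shared"
            else if (slave)           print "slave"
            else                      print "private"
            found = 1; exit
        }
        END { if (!found) print "absent" }
    '
}

# Constructed sample of a service namespace created with MountFlags=slave:
# "/" is a slave of the host peer group, /dev is shared+slave, and a mount
# the service made itself (/media/usb) carries no tag, i.e. it is private and
# will never propagate back to the host. That is the symptom the thread describes.
SAMPLE_MOUNTINFO='21 1 8:2 / / rw,relatime master:1 - ext4 /dev/sda2 rw
22 21 0:5 / /dev rw,nosuid shared:2 master:3 - devtmpfs devtmpfs rw
40 21 8:1 / /media/usb rw,relatime - ext4 /dev/sda1 rw'

printf '%s\n' "$SAMPLE_MOUNTINFO" | propagation_of /           # slave
printf '%s\n' "$SAMPLE_MOUNTINFO" | propagation_of /media/usb  # private
```

Under MountFlags=shared the same check on a udevd-made mount reports "shared", which is exactly the visibility this patch trades for the loss of the slave sandbox.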