[OE-core] [PATCH v3] systemd: re-enable mount propagation for udevd

Hongzhi, Song hongzhi.song at windriver.com
Fri Feb 23 04:52:05 UTC 2018


What do you mean "it only happens with libseccomp"? I have tried to enable or
disable seccomp via CONFIG_SECCOMP, but the results were the same unless I set
MountFlags=shared.

Without the propagation patch, all block devices, such as '/dev/sda*', mounted by
systemd-udev are inaccessible to the outside namespace, which means the root user
can't use '/dev/sda*'. Do you have any suggestions for me?

Thanks.



On 22 February 2018 22:25, Burton, Ross wrote:
> We used to have this but it was removed in the 232 upgrade:
>
>     * Drop mount propagation patch, it only happens with libseccomp, OE doesn't
>       enable it
>
> Is this not the case?  Or are you enabling seccomp?  Maybe this should be a
> bbappend in meta-security?
>
> Ross
>
> On 22 February 2018 at 14:15, Hongzhi.Song <hongzhi.song at windriver.com> wrote:
>
>     MountFlags's default value is shared in systemd-udevd.service. But upstream
>     sets MountFlags to slave just for keeping mounts done by udev private to
>     udevd, which causes block devices mounted by udev to be invisible to, but
>     busy for, the host. So we revert it to shared to be propagated to the host.
>
>     Signed-off-by: Hongzhi.Song <hongzhi.song at windriver.com>
>     ---
>      ...evd-re-enable-mount-propagation-for-udevd.patch | 33
>     ++++++++++++++++++++++
>      meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
>              |  1 +
>      2 files changed, 34 insertions(+)
>      create mode 100644
>     meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>
>     diff --git
>     a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>     b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>     new file mode 100644
>     index 0000000000..fce7bdd796
>     --- /dev/null
>     +++
>     b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>     @@ -0,0 +1,33 @@
>     +From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00
>     2001
>     +From: "Hongzhi.Song" <hongzhi.song at windriver.com
>     <mailto:hongzhi.song at windriver.com>>
>     +Date: Mon, 19 Feb 2018 20:43:02 -0500
>     +Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
>     +
>     +Upstream-Status: Inappropriate [embedded specific]
>     +
>     +Change the mount propagation flag from MountFlags=slave to
>     MountFlags=shared
>     +(default). Use shared to ensure that mounts and unmounts are
>     propagated from
>     +systemd's namespace to the service's namespace and vice versa,
>     while use slave
>     +to run processes so that none of their mounts and unmounts will
>     propagate to
>     +the host.
>     +
>     +Signed-off-by: Hongzhi.Song <hongzhi.song at windriver.com
>     <mailto:hongzhi.song at windriver.com>>
>     +---
>     + units/systemd-udevd.service.in <http://systemd-udevd.service.in>
>     | 1 -
>     + 1 file changed, 1 deletion(-)
>     +
>     +diff --git a/units/systemd-udevd.service.in
>     <http://systemd-udevd.service.in> b/units/systemd-udevd.service.in
>     <http://systemd-udevd.service.in>
>     +index fc037b5..841d7a8 100644
>     +--- a/units/systemd-udevd.service.in
>     <http://systemd-udevd.service.in>
>     ++++ b/units/systemd-udevd.service.in
>     <http://systemd-udevd.service.in>
>     +@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
>     + KillMode=mixed
>     + WatchdogSec=3min
>     + TasksMax=infinity
>     +-MountFlags=slave
>     + MemoryDenyWriteExecute=yes
>     + RestrictRealtime=yes
>     + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
>     +--
>     +2.8.1
>     +
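Review bot: the commit message ("Change the mount propagation flag from MountFlags=slave to MountFlags=shared (default)") names the mechanism but not the trade-off: MountFlags=slave is one of the sandboxing settings in this unit, alongside MemoryDenyWriteExecute=yes and RestrictAddressFamilies=, and it keeps anything udevd or the programs it spawns mount from reaching the host namespace; deleting the line removes that isolation for every image built from this recipe. Please state in the message why udevd's mounts must reach the host (the inaccessible '/dev/sda*' case from the thread) and what hardening is given up, and note explicitly that the hunk only removes MountFlags=slave and relies on the default rather than writing MountFlags=shared. The Upstream-Status tag "Inappropriate [embedded specific]" also deserves a second look: mount propagation for udevd is a generic systemd policy choice rather than something embedded-specific, so either justify the tag or raise the question upstream.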
>     diff --git a/meta/recipes-core/systemd/systemd_234.bb
>     <http://systemd_234.bb> b/meta/recipes-core/systemd/systemd_234.bb
>     <http://systemd_234.bb>
>     index babc351cc8..42f4f1ec76 100644
>     --- a/meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
>     +++ b/meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
>     @@ -32,6 +32,7 @@ SRC_URI += " \
>                
>     file://0001-main-skip-many-initialization-steps-when-running-in-.patch
>     \
>                 file://CVE-2017-18078.patch \
>                
>     file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch \
>     +         
>     file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch \
>                 "
>      SRC_URI_append_qemuall = "
>     file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
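Review bot: the new SRC_URI entry applies the propagation change to every systemd build, while the thread itself leaves open whether it is needed in all configurations (Ross suggests a bbappend in meta-security); if the patch stays, consider scoping it, for instance through a PACKAGECONFIG or distro-feature guard or a bbappend in the layer that needs it, so the default udevd unit keeps its upstream MountFlags=slave sandboxing. The commit message should also mention that this re-adds a patch that was deliberately dropped in the 232 upgrade and why that reasoning no longer holds.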
>
>     --
>     2.13.3
>
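Whether the host can see udevd's mounts depends on the propagation type of the mounts in udevd's mount namespace, which the kernel reports in the optional fields of /proc/<pid>/mountinfo ("shared:N", "master:N", "unbindable"). The script below is an added example, not part of this thread or of systemd/OE-core, that classifies a mountinfo record and, on a live system, reports the propagation of a service's root mount; it assumes `systemctl show -p MainPID --value` is available, and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify mount propagation from a
# /proc/<pid>/mountinfo record. Fields 1-6 are mount ID, parent ID,
# major:minor, root, mount point and options; the optional fields that
# follow, up to the "-" separator, carry the propagation tags (see proc(5)).
propagation_of_line() {
    set -- $1                      # word-split the record into fields (intended)
    [ $# -ge 7 ] || { echo unknown; return 1; }
    shift 6                        # skip the six fixed leading fields
    shared=0; slave=0; unbind=0
    for f in "$@"; do
        [ "$f" = "-" ] && break    # end of the optional fields
        case $f in
            shared:*)   shared=1 ;;   # peer group: mounts propagate out
            master:*)   slave=1 ;;    # receives from a master, sends nothing
            unbindable) unbind=1 ;;
        esac
    done
    if   [ "$unbind" = 1 ]; then echo unbindable
    elif [ "$shared" = 1 ] && [ "$slave" = 1 ]; then echo shared-slave
    elif [ "$shared" = 1 ]; then echo shared
    elif [ "$slave" = 1 ]; then echo slave
    else echo private
    fi
}

# Live check (assumes systemctl and /proc): propagation of "/" as seen by the
# main process of a unit, e.g. service_root_propagation systemd-udevd.service.
# With MountFlags=slave this reports "slave": host mounts flow in, udevd's do
# not flow out, which is the behaviour the thread describes.
service_root_propagation() {
    pid=$(systemctl show -p MainPID --value "$1") || return 1
    [ "$pid" -gt 0 ] 2>/dev/null || return 1
    while read -r line; do
        set -- $line
        [ "$5" = "/" ] && { propagation_of_line "$line"; return 0; }
    done < "/proc/$pid/mountinfo"
    return 1
}

# Constructed sample records, not captured from a real system.
SAMPLE_SHARED='36 35 98:0 / / rw,noatime shared:1 - ext4 /dev/sda1 rw'
SAMPLE_SLAVE='36 35 98:0 / / rw,noatime master:1 - ext4 /dev/sda1 rw'
propagation_of_line "$SAMPLE_SHARED"   # shared: mounts are visible to the host
propagation_of_line "$SAMPLE_SLAVE"    # slave: mounts stay private to the namespace
```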
