加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch 6.21 KB
一键复制 编辑 原始数据 按行查看 历史
From c789d2f457d2e160d00760aa3ecfd6883c64cf5f Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sat, 27 Nov 2021 12:51:39 +0200
Subject: [PATCH] namespace: allow ProcSubset=pid with some ProtectKernel
options
In case `/proc` is successfully mounted with pid tree subset only due to
`ProcSubset=pid`, the protective mounts for `ProtectKernelTunables=yes` and
`ProtectKernelLogs=yes` to non-pid `/proc` paths are failing because the paths
don't exist. But the pid only option may have failed gracefully (for example
because of ancient kernel), so let's try the mounts but it's not fatal if they
don't succeed.
(cherry picked from commit 788e720181aead8c85ba30fc7ec9a1455a865cbe)
Conflict:NA
Reference:https://github.com/systemd/systemd/commit/c789d2f457d2e160d00760aa3ecfd6883c64cf5f
---
src/core/namespace.c | 42 ++++++++++++++++++++++++++++++++++--------
1 file changed, 34 insertions(+), 8 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 9251871384..b933d46cf6 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -101,7 +101,7 @@ static const MountEntry apivfs_table[] = {
};
/* ProtectKernelTunables= option and the related filesystem APIs */
-static const MountEntry protect_kernel_tunables_table[] = {
+static const MountEntry protect_kernel_tunables_proc_table[] = {
{ "/proc/acpi", READONLY, true },
{ "/proc/apm", READONLY, true }, /* Obsolete API, there's no point in permitting access to this, ever */
{ "/proc/asound", READONLY, true },
@@ -116,6 +116,9 @@ static const MountEntry protect_kernel_tunables_table[] = {
{ "/proc/sys", READONLY, true },
{ "/proc/sysrq-trigger", READONLY, true },
{ "/proc/timer_stats", READONLY, true },
+};
+
+static const MountEntry protect_kernel_tunables_sys_table[] = {
{ "/sys", READONLY, false },
{ "/sys/fs/bpf", READONLY, true },
{ "/sys/fs/cgroup", READWRITE_IMPLICIT, false }, /* READONLY is set by ProtectControlGroups= option */
@@ -133,8 +136,11 @@ static const MountEntry protect_kernel_modules_table[] = {
};
/* ProtectKernelLogs= option */
-static const MountEntry protect_kernel_logs_table[] = {
+static const MountEntry protect_kernel_logs_proc_table[] = {
{ "/proc/kmsg", INACCESSIBLE, true },
+};
+
+static const MountEntry protect_kernel_logs_dev_table[] = {
{ "/dev/kmsg", INACCESSIBLE, true },
};
@@ -1554,9 +1560,11 @@ static size_t namespace_calculate_mounts(
(n_extension_images > 0 ? n_hierarchies + n_extension_images : 0) + /* Mount each image plus an overlay per hierarchy */
n_temporary_filesystems +
ns_info->private_dev +
- (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
+ (ns_info->protect_kernel_tunables ?
+ ELEMENTSOF(protect_kernel_tunables_proc_table) + ELEMENTSOF(protect_kernel_tunables_sys_table) : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
- (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
+ (ns_info->protect_kernel_logs ?
+ ELEMENTSOF(protect_kernel_logs_proc_table) + ELEMENTSOF(protect_kernel_logs_dev_table) : 0) +
(ns_info->protect_control_groups ? 1 : 0) +
protect_home_cnt + protect_system_cnt +
(ns_info->protect_hostname ? 2 : 0) +
@@ -2037,10 +2045,21 @@ int setup_namespace(
.flags = DEV_MOUNT_OPTIONS,
};
+ /* In case /proc is successfully mounted with pid tree subset only (ProcSubset=pid), the
+ protective mounts to non-pid /proc paths would fail. But the pid only option may have
+ failed gracefully, so let's try the mounts but it's not fatal if they don't succeed. */
+ bool ignore_protect_proc = ns_info->ignore_protect_paths || ns_info->proc_subset == PROC_SUBSET_PID;
if (ns_info->protect_kernel_tunables) {
r = append_static_mounts(&m,
- protect_kernel_tunables_table,
- ELEMENTSOF(protect_kernel_tunables_table),
+ protect_kernel_tunables_proc_table,
+ ELEMENTSOF(protect_kernel_tunables_proc_table),
+ ignore_protect_proc);
+ if (r < 0)
+ goto finish;
+
+ r = append_static_mounts(&m,
+ protect_kernel_tunables_sys_table,
+ ELEMENTSOF(protect_kernel_tunables_sys_table),
ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
@@ -2057,8 +2076,15 @@ int setup_namespace(
if (ns_info->protect_kernel_logs) {
r = append_static_mounts(&m,
- protect_kernel_logs_table,
- ELEMENTSOF(protect_kernel_logs_table),
+ protect_kernel_logs_proc_table,
+ ELEMENTSOF(protect_kernel_logs_proc_table),
+ ignore_protect_proc);
+ if (r < 0)
+ goto finish;
+
+ r = append_static_mounts(&m,
+ protect_kernel_logs_dev_table,
+ ELEMENTSOF(protect_kernel_logs_dev_table),
ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
--
2.33.0
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化