代码拉取完成,页面将自动刷新
同步操作将从 yangshicheng/systemd 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From c789d2f457d2e160d00760aa3ecfd6883c64cf5f Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sat, 27 Nov 2021 12:51:39 +0200
Subject: [PATCH] namespace: allow ProcSubset=pid with some ProtectKernel
options
In case `/proc` is successfully mounted with pid tree subset only due to
`ProcSubset=pid`, the protective mounts for `ProtectKernelTunables=yes` and
`ProtectKernelLogs=yes` to non-pid `/proc` paths are failing because the paths
don't exist. But the pid only option may have failed gracefully (for example
because of ancient kernel), so let's try the mounts but it's not fatal if they
don't succeed.
(cherry picked from commit 788e720181aead8c85ba30fc7ec9a1455a865cbe)
Conflict:NA
Reference:https://github.com/systemd/systemd/commit/c789d2f457d2e160d00760aa3ecfd6883c64cf5f
---
src/core/namespace.c | 42 ++++++++++++++++++++++++++++++++++--------
1 file changed, 34 insertions(+), 8 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 9251871384..b933d46cf6 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -101,7 +101,7 @@ static const MountEntry apivfs_table[] = {
};
/* ProtectKernelTunables= option and the related filesystem APIs */
-static const MountEntry protect_kernel_tunables_table[] = {
+static const MountEntry protect_kernel_tunables_proc_table[] = {
{ "/proc/acpi", READONLY, true },
{ "/proc/apm", READONLY, true }, /* Obsolete API, there's no point in permitting access to this, ever */
{ "/proc/asound", READONLY, true },
@@ -116,6 +116,9 @@ static const MountEntry protect_kernel_tunables_table[] = {
{ "/proc/sys", READONLY, true },
{ "/proc/sysrq-trigger", READONLY, true },
{ "/proc/timer_stats", READONLY, true },
+};
+
+static const MountEntry protect_kernel_tunables_sys_table[] = {
{ "/sys", READONLY, false },
{ "/sys/fs/bpf", READONLY, true },
{ "/sys/fs/cgroup", READWRITE_IMPLICIT, false }, /* READONLY is set by ProtectControlGroups= option */
@@ -133,8 +136,11 @@ static const MountEntry protect_kernel_modules_table[] = {
};
/* ProtectKernelLogs= option */
-static const MountEntry protect_kernel_logs_table[] = {
+static const MountEntry protect_kernel_logs_proc_table[] = {
{ "/proc/kmsg", INACCESSIBLE, true },
+};
+
+static const MountEntry protect_kernel_logs_dev_table[] = {
{ "/dev/kmsg", INACCESSIBLE, true },
};
@@ -1554,9 +1560,11 @@ static size_t namespace_calculate_mounts(
(n_extension_images > 0 ? n_hierarchies + n_extension_images : 0) + /* Mount each image plus an overlay per hierarchy */
n_temporary_filesystems +
ns_info->private_dev +
- (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
+ (ns_info->protect_kernel_tunables ?
+ ELEMENTSOF(protect_kernel_tunables_proc_table) + ELEMENTSOF(protect_kernel_tunables_sys_table) : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
- (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
+ (ns_info->protect_kernel_logs ?
+ ELEMENTSOF(protect_kernel_logs_proc_table) + ELEMENTSOF(protect_kernel_logs_dev_table) : 0) +
(ns_info->protect_control_groups ? 1 : 0) +
protect_home_cnt + protect_system_cnt +
(ns_info->protect_hostname ? 2 : 0) +
@@ -2037,10 +2045,21 @@ int setup_namespace(
.flags = DEV_MOUNT_OPTIONS,
};
+ /* In case /proc is successfully mounted with pid tree subset only (ProcSubset=pid), the
+ protective mounts to non-pid /proc paths would fail. But the pid only option may have
+ failed gracefully, so let's try the mounts but it's not fatal if they don't succeed. */
+ bool ignore_protect_proc = ns_info->ignore_protect_paths || ns_info->proc_subset == PROC_SUBSET_PID;
if (ns_info->protect_kernel_tunables) {
r = append_static_mounts(&m,
- protect_kernel_tunables_table,
- ELEMENTSOF(protect_kernel_tunables_table),
+ protect_kernel_tunables_proc_table,
+ ELEMENTSOF(protect_kernel_tunables_proc_table),
+ ignore_protect_proc);
+ if (r < 0)
+ goto finish;
+
+ r = append_static_mounts(&m,
+ protect_kernel_tunables_sys_table,
+ ELEMENTSOF(protect_kernel_tunables_sys_table),
ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
@@ -2057,8 +2076,15 @@ int setup_namespace(
if (ns_info->protect_kernel_logs) {
r = append_static_mounts(&m,
- protect_kernel_logs_table,
- ELEMENTSOF(protect_kernel_logs_table),
+ protect_kernel_logs_proc_table,
+ ELEMENTSOF(protect_kernel_logs_proc_table),
+ ignore_protect_proc);
+ if (r < 0)
+ goto finish;
+
+ r = append_static_mounts(&m,
+ protect_kernel_logs_dev_table,
+ ELEMENTSOF(protect_kernel_logs_dev_table),
ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
--
2.33.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。