[v249] make pid1 namespace code independent of umask #148
Merged
keszybz merged 5 commits into systemd:v249-stable from Jan 11, 2022
(cherry picked from commit 52f05ef)
(cherry picked from commit d73020f)
… umask Let's reset the umask during the whole namespace_setup() logic, so that all our mkdir() + mknod() are not subjected to whatever umask might currently be set. This mostly moves the umask save/restore logic out of mount_private_dev() and into the stack frame of namespace_setup() that is further out. Fixes #19899 (cherry picked from commit cdf42f9)
Let's make all code in namespace.c robust towards weird umask. This doesn't matter too much given that the parent dirs we deal with here almost certainly exist anyway, but let's clean this up anyway and make it fully clean. (cherry picked from commit 3044343)
Inspired by the test case described in #19899 (cherry picked from commit 875afa0)
On NixOS we have a special confinement mode which creates a chroot of all the individual store paths needed for the services as BindReadOnlyPaths. This works fine unless the services in question use a more restrictive UMask, which then gets applied to all the directories leading up to the mount point. We tracked this in NixOS/nixpkgs#147599 and after this got reported in systemd/systemd#21548, it turned out that the fix for this is already in the main branch.
In systemd/systemd#21548 (comment), we got pointed to systemd/systemd#21320 which indeed fixes our issue.
We do currently have a very limited workaround to address the issue, but it involves adding dummy tmpfs instances and doesn't work for all bind mounts.
In NixOS/nixpkgs#147639 (comment) the original reporter and I already had a discussion on how to proceed and while I'm not sure on what's the policy on backports, I decided to hereby propose to backport systemd/systemd#21320.
Cc: @martinetd
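The effect that the commit messages and the description above refer to, as an added example (not code from systemd or from this pull request): a directory requested as 0755 loses its group/other bits under an inherited umask of 0077, and keeps them when the umask is cleared around mkdir() and restored afterwards. The helper names, the /tmp location and the 0077 value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create "<tmpdir>/<name>" requesting mode 0755 and
 * return the permission bits the directory actually received, or -1 on
 * error. With reset_umask set, the umask is cleared around mkdir() and
 * put back afterwards, so the caller's umask is unchanged on return. */
static int mkdir_and_get_mode(const char *name, int reset_umask) {
        char base[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch dir */
        char path[256];
        struct stat st;
        mode_t saved = 0;
        int r = -1;

        if (!mkdtemp(base))
                return -1;
        snprintf(path, sizeof(path), "%s/%s", base, name);

        if (reset_umask)
                saved = umask(0000);              /* save and clear */
        if (mkdir(path, 0755) == 0 && stat(path, &st) == 0)
                r = (int) (st.st_mode & 0777);
        if (reset_umask)
                umask(saved);                     /* restore in all cases */

        rmdir(path);
        rmdir(base);
        return r;
}

/* Run the helper under a restrictive umask (0077, an assumed value standing
 * in for a service's UMask setting), then restore the previous umask. */
static int demo(int reset_umask) {
        mode_t old = umask(0077);
        int mode = mkdir_and_get_mode("mountpoint-parent", reset_umask);
        umask(old);
        return mode;
}

int main(void) {
        printf("inherited umask 0077: %04o\n", demo(0));
        printf("umask reset to 0000:  %04o\n", demo(1));
        return 0;
}
```

With the inherited umask, the parent directory of a mount point ends up traversable only by its owner, which is what breaks access to the bind-mounted paths for other users.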