Forked from pkg / systemd (105 commits behind the upstream repository)
Michael Biebl authored
systemd (241-7~deb10u2) buster; urgency=medium

  * core: never propagate reload failure to service result.
    Fixes a regression introduced in v239 where the main process of a
    service unit gets killed on reload if ExecReload fails. (Closes: #936032)
  * shared/seccomp: add sync_file_range2.
    Some architectures need the arguments to be reordered because of
    alignment issues. Otherwise, it's the same as sync_file_range.
    Fixes sync_file_range failures in nspawn containers on arm, ppc.
    (Closes: #935091)
  * core: factor root_directory application out of apply_working_directory.
    Fixes RootDirectory not working when used in combination with User.
    (Closes: #939408)
  * shared/bus-util: drop trusted annotation from
    bus_open_system_watch_bind_with_description().
    This ensures that access controls on systemd-resolved's D-Bus interface
    are enforced properly. (CVE-2019-15718, Closes: #939353)
  * login: add a missing error check for session_set_leader()
    Fixes assertion due to insufficient function return check.
    (Closes: #939998)
  * d/e/r/73-usb-net-by-mac.rules: import net.ifnames only for network
    devices (Closes: #934589)
  * d/e/r/73-usb-net-by-mac.rules: skip if iface name was provided by
    user-space
  * namespace: make MountFlags=shared work again (Closes: #939551)
  * mount/generators: do not make unit wanted by its device unit.
    Among other things, this fixes StopWhenUnneeded=true being broken for
    mount units. (Closes: #941758)
namespace-make-MountFlags-shared-work-again.patch 2.08 KiB
From: Franck Bui <fbui@suse.com>
Date: Wed, 13 Feb 2019 18:45:36 +0100
Subject: namespace: make MountFlags=shared work again
Since commit 0722b359342d2a9f9e0d453875624387a0ba1be2, the root mountpoint is
unconditionally turned to slave which breaks units that are explicitly using
MountFlags=shared (and no other options that would implicitly require a slave
root mountpoint).
Here is a test case:
$ systemctl cat test-shared-mount-flag.service
# /etc/systemd/system/test-shared-mount-flag.service
[Service]
Type=simple
ExecStartPre=/usr/bin/mkdir -p /mnt/tmp
ExecStart=/bin/sh -c "/usr/bin/mount -t tmpfs -o size=10M none /mnt/tmp && sleep infinity"
ExecStop=-/bin/sh -c "/usr/bin/umount /mnt/tmp"
MountFlags=shared
$ systemctl start test-shared-mount-flag.service
$ findmnt /mnt/tmp
$
Mount on /mnt/tmp is not visible from the host although MountFlags=shared was
used.
This patch fixes that and turns the root mountpoint to slave when it's really
required.
(cherry picked from commit 37ed15d7edaf59a1fc7c9e3552cd93a83f3814ef)
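The quickest way to tell whether a unit's root really ended up shared or slave is to look at the optional fields of the unit's /proc/<pid>/mountinfo, which is also what findmnt reads. The following is an added example, not part of this patch or of systemd's own code: it parses that format and reports the propagation ("shared", "slave", "shared,slave", "private") of a given mount point. The mountinfo lines embedded in it are constructed samples; the function and constant names (mountinfo_propagation, PROP_*) are my own. To inspect the real unit, run it as `./mountinfo_prop /proc/$(systemctl show -p MainPID --value test-shared-mount-flag.service)/mountinfo /`.

```c
/* mountinfo_prop.c: report the mount propagation of one mount point from
 * text in the /proc/<pid>/mountinfo format (added example, not systemd code).
 *
 * Line layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
 * The optional fields carry propagation: shared:N, master:N, propagate_from:N, unbindable.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define PROP_SHARED     (1u << 0)   /* shared:N present          */
#define PROP_SLAVE      (1u << 1)   /* master:N present (slave)  */
#define PROP_UNBINDABLE (1u << 2)   /* "unbindable" present      */
#define PROP_NOTFOUND   0xffu       /* mount point not in input  */

/* Constructed sample inputs (hypothetical ids and devices). */
static const char SAMPLE_HOST[] =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "23 22 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,size=1M\n"
    "24 22 0:46 / /mnt/with\\040space rw,relatime shared:3 master:1 - tmpfs none rw\n";

/* What a service root looks like when systemd made it slave: the tmpfs
 * mounted by the service below it gets no peer group and stays private. */
static const char SAMPLE_SERVICE_SLAVE[] =
    "350 349 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw\n"
    "351 350 0:45 / /mnt/tmp rw,relatime - tmpfs none rw,size=10240k\n";

/* The kernel escapes space, tab, newline and backslash in path fields as \ooo. */
static void unescape_octal(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    while (*in && o + 1 < outsz) {
        if (in[0] == '\\' && in[1] >= '0' && in[1] <= '7' &&
            in[2] >= '0' && in[2] <= '7' && in[3] >= '0' && in[3] <= '7') {
            out[o++] = (char)(((in[1] - '0') << 6) | ((in[2] - '0') << 3) | (in[3] - '0'));
            in += 4;
        } else {
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
}

/* Propagation bits of one line if its mount point equals target, else PROP_NOTFOUND. */
static unsigned mountinfo_line_propagation(const char *line, const char *target)
{
    char buf[4096], mp[4096], *save = NULL;
    const char *f[6];

    if (strlen(line) >= sizeof buf)
        return PROP_NOTFOUND;
    strcpy(buf, line);

    for (int i = 0; i < 6; i++) {                 /* the six fixed fields */
        f[i] = strtok_r(i == 0 ? buf : NULL, " \t", &save);
        if (!f[i])
            return PROP_NOTFOUND;
    }
    unescape_octal(f[4], mp, sizeof mp);          /* f[4] is the mount point */
    if (strcmp(mp, target) != 0)
        return PROP_NOTFOUND;

    unsigned prop = 0;                            /* no optional field = private */
    const char *tok;
    while ((tok = strtok_r(NULL, " \t", &save)) && strcmp(tok, "-") != 0) {
        if (strncmp(tok, "shared:", 7) == 0)
            prop |= PROP_SHARED;
        else if (strncmp(tok, "master:", 7) == 0)
            prop |= PROP_SLAVE;
        else if (strcmp(tok, "unbindable") == 0)
            prop |= PROP_UNBINDABLE;
        /* propagate_from:N is informational only and is ignored here */
    }
    return prop;
}

/* Scan a whole mountinfo text; first line whose mount point matches wins. */
static unsigned mountinfo_propagation(const char *text, const char *target)
{
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[4096];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            unsigned r = mountinfo_line_propagation(line, target);
            if (r != PROP_NOTFOUND)
                return r;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return PROP_NOTFOUND;
}

/* Same spelling findmnt uses in its PROPAGATION column. */
static const char *propagation_string(unsigned prop)
{
    if (prop == PROP_NOTFOUND)
        return "not found";
    switch (prop & (PROP_SHARED | PROP_SLAVE | PROP_UNBINDABLE)) {
    case 0:                         return "private";
    case PROP_SHARED:               return "shared";
    case PROP_SLAVE:                return "slave";
    case PROP_SHARED | PROP_SLAVE:  return "shared,slave";
    case PROP_UNBINDABLE:           return "private,unbindable";
    default:                        return "unbindable";
    }
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/mountinfo";
    const char *target = argc > 2 ? argv[2] : "/";
    static char text[1 << 16];

    FILE *fp = fopen(path, "r");
    if (!fp) {
        perror(path);
        return 1;
    }
    size_t n = fread(text, 1, sizeof text - 1, fp);
    fclose(fp);
    text[n] = '\0';

    unsigned prop = mountinfo_propagation(text, target);
    printf("%s: %s\n", target, propagation_string(prop));
    return prop == PROP_NOTFOUND ? 2 : 0;
}
```

With the fix applied and only MountFlags=shared set, the service shares the host's mount namespace, so its / reports the same peer group as the host's (shared); before the fix, or whenever another sandboxing option forces a namespace, / reports slave and anything the service mounts beneath it stays private, which is exactly the "not visible from the host" symptom above.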
---
src/core/execute.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index 47518f4..f2a4c54 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1839,7 +1839,7 @@ static bool exec_needs_mount_namespace(
if (context->n_temporary_filesystems > 0)
return true;
- if (context->mount_flags != 0)
+ if (!IN_SET(context->mount_flags, 0, MS_SHARED))
return true;
if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
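Review bot: the new `if (!IN_SET(context->mount_flags, 0, MS_SHARED))` line needs a comment explaining why MS_SHARED is deliberately treated like "no flag": a unit whose only namespacing setting is MountFlags=shared now gets no mount namespace at all and runs against the host's mount table, which is what makes the mount in the test case visible, but a reader of exec_needs_mount_namespace() could just as easily take it for MS_SHARED being dropped on the floor. The same point belongs in the MountFlags= text of systemd.exec(5): shared is only honoured when none of the other settings checked in this function (temporary filesystems, PrivateTmp with a runtime directory, and so on) forces a namespace, since any of the earlier `return true` paths wins.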
@@ -2435,6 +2435,9 @@ static int apply_mount_namespace(
else
ns_info = (NamespaceInfo) {};
+ if (context->mount_flags == MS_SHARED)
+ log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
+
r = setup_namespace(root_dir, root_image,
&ns_info, context->read_write_paths,
needs_sandboxing ? context->read_only_paths : NULL,
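Review bot: the new message in apply_mount_namespace() is only log_unit_debug(), so an administrator who explicitly wrote MountFlags=shared and also enabled another sandboxing option loses shared propagation without any trace in a default journal and is left with the same "mount not visible from the host" puzzle this patch describes. A log_unit_warning() here, or a one-time notice when the unit is loaded, would say why. The wording "ignoring" should also match what the code does: nothing in this hunk clears context->mount_flags before setup_namespace() is called, so either state that the root is made slave regardless of the setting, or actually drop the flag at this point.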