path: root/test/test-execute/exec-temporaryfilesystem-rw.service
author: Alan Jenkins <alan.christopher.jenkins@gmail.com> 2018-08-30 01:32:54 +0200
committer: Alan Jenkins <alan.christopher.jenkins@gmail.com> 2018-08-30 12:17:16 +0200
commit: 69338c3dfb13d5f5e2d8b7f66f785daab8cbe190 (patch)
tree: 145833b48f9ca85890c356bff3c52e441aba80de /test/test-execute/exec-temporaryfilesystem-rw.service
parent: Merge pull request #9950 from yuwata/macro-ref-unref (diff)
namespace: don't try to remount superblocks
We can't remount the underlying superblocks, if we are inside a user namespace and running Linux <= 4.17. We can only change the per-mount flags (MS_REMOUNT | MS_BIND). This type of mount() call can only change the per-mount flags, so we don't have to worry about passing the right string options now.

Fixes #9914 ("Since 1beab8b was merged, systemd has been failing to start systemd-resolved inside unprivileged containers" ... "Failed to re-mount '/run/systemd/unit-root/dev' read-only: Operation not permitted").

> It's basically my fault :-). I pointed out we could remount read-only
> without MS_BIND when reviewing the PR that added TemporaryFilesystem=,
> and poettering suggested to change PrivateDevices= at the same time.
> I think it's safe to change back, and I don't expect anyone will notice
> a difference in behaviour.
>
> It just surprised me to realize that
> `TemporaryFilesystem=/tmp:size=10M,ro,nosuid` would not apply `ro` to the
> superblock (underlying filesystem), like mount -osize=10M,ro,nosuid does.
> Maybe a comment could note the kernel version (v4.18), that lets you
> remount without MS_BIND inside a user namespace.

This makes the code longer and I guess this function is still ugly, sorry. One obstacle to cleaning it up is the interaction between `PrivateDevices=yes` and `ReadOnlyPaths=/dev`.

I've added a test for the existing behaviour, which I think is now the correct behaviour.
Diffstat (limited to 'test/test-execute/exec-temporaryfilesystem-rw.service')
0 files changed, 0 insertions, 0 deletions