authorYu Watanabe <watanabe.yu+github@gmail.com>2021-01-21 13:16:59 +0900
committerGitHub <noreply@github.com>2021-01-21 13:16:59 +0900
commit33f7b61ca59f9e002ee79bacd498a36eab20e6e9 (patch)
treec31f7b52e7b104d6d34fc0d06c560736599a9cc1
parent9807fdc1da8e037ddedfa4e2c6d2728b6e60051e (diff)
parentfe239c7d7d6227209234100f4e0a36dd952a5587 (diff)
Merge pull request #18329 from poettering/notify-chroot
chroot/sd_notify() fixes
-rw-r--r--man/systemd.exec.xml14
-rw-r--r--src/core/execute.c1
-rw-r--r--src/core/execute.h2
-rw-r--r--src/core/namespace.c20
-rw-r--r--src/core/namespace.h1
-rw-r--r--src/core/service.c5
-rw-r--r--src/portable/profile/default/service.conf2
-rw-r--r--src/portable/profile/nonetwork/service.conf2
-rw-r--r--src/portable/profile/strict/service.conf2
-rw-r--r--src/portable/profile/trusted/service.conf1
-rw-r--r--src/test/test-namespace.c1
-rw-r--r--src/test/test-ns.c1
12 files changed, 40 insertions, 12 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 663b15fa60..8f00ef555e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -117,6 +117,20 @@
<para>The <varname>MountAPIVFS=</varname> and <varname>PrivateUsers=</varname> settings are particularly useful
in conjunction with <varname>RootDirectory=</varname>. For details, see below.</para>
+ <para>If <varname>RootDirectory=</varname>/<varname>RootImage=</varname> are used together with
+ <varname>NotifyAccess=</varname> the notification socket is automatically mounted from the host into
+ the root environment, to ensure the notification interface can work correctly.</para>
+
+ <para>Note that services using <varname>RootDirectory=</varname>/<varname>RootImage=</varname> will
+ not be able to log via the syslog or journal protocols to the host logging infrastructure, unless the
+ relevant sockets are mounted from the host, specifically:</para>
+
+ <example>
+ <title>Mounting logging sockets into root environment</title>
+
+ <programlisting>BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout</programlisting>
+ </example>
+
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
</varlistentry>
diff --git a/src/core/execute.c b/src/core/execute.c
index 38235ec77e..c56a4ef03b 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3223,6 +3223,7 @@ static int apply_mount_namespace(
context->root_verity,
propagate_dir,
incoming_dir,
+ root_dir || root_image ? params->notify_socket : NULL,
DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
error_path);
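Review bot: The added argument is correct but reads ambiguously: `||` binds tighter than `?:`, so the expression is `(root_dir || root_image) ? ... : NULL`, yet nothing on the line signals that to a reader skimming a long positional argument list. Parenthesizing it, `(root_dir || root_image) ? params->notify_socket : NULL,`, makes the intent visible at a glance, and a trailing comment such as `/* only a non-host root needs the notify socket mounted in */` would record why the plain-host case passes NULL. apply_mount_namespace() starts before and continues past this hunk.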
diff --git a/src/core/execute.h b/src/core/execute.h
index 2da4699df1..f8231ba773 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -384,6 +384,8 @@ struct ExecParameters {
/* An fd that is closed by the execve(), and thus will result in EOF when the execve() is done */
int exec_fd;
+
+ const char *notify_socket;
};
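Review bot: The new `notify_socket` member is the only field in the visible part of ExecParameters without a comment, while `exec_fd` directly above it carries one. From the other hunks of this commit it is set from the manager's notification socket path in service_spawn() and, when a RootDirectory=/RootImage= is in effect, bind-mounted read-only at that same path inside the new root; suggest `/* Path of the manager's notification socket, or NULL; if a root directory/image is used it is bind-mounted into it at the same path so sd_notify() keeps working */`. Whether it is guaranteed NULL when unused depends on how exec_params is initialised in service_spawn(), which is outside the diff.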
#include "unit.h"
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 4b5519e11b..12d9e4c867 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1302,7 +1302,8 @@ static size_t namespace_calculate_mounts(
const char* var_tmp_dir,
const char *creds_path,
const char* log_namespace,
- bool setup_propagate) {
+ bool setup_propagate,
+ const char* notify_socket) {
size_t protect_home_cnt;
size_t protect_system_cnt =
@@ -1329,7 +1330,6 @@ static size_t namespace_calculate_mounts(
n_bind_mounts +
n_mount_images +
n_temporary_filesystems +
- (setup_propagate ? 1 : 0) + /* /run/systemd/incoming */
ns_info->private_dev +
(ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
@@ -1339,7 +1339,9 @@ static size_t namespace_calculate_mounts(
(ns_info->protect_hostname ? 2 : 0) +
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0) +
(creds_path ? 2 : 1) +
- !!log_namespace;
+ !!log_namespace +
+ setup_propagate + /* /run/systemd/incoming */
+ !!notify_socket;
}
static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
@@ -1491,6 +1493,7 @@ int setup_namespace(
const char *verity_data_path,
const char *propagate_dir,
const char *incoming_dir,
+ const char *notify_socket,
DissectImageFlags dissect_image_flags,
char **error_path) {
@@ -1593,7 +1596,8 @@ int setup_namespace(
tmp_dir, var_tmp_dir,
creds_path,
log_namespace,
- setup_propagate);
+ setup_propagate,
+ notify_socket);
if (n_mounts > 0) {
m = mounts = new0(MountEntry, n_mounts);
@@ -1771,6 +1775,14 @@ int setup_namespace(
.read_only = true,
};
+ if (notify_socket)
+ *(m++) = (MountEntry) {
+ .path_const = notify_socket,
+ .source_const = notify_socket,
+ .mode = BIND_MOUNT,
+ .read_only = true,
+ };
+
assert(mounts + n_mounts == m);
/* Prepend the root directory where that's necessary */
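Review bot: The new entry depends on an invariant that is not written down: the socket is mounted at its host path (`.path_const = notify_socket`) precisely because service_spawn() passes that same host path to the child in `NOTIFY_SOCKET=`, so a future change that rewrote either side would silently break notifications. A comment above `if (notify_socket)` such as `/* Make the manager's notification socket visible at the same path inside the root, since NOTIFY_SOCKET= carries the host path */` would keep that coupling explicit. The `.read_only = true` mirrors the incoming_dir entry just above and matches what the portable profiles previously did with `BindReadOnlyPaths=/run/systemd/notify`, so it evidently does not impede sending notifications; a short comment saying so would pre-empt the obvious question. setup_namespace() starts before and continues past this hunk.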
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 91ee44cd51..8e07dd37bc 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -129,6 +129,7 @@ int setup_namespace(
const char *root_verity,
const char *propagate_dir,
const char *incoming_dir,
+ const char *notify_socket,
DissectImageFlags dissected_image_flags,
char **error_path);
diff --git a/src/core/service.c b/src/core/service.c
index b1a4d0bf18..dbb50a9240 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1474,10 +1474,13 @@ static int service_spawn(
if (!our_env)
return -ENOMEM;
- if (service_exec_needs_notify_socket(s, flags))
+ if (service_exec_needs_notify_socket(s, flags)) {
if (asprintf(our_env + n_env++, "NOTIFY_SOCKET=%s", UNIT(s)->manager->notify_socket) < 0)
return -ENOMEM;
+ exec_params.notify_socket = UNIT(s)->manager->notify_socket;
+ }
+
if (s->main_pid > 0)
if (asprintf(our_env + n_env++, "MAINPID="PID_FMT, s->main_pid) < 0)
return -ENOMEM;
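Review bot: The block now spells out `UNIT(s)->manager->notify_socket` twice, once for the environment string and once for the exec parameter, and the two must stay the same path for the bind mount set up in namespace.c to line up with what the child reads from `NOTIFY_SOCKET=`. Hoisting it once, `const char *notify_socket = UNIT(s)->manager->notify_socket;`, and using that local for both the asprintf() and `exec_params.notify_socket = notify_socket;` makes the coupling visible and cannot drift. Note also that exec_params only borrows the manager's string rather than copying it, which is fine as long as exec_params does not outlive the manager; the surrounding service_spawn() starts and ends outside this hunk, so that cannot be confirmed here.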
diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
index 792be50229..230aa60781 100644
--- a/src/portable/profile/default/service.conf
+++ b/src/portable/profile/default/service.conf
@@ -2,8 +2,6 @@
[Service]
MountAPIVFS=yes
-TemporaryFileSystem=/run
-BindReadOnlyPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
BindReadOnlyPaths=/etc/machine-id
BindReadOnlyPaths=/etc/resolv.conf
diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf
index c81cebe03f..cd7f75c2e3 100644
--- a/src/portable/profile/nonetwork/service.conf
+++ b/src/portable/profile/nonetwork/service.conf
@@ -2,8 +2,6 @@
[Service]
MountAPIVFS=yes
-TemporaryFileSystem=/run
-BindReadOnlyPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
BindReadOnlyPaths=/etc/machine-id
BindReadOnlyPaths=/run/dbus/system_bus_socket
diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf
index d10fb5a1e8..f924e1096f 100644
--- a/src/portable/profile/strict/service.conf
+++ b/src/portable/profile/strict/service.conf
@@ -2,8 +2,6 @@
[Service]
MountAPIVFS=yes
-TemporaryFileSystem=/run
-BindReadOnlyPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
BindReadOnlyPaths=/etc/machine-id
DynamicUser=yes
diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf
index 9a6af70b93..cb859c4e27 100644
--- a/src/portable/profile/trusted/service.conf
+++ b/src/portable/profile/trusted/service.conf
@@ -2,6 +2,5 @@
[Service]
MountAPIVFS=yes
-BindPaths=/run
BindReadOnlyPaths=/etc/machine-id
BindReadOnlyPaths=/etc/resolv.conf
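Review bot: Dropping `BindPaths=/run` leaves the trusted profile with no mount of the host's journal sockets, while the man-page hunk in this same commit states that a service under RootDirectory=/RootImage= cannot log via syslog or the journal unless `/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout` are mounted from the host. The default, nonetwork and strict profiles each keep a `BindReadOnlyPaths=` line for exactly those sockets; this profile has none in the visible lines, unless one exists outside the hunk. The automatic mount added in namespace.c covers only the notification socket, not logging, so suggest adding `BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout` here as in the other profiles.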
diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
index d92bcacfad..461dde5fa9 100644
--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -174,6 +174,7 @@ static void test_protect_kernel_logs(void) {
NULL,
NULL,
NULL,
+ NULL,
0,
NULL);
assert_se(r == 0);
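Review bot: The new argument is another bare `NULL` in a run of unlabelled positional NULL arguments, so nothing tells a reader which position is `notify_socket` or checks that the insertion landed at the right slot of setup_namespace()'s signature; tagging it, `NULL, /* notify_socket */`, here and in the matching call in test-ns.c (its hunk at line 89) would make the next signature change easier to audit. With NULL passed in both tests, the new bind-mount branch in setup_namespace() is not exercised by either; that likely needs mount privileges, so it may only fit alongside whatever privileged paths these tests already have.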
diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index 88bdb437de..3b5836e980 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -89,6 +89,7 @@ int main(int argc, char *argv[]) {
NULL,
NULL,
NULL,
+ NULL,
0,
NULL);
if (r < 0) {