Package: systemd Version: 214-1 Severity: normal Tags: patch systemd's ProtectSystem= option should cover /bin, /sbin, /lib and /lib64 (if it exists) on Debian systems where these are not symlinks to /usr.
A patch is attached. Please also backport 0f625d0b87139fc18cd565c9b6da05c53a0eb7ab. Otherwise ProtectSystem=full is broken (and treated as ProtectSystem=false). Ansgar
From: Ansgar Burchardt <[email protected]>
Date: Thu, 24 Jul 2014 19:38:07 +0200
Subject: Include additional directories in ProtectSystem
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -371,7 +371,7 @@
 strv_length(inaccessible_dirs) +
 private_dev +
 (protect_home != PROTECT_HOME_NO ? 3 : 0) +
- (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
+ (protect_system != PROTECT_SYSTEM_NO ? 6 : 0) +
 (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
 
 if (n > 0) {
@@ -413,7 +413,7 @@
 }
 
 if (protect_system != PROTECT_SYSTEM_NO) {
- r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
+ r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot", "/etc") : STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot"), READONLY);
 if (r < 0)
 return r;
 }
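Review bot: The new literal `6` on the changed line in the first hunk must equal the number of entries in the STRV_MAKE() lists handed to append_mounts() in the second hunk, and nothing in the code ties the two together. The arithmetic does work out here (six entries common to both lists, plus the separate `1` for `/etc` in the FULL case), but if `n` sizes the mount table that append_mounts() fills — the allocation is outside this hunk — any future undercount would write past the end of that table. A comment next to the literal such as `/* must match the STRV_MAKE() lists passed to append_mounts() for protect_system below */`, or deriving the count from strv_length() of those lists, would make the coupling visible to the next person editing either hunk. The enclosing function starts and ends outside the hunk.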
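Review bot: In the second hunk the added `/bin`, `/sbin` and `/lib` entries are unconditional while `/lib64` and `/boot` carry the `-` prefix, so on a layout where any of the first three is absent the read-only setup presumably fails where it previously succeeded — the existing `-/boot` entry and the report's "(if it exists)" wording suggest `-` marks paths that may be missing. The report scopes the change to Debian systems where these are real directories rather than symlinks into /usr; if the mounts are meant to be best-effort on other layouts, prefixing them too (`"-/bin", "-/sbin", "-/lib"`) would be the consistent choice, otherwise a comment stating that these directories are required on Debian would document the asymmetry. The enclosing function starts and ends outside the hunk.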

