We used to have this but it was removed in the 232 upgrade:

    * Drop mount propagation patch, it only happens with libseccomp, OE doesn't
      enable it

Is this not the case?  Or are you enabling seccomp?  Maybe this should be a
bbappend in meta-security?

Ross

On 22 February 2018 at 14:15, Hongzhi.Song <hongzhi.s...@windriver.com>
wrote:

> MountFlags's default value is shared in systemd-udevd.service. But upstream
> sets MountFlags to slave just to keep mounts done by udev private to
> udevd, which causes a block device mounted by udev to be invisible to, but
> busy for, the host. So we revert it to shared so that it is propagated to
> the host.
>
> Signed-off-by: Hongzhi.Song <hongzhi.s...@windriver.com>
> ---
>  ...evd-re-enable-mount-propagation-for-udevd.patch | 33
> ++++++++++++++++++++++
>  meta/recipes-core/systemd/systemd_234.bb           |  1 +
>  2 files changed, 34 insertions(+)
>  create mode 100644 meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch b/meta/recipes-core/systemd/
> systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> new file mode 100644
> index 0000000000..fce7bdd796
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch
> @@ -0,0 +1,33 @@
> +From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00 2001
> +From: "Hongzhi.Song" <hongzhi.s...@windriver.com>
> +Date: Mon, 19 Feb 2018 20:43:02 -0500
> +Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +Change the mount propagation flag from MountFlags=slave to
> MountFlags=shared
> +(default). Use shared to ensure that mounts and unmounts are propagated
> from
> +systemd's namespace to the service's namespace and vice versa, while use
> slave
> +to run processes so that none of their mounts and unmounts will propagate
> to
> +the host.
> +
> +Signed-off-by: Hongzhi.Song <hongzhi.s...@windriver.com>
> +---
> + units/systemd-udevd.service.in | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/units/systemd-udevd.service.in b/units/
> systemd-udevd.service.in
> +index fc037b5..841d7a8 100644
> +--- a/units/systemd-udevd.service.in
> ++++ b/units/systemd-udevd.service.in
> +@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
> + KillMode=mixed
> + WatchdogSec=3min
> + TasksMax=infinity
> +-MountFlags=slave
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> +--
> +2.8.1
> +
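Review bot: the justification in this hunk (from "+Change the mount propagation flag from MountFlags=slave to MountFlags=shared (default)" through "none of their mounts and unmounts will propagate to the host.") describes what each value does but never says why this build needs udevd's mounts to reach the host, and its second half actually argues for keeping slave. Replace it with the concrete symptom from the cover letter (a block device mounted by udev is invisible to the host yet busy) and state plainly that dropping "-MountFlags=slave" removes the mount-namespace isolation of systemd-udevd, so anything udevd or the programs it spawns mount now lands in the host namespace, while MemoryDenyWriteExecute, RestrictRealtime and RestrictAddressFamilies remain the only sandboxing left in that block. "Upstream-Status: Inappropriate [embedded specific]" should also name the embedded-specific reason, since the cover letter itself notes upstream set slave deliberately.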
> diff --git a/meta/recipes-core/systemd/systemd_234.bb
> b/meta/recipes-core/systemd/systemd_234.bb
> index babc351cc8..42f4f1ec76 100644
> --- a/meta/recipes-core/systemd/systemd_234.bb
> +++ b/meta/recipes-core/systemd/systemd_234.bb
> @@ -32,6 +32,7 @@ SRC_URI += " \
>             
> file://0001-main-skip-many-initialization-steps-when-running-in-.patch
> \
>             file://CVE-2017-18078.patch \
>             
> file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch
> \
> +          file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> \
>             "
>  SRC_URI_append_qemuall = " file://0001-core-device.c-
> Change-the-default-device-timeout-to-2.patch"
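Review bot: the new "+          file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch" line applies the revert unconditionally, but the reply above says the earlier version of this patch was dropped because the problem only happens with libseccomp, which OE does not enable; gate the entry on that configuration or carry it in a bbappend as suggested, rather than weakening a sandboxing directive for every build. Minor: the added line appears indented one column less than the neighbouring file:// entries, and the patch name lacks the 0001- prefix the other local patches in this list use.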
>
> --
> 2.13.3
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>