What do you mean "it only happens with libseccomp"? I have tried to enable or disable
seccomp via CONFIG_SECCOMP, but the results were the same unless I set MountFlags=shared.

Without the propagation patch, all block devices, such as '/dev/sda*', mounted by systemd-udev
are inaccessible from outside the namespace, which means the root user can't use '/dev/sda*'. Do you
have any suggestions for me?

Thanks.



On 2018-02-22 22:25, Burton, Ross wrote:
We used to have this but it was removed in the 232 upgrade:

    * Drop mount propagation patch, it only happens with libseccomp, OE doesnt
      enable it

Is this not the case?  Or are you enabling seccomp?  Maybe this should be a bbappend in meta-security?

Ross

On 22 February 2018 at 14:15, Hongzhi.Song <hongzhi.s...@windriver.com> wrote:

    MountFlags's default value is shared in systemd-udevd.service. But
    upstream sets MountFlags to slave just to keep mounts done by udev
    private to udevd, which makes block devices mounted by udev invisible
    to the host while still being busy for it. So we revert it to shared
    so that they are propagated to the host.

    Signed-off-by: Hongzhi.Song <hongzhi.s...@windriver.com>
    ---
     ...evd-re-enable-mount-propagation-for-udevd.patch | 33 ++++++++++++++++++++++
     meta/recipes-core/systemd/systemd_234.bb           |  1 +
     2 files changed, 34 insertions(+)
     create mode 100644 meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch

    diff --git a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
    new file mode 100644
    index 0000000000..fce7bdd796
    --- /dev/null
    +++ b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
    @@ -0,0 +1,33 @@
    +From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00
    2001
    +From: "Hongzhi.Song" <hongzhi.s...@windriver.com
    <mailto:hongzhi.s...@windriver.com>>
    +Date: Mon, 19 Feb 2018 20:43:02 -0500
    +Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
    +
    +Upstream-Status: Inappropriate [embedded specific]
    +
    +Change the mount propagation flag from MountFlags=slave to
    MountFlags=shared
    +(default). Use shared to ensure that mounts and unmounts are
    propagated from
    +systemd's namespace to the service's namespace and vice versa,
    while use slave
    +to run processes so that none of their mounts and unmounts will
    propagate to
    +the host.
    +
    +Signed-off-by: Hongzhi.Song <hongzhi.s...@windriver.com
    <mailto:hongzhi.s...@windriver.com>>
    +---
    + units/systemd-udevd.service.in <http://systemd-udevd.service.in>
    | 1 -
    + 1 file changed, 1 deletion(-)
    +
    +diff --git a/units/systemd-udevd.service.in
    <http://systemd-udevd.service.in> b/units/systemd-udevd.service.in
    <http://systemd-udevd.service.in>
    +index fc037b5..841d7a8 100644
    +--- a/units/systemd-udevd.service.in
    <http://systemd-udevd.service.in>
    ++++ b/units/systemd-udevd.service.in
    <http://systemd-udevd.service.in>
    +@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
    + KillMode=mixed
    + WatchdogSec=3min
    + TasksMax=infinity
    +-MountFlags=slave
    + MemoryDenyWriteExecute=yes
    + RestrictRealtime=yes
    + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
    +--
    +2.8.1
    +
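Review bot: The description in this new patch file says the flag is changed "from MountFlags=slave to MountFlags=shared (default)", but the hunk at `@@ -24,7 +24,6 @@` only deletes `-MountFlags=slave` and leaves the resulting propagation to whatever the unit's default happens to be; put `MountFlags=shared` explicitly in its place so the intent is visible in the unit file and does not silently change if the default does. The description should also state plainly what is being given up: once the line is gone, mounts performed from inside udevd are no longer confined to udevd's own namespace, which is exactly the isolation upstream added the line for, so a reader of the patch can weigh that trade-off against the host needing to see the udev-mounted block devices. The `Upstream-Status: Inappropriate [embedded specific]` tag also reads oddly for a change whose stated motivation (udev mounts invisible to the host) is not specific to embedded targets; "configuration" would describe it better.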
    diff --git a/meta/recipes-core/systemd/systemd_234.bb b/meta/recipes-core/systemd/systemd_234.bb
    index babc351cc8..42f4f1ec76 100644
    --- a/meta/recipes-core/systemd/systemd_234.bb
    +++ b/meta/recipes-core/systemd/systemd_234.bb
    @@ -32,6 +32,7 @@ SRC_URI += " \
               
    file://0001-main-skip-many-initialization-steps-when-running-in-.patch
    \
                file://CVE-2017-18078.patch \
               
    file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch \
    +         
    file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch \
                "
     SRC_URI_append_qemuall = "
    file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
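Review bot: The patch is added to SRC_URI unconditionally, while the thread records that the earlier propagation patch was dropped because the problem only appeared with libseccomp; if that still holds, gate the `file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch` entry on seccomp being enabled in the build (or carry it as a bbappend, as was suggested) rather than reverting upstream's udevd mount isolation for every image. Minor: the neighbouring entries use git-format-patch style `0001-...` names; naming this one the same way keeps the patch list consistent.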

    --
    2.13.3

    --
    _______________________________________________
    Openembedded-core mailing list
    Openembedded-core@lists.openembedded.org
    http://lists.openembedded.org/mailman/listinfo/openembedded-core
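The thread turns on whether a mount made inside systemd-udevd's namespace is shared with the host or stays a slave mount that only udevd can see. The script below is an added example, not code from the thread or from systemd or OpenEmbedded: it classifies every entry of a mountinfo(5) dump as shared, slave, private or unbindable from the optional fields, so the same mount point can be compared in `/proc/1/mountinfo` (the host) and `/proc/$(pidof systemd-udevd)/mountinfo` (udevd's namespace) after changing MountFlags. The sample mountinfo lines and the `/mnt/usb` mount point are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify mount propagation from a mountinfo(5) dump.
# Usage: mount_propagation /proc/1/mountinfo
#        mount_propagation /proc/$(pidof systemd-udevd)/mountinfo
#        ... | mount_propagation            (reads stdin when no file given)
#
# In mountinfo the optional fields (field 7 up to the "-" separator) carry the
# propagation state of each mount:
#   shared:N    member of peer group N (mount/umount events go to all peers)
#   master:N    slave of peer group N (receives events, sends none upward)
#   unbindable
# A mount with none of these is private. A mount may be both shared and slave.
mount_propagation() {
    awk '{
        prop = ""
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/)         prop = prop "shared,"
            else if ($i ~ /^master:/)    prop = prop "slave,"
            else if ($i == "unbindable") prop = prop "unbindable,"
        }
        if (prop == "") prop = "private,"
        sub(/,$/, "", prop)
        print $5, prop          # field 5 is the mount point
    }' "${1:--}"
}

# check_shared FILE MOUNTPOINT: prints "ok" when the mount point is shared,
# "missing" when it is not present in that namespace at all, otherwise the
# propagation it actually has (e.g. "slave"). Run it against udevd's
# mountinfo to confirm a udev-made mount will propagate to the host.
check_shared() {
    state=$(mount_propagation "$1" | awk -v t="$2" '$1 == t { print $2 }')
    case "$state" in
        *shared*) echo ok ;;
        "")       echo missing ;;
        *)        echo "$state" ;;
    esac
}

# Constructed sample lines (not captured from a real system): the same
# /dev/sda1 mount as seen under MountFlags=slave and under MountFlags=shared.
SAMPLE_SLAVE='21 1 8:1 / /mnt/usb rw,relatime master:1 - ext4 /dev/sda1 rw'
SAMPLE_SHARED='21 1 8:1 / /mnt/usb rw,relatime shared:1 - ext4 /dev/sda1 rw'

# Stand-alone demonstration on the constructed lines.
printf '%s\n' "$SAMPLE_SLAVE"  | check_shared - /mnt/usb
printf '%s\n' "$SAMPLE_SHARED" | check_shared - /mnt/usb
```

On a running system the first thing to compare is `check_shared /proc/1/mountinfo /mnt/usb` against `check_shared /proc/$(pidof systemd-udevd)/mountinfo /mnt/usb`: with MountFlags=slave the host side reports "missing" while udevd's side shows the mount, which is the "invisible but busy" symptom described above. Note that a propagation setting for udevd can also be tried without patching the unit file, via a drop-in such as `/etc/systemd/system/systemd-udevd.service.d/override.conf` containing `[Service]` and `MountFlags=shared`, which keeps the change local to the image configuration.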


