Re: [OE-core] [PATCH v3] systemd: re-enable mount propagation for udevd

2018-02-23 Thread Vincent Prince
Hi all,

I have MountFlags=slave defined, and I use the following recipe to
automount USB sticks without rights issues:
https://github.com/nefethael/meta-random/blob/master/recipes-support/usbmount/usbmount_git.bb
I think we should keep this setting as it is.

What is the problematic use case?

Best regards,
Vincent

2018-02-23 2:23 GMT+01:00 Hongzhi, Song :

> If MountFlags=slave, systemd-udevd mounts all block devices, such as
> '/dev/sda1' '/dev/mmcblk*', in its own unit namespace. So other namespaces,
> such as 'root user', have no access to the block devices mentioned above.
>
> On 2018-02-23 08:50, Otavio Salvador wrote:
>
>> On Thu, Feb 22, 2018 at 11:15 AM, Hongzhi.Song wrote:
>>
>>> MountFlags's default value is shared in systemd-udevd.service. But upstream
>>> sets MountFlags to slave just to keep mounts done by udev private to
>>> udevd, which makes block devices mounted by udev invisible to the host but
>>> still busy. So we revert it to shared so that they are propagated to the host.
>>>
>>> Signed-off-by: Hongzhi.Song 
>>>
>> This is what the mountflag does. This does not explain WHY you need this change.
>>
-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


Re: [OE-core] [PATCH v3] systemd: re-enable mount propagation for udevd

2018-02-22 Thread Hongzhi, Song
What do you mean "it only happens with libseccomp"? I have tried to enable or
disable seccomp via CONFIG_SECCOMP, but the results were the same unless I set
MountFlags=shared.

Without the propagation patch, all block devices, such as '/dev/sda*', mounted
by systemd-udev are inaccessible to the outside namespace, which means the root
user can't use '/dev/sda*'. Do you have any suggestions for me?

Thanks.



On 2018-02-22 22:25, Burton, Ross wrote:

We used to have this but it was removed in the 232 upgrade:

    * Drop mount propagation patch, it only happens with libseccomp, OE doesn't
      enable it

Is this not the case?  Or are you enabling seccomp?  Maybe this should be a
bbappend in meta-security?


Ross

On 22 February 2018 at 14:15, Hongzhi.Song wrote:

MountFlags's default value is shared in systemd-udevd.service. But upstream
sets MountFlags to slave just to keep mounts done by udev private to
udevd, which makes block devices mounted by udev invisible to the host but
still busy. So we revert it to shared so that they are propagated to the host.

Signed-off-by: Hongzhi.Song
---
 ...evd-re-enable-mount-propagation-for-udevd.patch | 33
++
 meta/recipes-core/systemd/systemd_234.bb 
         |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644

meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch

diff --git

a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch

b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
new file mode 100644
index 00..fce7bdd796
--- /dev/null
+++

b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
@@ -0,0 +1,33 @@
+From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00
2001
+From: "Hongzhi.Song" >
+Date: Mon, 19 Feb 2018 20:43:02 -0500
+Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Change the mount propagation flag from MountFlags=slave to
MountFlags=shared
+(default). Use shared to ensure that mounts and unmounts are
propagated from
+systemd's namespace to the service's namespace and vice versa,
while use slave
+to run processes so that none of their mounts and unmounts will
propagate to
+the host.
+
+Signed-off-by: Hongzhi.Song >
+---
+ units/systemd-udevd.service.in 
| 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/units/systemd-udevd.service.in
 b/units/systemd-udevd.service.in

+index fc037b5..841d7a8 100644
+--- a/units/systemd-udevd.service.in

 b/units/systemd-udevd.service.in

+@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
+ KillMode=mixed
+ WatchdogSec=3min
+ TasksMax=infinity
+-MountFlags=slave
+ MemoryDenyWriteExecute=yes
+ RestrictRealtime=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+--
+2.8.1
+
diff --git a/meta/recipes-core/systemd/systemd_234.bb
 b/meta/recipes-core/systemd/systemd_234.bb

index babc351cc8..42f4f1ec76 100644
--- a/meta/recipes-core/systemd/systemd_234.bb 
+++ b/meta/recipes-core/systemd/systemd_234.bb 
@@ -32,6 +32,7 @@ SRC_URI += " \
           
file://0001-main-skip-many-initialization-steps-when-running-in-.patch
\
            file://CVE-2017-18078.patch \
           
file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch \
+         
file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch \
            "
 SRC_URI_append_qemuall = "
file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"

--
2.13.3

Re: [OE-core] [PATCH v3] systemd: re-enable mount propagation for udevd

2018-02-22 Thread Hongzhi, Song

If MountFlags=slave, systemd-udevd mounts all block devices, such as
'/dev/sda1' '/dev/mmcblk*', in its own unit namespace. So other namespaces,
such as 'root user', have no access to the block devices mentioned above.


On 2018-02-23 08:50, Otavio Salvador wrote:

On Thu, Feb 22, 2018 at 11:15 AM, Hongzhi.Song wrote:

MountFlags's default value is shared in systemd-udevd.service. But upstream
sets MountFlags to slave just to keep mounts done by udev private to
udevd, which makes block devices mounted by udev invisible to the host but
still busy. So we revert it to shared so that they are propagated to the host.

Signed-off-by: Hongzhi.Song 

This is what the mountflag does. This does not explain WHY you need this change.





Re: [OE-core] [PATCH v3] systemd: re-enable mount propagation for udevd

2018-02-22 Thread Otavio Salvador
On Thu, Feb 22, 2018 at 11:15 AM, Hongzhi.Song wrote:
> MountFlags's default value is shared in systemd-udevd.service. But upstream
> sets MountFlags to slave just to keep mounts done by udev private to
> udevd, which makes block devices mounted by udev invisible to the host but
> still busy. So we revert it to shared so that they are propagated to the host.
>
> Signed-off-by: Hongzhi.Song 

This is what the mountflag does. This does not explain WHY you need this change.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br                 http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854                  Mobile: +1 (347) 903-9750


Re: [OE-core] [PATCH v3] systemd: re-enable mount propagation for udevd

2018-02-22 Thread Burton, Ross
We used to have this but it was removed in the 232 upgrade:

* Drop mount propagation patch, it only happens with libseccomp, OE doesn't
  enable it

Is this not the case?  Or are you enabling seccomp?  Maybe this should be a
bbappend in meta-security?

Ross

On 22 February 2018 at 14:15, Hongzhi.Song wrote:

> MountFlags's default value is shared in systemd-udevd.service. But upstream
> sets MountFlags to slave just to keep mounts done by udev private to
> udevd, which makes block devices mounted by udev invisible to the host but
> still busy. So we revert it to shared so that they are propagated to the host.
>
> Signed-off-by: Hongzhi.Song 
> ---
>  ...evd-re-enable-mount-propagation-for-udevd.patch | 33
> ++
>  meta/recipes-core/systemd/systemd_234.bb   |  1 +
>  2 files changed, 34 insertions(+)
>  create mode 100644 meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch b/meta/recipes-core/systemd/
> systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> new file mode 100644
> index 00..fce7bdd796
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch
> @@ -0,0 +1,33 @@
> +From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00 2001
> +From: "Hongzhi.Song" 
> +Date: Mon, 19 Feb 2018 20:43:02 -0500
> +Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +Change the mount propagation flag from MountFlags=slave to
> MountFlags=shared
> +(default). Use shared to ensure that mounts and unmounts are propagated
> from
> +systemd's namespace to the service's namespace and vice versa, while use
> slave
> +to run processes so that none of their mounts and unmounts will propagate
> to
> +the host.
> +
> +Signed-off-by: Hongzhi.Song 
> +---
> + units/systemd-udevd.service.in | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/units/systemd-udevd.service.in b/units/
> systemd-udevd.service.in
> +index fc037b5..841d7a8 100644
> +--- a/units/systemd-udevd.service.in
>  b/units/systemd-udevd.service.in
> +@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
> + KillMode=mixed
> + WatchdogSec=3min
> + TasksMax=infinity
> +-MountFlags=slave
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> +--
> +2.8.1
> +
> diff --git a/meta/recipes-core/systemd/systemd_234.bb
> b/meta/recipes-core/systemd/systemd_234.bb
> index babc351cc8..42f4f1ec76 100644
> --- a/meta/recipes-core/systemd/systemd_234.bb
> +++ b/meta/recipes-core/systemd/systemd_234.bb
> @@ -32,6 +32,7 @@ SRC_URI += " \
> 
> file://0001-main-skip-many-initialization-steps-when-running-in-.patch
> \
> file://CVE-2017-18078.patch \
> 
> file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch
> \
> +  file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> \
> "
>  SRC_URI_append_qemuall = " file://0001-core-device.c-
> Change-the-default-device-timeout-to-2.patch"
>
> --
> 2.13.3
>


[OE-core] [PATCH v3] systemd: re-enable mount propagation for udevd

2018-02-22 Thread Hongzhi.Song
MountFlags's default value is shared in systemd-udevd.service. But upstream
sets MountFlags to slave just to keep mounts done by udev private to
udevd, which makes block devices mounted by udev invisible to the host but
still busy. So we revert it to shared so that they are propagated to the host.

Signed-off-by: Hongzhi.Song 
---
 ...evd-re-enable-mount-propagation-for-udevd.patch | 33 ++
 meta/recipes-core/systemd/systemd_234.bb   |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch

diff --git 
a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
 
b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
new file mode 100644
index 00..fce7bdd796
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
@@ -0,0 +1,33 @@
+From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00 2001
+From: "Hongzhi.Song" 
+Date: Mon, 19 Feb 2018 20:43:02 -0500
+Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Change the mount propagation flag from MountFlags=slave to MountFlags=shared
+(default). Use shared to ensure that mounts and unmounts are propagated from 
+systemd's namespace to the service's namespace and vice versa, while use slave 
+to run processes so that none of their mounts and unmounts will propagate to 
+the host.
+
+Signed-off-by: Hongzhi.Song 
+---
+ units/systemd-udevd.service.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
+index fc037b5..841d7a8 100644
+--- a/units/systemd-udevd.service.in
 b/units/systemd-udevd.service.in
+@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
+ KillMode=mixed
+ WatchdogSec=3min
+ TasksMax=infinity
+-MountFlags=slave
+ MemoryDenyWriteExecute=yes
+ RestrictRealtime=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+-- 
+2.8.1
+
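Review bot: the description in this new patch file argues against the change it makes: it says slave is what you use "so that none of their mounts and unmounts will propagate to the host", and that is exactly the isolation the hunk removes by deleting `MountFlags=slave`, while the "why" asked for on the list (which udev rule or helper mounts '/dev/sda*' from inside udevd, and why that mount cannot be done outside udevd's namespace, for instance by a separate unit started from the rule) is still missing. Please rewrite the description around the concrete use case and the trade-off (every mount made by a udev helper now lands in the host namespace), and since `Upstream-Status: Inappropriate [embedded specific]` commits OE to carrying this across upgrades, consider a drop-in under `systemd-udevd.service.d/` that sets `MountFlags=shared` instead of patching the unit, which can then live in the layer that needs it. As shown here the nested `+++` header line reads ` b/units/systemd-udevd.service.in` with no `+++`; if that is in the file and not just a mailing-list rendering artifact, the patch will not apply, so check it applies cleanly before resending.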
diff --git a/meta/recipes-core/systemd/systemd_234.bb 
b/meta/recipes-core/systemd/systemd_234.bb
index babc351cc8..42f4f1ec76 100644
--- a/meta/recipes-core/systemd/systemd_234.bb
+++ b/meta/recipes-core/systemd/systemd_234.bb
@@ -32,6 +32,7 @@ SRC_URI += " \

file://0001-main-skip-many-initialization-steps-when-running-in-.patch \
file://CVE-2017-18078.patch \

file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch \
+  file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch \
"
 SRC_URI_append_qemuall = " 
file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
 
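Review bot: adding the patch unconditionally to `SRC_URI` makes the loss of udevd's mount-namespace isolation the default for every OE-core systemd build, although the thread's own history says the equivalent patch was dropped in the 232 upgrade because it only mattered with libseccomp, which OE does not enable. Gate it behind an opt-in (a PACKAGECONFIG option in this recipe or a bbappend in the layer that needs it, as suggested on the list) rather than patching the base recipe, and record the reason in the commit message so that the next systemd upgrade does not silently drop it again as happened at 232.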
-- 
2.13.3
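To make the trade-off concrete, here is an added example (not code from the OE-core patch or from systemd) that parses a systemd unit plus any drop-in overrides and reports the effective MountFlags= for udevd; the unit text is constructed from the context lines of the hunk above, and it assumes drop-ins are applied in file-name order with the last assignment winning, which is how systemd documents them.

```python
# Added example, not code from the OE-core patch or systemd: compute the
# effective MountFlags= of systemd-udevd from its unit file plus drop-ins.
def parse_unit(text):
    """{section: [(key, value), ...]} in file order, duplicates kept, since
    later assignments (and later drop-ins) override earlier ones."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def effective_mount_flags(unit_text, dropins=()):
    """Last assignment wins across the unit and its drop-ins (pass drop-ins in
    the order systemd applies them: sorted by file name). Unset leaves the
    service in the host namespace, the 'shared' default named in the patch
    header; an empty 'MountFlags=' is treated as unset here (assumption)."""
    flags = "shared"
    for text in (unit_text, *dropins):
        for key, value in parse_unit(text).get("Service", []):
            if key == "MountFlags":
                flags = value or "shared"
    return flags

def host_sees_udev_mounts(flags):
    """True when mounts done inside udevd (e.g. by a RUN= helper) reach the
    host. 'slave' receives host mounts but sends none back: the 'invisible
    to the host but busy' symptom reported in the thread."""
    return {"shared": True, "slave": False, "private": False}[flags]
# Constructed from context lines of the units/systemd-udevd.service.in hunk.
UDEVD_UPSTREAM = """[Service]
ExecStart=@rootlibexecdir@/systemd-udevd
MountFlags=slave
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
"""
UDEVD_PATCHED = UDEVD_UPSTREAM.replace("MountFlags=slave\n", "")  # the OE patch's effect
# Same effect without patching the unit: a systemd-udevd.service.d/*.conf drop-in.
DROPIN_SHARED = "[Service]\nMountFlags=shared\n"
for name, unit, dropins in (("upstream", UDEVD_UPSTREAM, ()), ("patched", UDEVD_PATCHED, ()),
                            ("drop-in", UDEVD_UPSTREAM, (DROPIN_SHARED,))):
    flags = effective_mount_flags(unit, dropins)
    print(f"{name}: MountFlags={flags}, host sees udev mounts: {host_sees_udev_mounts(flags)}")
```

Run as a script it prints the verdict for the upstream unit, the patched unit and the drop-in alternative, showing that the drop-in reaches the same effective value without carrying a patch against the unit file.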
