1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
From 297aba739cd689e4dc9f43bb1422ec88d481099a Mon Sep 17 00:00:00 2001
From: Paul Gortmaker <paul.gortmaker@windriver.com>
Date: Wed, 13 Jan 2021 21:09:33 +0000
Subject: [PATCH] proc: dont trigger mount error with invalid options on old
kernels
As of commit 4e39995371738b04d98d27b0d34ea8fe09ec9fab ("core: introduce
ProtectProc= and ProcSubset= to expose hidepid= and subset= procfs
mount options") kernels older than v5.8 generate multple warnings at
boot, as seen in this Yocto build from today:
qemux86-64 login: root
[ 65.829009] proc: Bad value for 'hidepid'
root@qemux86-64:~# dmesg|grep proc:
[ 16.990706] proc: Bad value for 'hidepid'
[ 28.060178] proc: Bad value for 'hidepid'
[ 28.874229] proc: Bad value for 'hidepid'
[ 32.685107] proc: Bad value for 'hidepid'
[ 65.829009] proc: Bad value for 'hidepid'
root@qemux86-64:~#
The systemd maintainer has dismissed this as something people should
simply ignore[1] and has no interest in trying to avoid it by
proactively checking the kernel version, so people can safely assume
that they will never see this version check commit upstream.
However, as can be seen above, telling people to just ignore it is not
an option, as we'll end up answering the same question and dealing with
the same bug over and over again.
The commit that triggers this is systemd v247-rc1~378^2~3 -- so any
systemd 247 and above plus kernel v5.7 or older will need this.
[1] https://github.com/systemd/systemd/issues/16896
Upstream-Status: Denied [https://github.com/systemd/systemd/issues/16896]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Index: git/src/core/namespace.c
===================================================================
--- git.orig/src/core/namespace.c
+++ git/src/core/namespace.c
@@ -4,7 +4,9 @@
#include <linux/loop.h>
#include <sched.h>
#include <stdio.h>
+#include <stdlib.h>
#include <sys/mount.h>
+#include <sys/utsname.h>
#include <unistd.h>
#include <linux/fs.h>
@@ -860,13 +862,32 @@ static int mount_sysfs(const MountEntry
static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
const char *entry_path;
- int r;
+ int r, major, minor;
+ struct utsname uts;
+ bool old = false;
assert(m);
assert(ns_info);
entry_path = mount_entry_path(m);
+ /* If uname says that the system is older than v5.8, then the textual hidepid= stuff is not
+ * supported by the kernel, and thus the per-instance hidepid= neither, which means we
+ * really don't want to use it, since it would affect our host's /proc * mount. Hence let's
+ * gracefully fallback to a classic, unrestricted version. */
+
+ r = uname(&uts);
+ if (r < 0)
+ return errno;
+
+ major = atoi(uts.release);
+ minor = atoi(strchr(uts.release, '.') + 1);
+
+ if (major < 5 || (major == 5 && minor < 8)) {
+ log_debug("Pre v5.8 kernel detected [v%d.%d] - skipping hidepid=", major, minor);
+ old = true;
+ }
+
/* Mount a new instance, so that we get the one that matches our user namespace, if we are running in
* one. i.e we don't reuse existing mounts here under any condition, we want a new instance owned by
* our user namespace and with our hidepid= settings applied. Hence, let's get rid of everything
@@ -875,8 +896,8 @@ static int mount_procfs(const MountEntry
(void) mkdir_p_label(entry_path, 0755);
(void) umount_recursive(entry_path, 0);
- if (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
- ns_info->proc_subset != PROC_SUBSET_ALL) {
+ if (!old && (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
+ ns_info->proc_subset != PROC_SUBSET_ALL)) {
_cleanup_free_ char *opts = NULL;
/* Starting with kernel 5.8 procfs' hidepid= logic is truly per-instance (previously it
|
