Bug 752540
| Summary: | PrivateTmp does not work. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> | ||||||
| Component: | systemd | Assignee: | systemd-maint | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | rawhide | CC: | johannbg, lpoetter, metherid, notting, plautrba, systemd-maint | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | systemd-37-11.fc16 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-01-30 20:59:09 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Daniel Walsh
2011-11-09 19:40:32 UTC
Created attachment 532670 [details]
This is the program sandbox uses to mount private /tmp directories.
When you unshare, you have to first
mount -o bind /tmp /tmp
Then set the /tmp as private
mount --make-private /tmp
Then you can mount your /tmp over the /tmp directory.
mount -o bind /tmp/systemd-private... /tmp
Also you need to make sure you set all of the flags correctly.
MS_NODEV | MS_NOSUID | MS_NOEXEC;
Also you want to maintain the sticky bit and protections.
if (fchmod(fd_t, 01770) == -1) {
fprintf(stderr, _("Unable to change mode on %s: %s\n"), tmpdir, strerror(errno));
goto err;
}
Created attachment 550512 [details]
After talking with Al Viro this is the patch I believe you should need
Basically executing
if (mount("none", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
r = -errno;
goto fail;
}
Says that nothing in your new namespace will propagate out to the parent namespace.
Applying this patch causes apache with a private tmp to work without effecting the parent namespace. /run/systemd is still present. When I look at /proc/PIDOFHTTP/mountinfo I see # grep /tmp /proc/2826/mountinfo 105 79 0:33 / /tmp rw,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel 109 105 0:33 /systemd-namespace-jXSgbB/private /tmp rw,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel If I look at my mountinfo I see grep /tmp /proc/self/mountinfo 42 22 0:33 / /tmp rw,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel Fixed in systemd git. systemd-37-6.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/systemd-37-6.fc16 Package systemd-37-6.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing systemd-37-6.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-6.fc16 then log in and leave karma (feedback). Package systemd-37-7.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing systemd-37-7.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-7.fc16 then log in and leave karma (feedback). Package systemd-37-8.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing systemd-37-8.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-8.fc16 then log in and leave karma (feedback). Package systemd-37-10.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing systemd-37-10.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-10.fc16 then log in and leave karma (feedback). Package systemd-37-11.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing systemd-37-11.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-11.fc16 then log in and leave karma (feedback). systemd-37-11.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |