Bug 1010673 - PrivateTmp keeps the whole filesystem as MS_SLAVE
Summary: PrivateTmp keeps the whole filesystem as MS_SLAVE
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-09-22 11:59 UTC by Etsuji Nakai
Modified: 2014-06-20 06:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-19 18:45:47 UTC
Type: Bug
Embargoed:



Description Etsuji Nakai 2013-09-22 11:59:51 UTC
Description of problem:

Under the current F19 kernel, once a filesystem is marked as MS_SLAVE, it cannot be converted to MS_SHARED again. I filed the bz entry 1010669 for that:

https://bugzilla.redhat.com/show_bug.cgi?id=1010669

I'm not yet sure if this is the intended behavior or not. But anyway, because of this, the following code for the PrivateTmp mechanism doesn't work as intended.

src/core/namespace.c
------
    203 int setup_namespace(char** read_write_dirs,
...
    245         /* Remount / as SLAVE so that nothing now mounted in the namespace
    246            shows up in the parent */
    247         if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
    248                 return -errno;
...
    262         /* Remount / as the desired mode */
    263         if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0) {
                                        /* mount_flags = MS_SHARED for default */
    264                 r = -errno;
    265                 goto undo_mounts;
    266         }
------

Although / is remounted as MS_SHARED in line 263, it still behaves as MS_SLAVE. If you bind-mount some directory from the daemon running under PrivateTmp, the bind-mount cannot be seen from other processes.

I checked it with the following simple service.

/etc/systemd/system/test.service
------------------
[Unit]
Description=PrivateTmp option test

[Service]
ExecStart=/root/bin/test.sh
PrivateTmp=true

[Install]
WantedBy=multi-user.target
------------------

/root/bin/test.sh
------------------
#!/bin/sh
mkdir -p /root/bind
mount --bind /tmp /root/bind
sleep 120
umount /root/bind
------------------

If PrivateTmp=false,
------------------
# systemctl start test.service
# ls /root/bind       ## /root/bind is bound to /tmp outside the daemon.
yum_save_tx.2013-09-22.04-53.Cu432Q.yumtx
------------------

If PrivateTmp=true,
------------------
# systemctl start test.service
# ls /root/bind       ## /root/bind is _not_ bound to /tmp outside the daemon.
------------------

Version-Release number of selected component (if applicable):

# rpm -q systemd
systemd-204-15.fc19.x86_64
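
To check the observation above directly, here is an added example (not code from the report or from systemd): it parses the propagation fields of /proc/self/mountinfo and, when run as root inside a fresh mount namespace, replays the MS_SLAVE then MS_SHARED remount from setup_namespace() and prints how / is propagated after each step. The function names are my own; the sample mountinfo lines used for checking are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Classify one /proc/self/mountinfo line by its propagation flags; returns NULL
 * when the line's mount point (field 5) is not `mountpoint`. The optional fields
 * sit between the mount options (field 6) and the "-" separator: "shared:N",
 * "master:N" (slave), "propagate_from:N", "unbindable"; a mount may carry both. */
const char *mountinfo_propagation(const char *line, const char *mountpoint)
{
    char buf[1024];
    int field = 0, shared = 0, master = 0, unbindable = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok(buf, " \n"); tok; tok = strtok(NULL, " \n")) {
        if (++field == 5 && strcmp(tok, mountpoint) != 0) return NULL;
        if (field <= 6) continue;          /* id parent maj:min root mountpoint opts */
        if (strcmp(tok, "-") == 0) break;  /* end of the optional fields */
        if (strncmp(tok, "shared:", 7) == 0) shared = 1;
        else if (strncmp(tok, "master:", 7) == 0) master = 1;
        else if (strcmp(tok, "unbindable") == 0) unbindable = 1;
    }
    if (unbindable) return "unbindable";
    if (shared && master) return "slave+shared";
    if (shared) return "shared";
    if (master) return "slave";
    return "private";
}
/* Propagation of `mountpoint` in the caller's mount namespace, read live. */
const char *live_propagation(const char *mountpoint)
{
    char line[1024];
    const char *result = NULL;
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) return "unreadable";
    while (!result && fgets(line, sizeof line, f))
        result = mountinfo_propagation(line, mountpoint);
    fclose(f);
    return result ? result : "not mounted";
}
/* Run as root in a fresh mount namespace (e.g. `unshare -m ./a.out`): replays the
 * two mount() calls from setup_namespace() without touching the host namespace. */
int main(void)
{
    printf("fresh namespace: %s\n", live_propagation("/"));
    if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { perror("MS_SLAVE"); return 1; }
    printf("after MS_SLAVE:  %s\n", live_propagation("/"));
    if (mount(NULL, "/", NULL, MS_SHARED | MS_REC, NULL) < 0) { perror("MS_SHARED"); return 1; }
    printf("after MS_SHARED: %s\n", live_propagation("/"));
    return 0;
}
```

A mount that shows both shared: and master: is slave-and-shared: it propagates to its own peers inside the namespace, but as a slave of the host's peer group nothing mounted under it reaches the host.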

Comment 2 Trevor Cordes 2014-01-20 13:40:32 UTC
Would this also cause a service (say httpd) that was started with PrivateTmp=true to keep using a private tmp even when changed to PrivateTmp=false and daemon-reload and httpd stop / start? I'm seeing such behavior and can't explain it. Thanks.

Comment 4 Lennart Poettering 2014-06-18 09:36:41 UTC
If you use PrivateTmp= then mount propagation from the service to the host is disabled. Sandboxes set up like that must have MS_SLAVE, and the host must have MS_SHARED for PrivateTmp= to work (PrivateDevices= and the others, the same).

Comment 5 Lennart Poettering 2014-06-19 18:45:47 UTC
I don't think there's anything to fix here. Closing. Feel free to reopen if there's actually something to fix.

