[PATCH] systemd: re-enable mount propagation for udevd

[PATCH] systemd: re-enable mount propagation for udevd

[Hongzhi.Song]

With MountFlags=slave, those mounts then become private to the systemd-udevd
namespace and are no longer accessible from outside the namespace, which is
not expected.

Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
---
 ...evd-re-enable-mount-propagation-for-udevd.patch | 33 ++++++++++++++++++++++
 meta/recipes-core/systemd/systemd_234.bb           |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch

diff --git a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
new file mode 100644
index 0000000000..fce7bdd796
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
@@ -0,0 +1,33 @@
+From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00 2001
+From: "Hongzhi.Song" <hongzhi.song@windriver.com>
+Date: Mon, 19 Feb 2018 20:43:02 -0500
+Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Change the mount propagation flag from MountFlags=slave to MountFlags=shared
+(default). Use shared to ensure that mounts and unmounts are propagated from 
+systemd's namespace to the service's namespace and vice versa, while use slave 
+to run processes so that none of their mounts and unmounts will propagate to 
+the host.
+
+Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
+---
+ units/systemd-udevd.service.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
+index fc037b5..841d7a8 100644
+--- a/units/systemd-udevd.service.in
++++ b/units/systemd-udevd.service.in
+@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
+ KillMode=mixed
+ WatchdogSec=3min
+ TasksMax=infinity
+-MountFlags=slave
+ MemoryDenyWriteExecute=yes
+ RestrictRealtime=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+-- 
+2.8.1
+
diff --git a/meta/recipes-core/systemd/systemd_234.bb b/meta/recipes-core/systemd/systemd_234.bb
index babc351cc8..42f4f1ec76 100644
--- a/meta/recipes-core/systemd/systemd_234.bb
+++ b/meta/recipes-core/systemd/systemd_234.bb
@@ -32,6 +32,7 @@ SRC_URI += " \
            file://0001-main-skip-many-initialization-steps-when-running-in-.patch \
            file://CVE-2017-18078.patch \
            file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch \
+	   file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch \
            "
 SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
 
-- 
2.13.3

✗ patchtest: failure for systemd: re-enable mount propagation for udevd (rev4)

[Patchwork]

== Series Details ==

Series: systemd: re-enable mount propagation for udevd (rev4)
Revision: 4
URL   : https://patchwork.openembedded.org/series/1447/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at 709b60a5e3)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

[PATCH] systemd: re-enable mount propagation for udevd

[Hongzhi.Song]

With MountFlags=slave, those mounts then become private to the systemd-udevd
namespace and are no longer accessible from outside the namespace, which is
not expected.

Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
---
 ...evd-re-enable-mount-propagation-for-udevd.patch | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch

diff --git a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
new file mode 100644
index 0000000000..5349ecedf7
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
@@ -0,0 +1,33 @@
+From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00 2001
+From: "Hongzhi.Song" <hongzhi.song@windriver.com>
+Date: Mon, 19 Feb 2018 20:43:02 -0500
+Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
+
+Upstream-Status: Pending
+
+Change the mount propagation flag from MountFlags=slave to MountFlags=shared
+(default). Use shared to ensure that mounts and unmounts are propagated from 
+systemd's namespace to the service's namespace and vice versa, while use slave 
+to run processes so that none of their mounts and unmounts will propagate to 
+the host.
+
+Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
+---
+ units/systemd-udevd.service.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
+index fc037b5..841d7a8 100644
+--- a/units/systemd-udevd.service.in
++++ b/units/systemd-udevd.service.in
+@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
+ KillMode=mixed
+ WatchdogSec=3min
+ TasksMax=infinity
+-MountFlags=slave
+ MemoryDenyWriteExecute=yes
+ RestrictRealtime=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+-- 
+2.8.1
+
-- 
2.13.3

Re: [PATCH] systemd: re-enable mount propagation for udevd

[Christopher Larson]

[-- Attachment #1: Type: text/plain, Size: 730 bytes --]

On Tue, May 24, 2016 at 9:37 AM, Christopher Larson <clarson@kergoth.com>
wrote:

> On Mon, May 9, 2016 at 7:09 PM, <rongqing.li@windriver.com> wrote:
>
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> With MountFlags=slave, those mounts then become private to the systemd-
>> udevd
>> namespace and are no longer accessible from outside the namespace, which
>> is
>> not expected
>>
>> Signed-off-by: Roy Li <rongqing.li@windriver.com>
>>
>
> What's the status of this? Mentor is carrying this patch too :)


Nevermind, I see this is on ross/mut.
-- 
Christopher Larson
clarson at kergoth dot com
Founder - BitBake, OpenEmbedded, OpenZaurus
Maintainer - Tslib
Senior Software Engineer, Mentor Graphics

[-- Attachment #2: Type: text/html, Size: 1525 bytes --]

Re: [PATCH] systemd: re-enable mount propagation for udevd

[Christopher Larson]

[-- Attachment #1: Type: text/plain, Size: 582 bytes --]

On Mon, May 9, 2016 at 7:09 PM, <rongqing.li@windriver.com> wrote:

> From: Roy Li <rongqing.li@windriver.com>
>
> With MountFlags=slave, those mounts then become private to the
> systemd-udevd
> namespace and are no longer accessible from outside the namespace, which is
> not expected
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
>

What's the status of this? Mentor is carrying this patch too :)
-- 
Christopher Larson
clarson at kergoth dot com
Founder - BitBake, OpenEmbedded, OpenZaurus
Maintainer - Tslib
Senior Software Engineer, Mentor Graphics

[-- Attachment #2: Type: text/html, Size: 1119 bytes --]

[PATCH] systemd: re-enable mount propagation for udevd

[rongqing.li]

From: Roy Li <rongqing.li@windriver.com>

With MountFlags=slave, those mounts then become private to the systemd-udevd
namespace and are no longer accessible from outside the namespace, which is
not expected

Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...dev-re-enable-mount-propagation-for-udevd.patch | 31 ++++++++++++++++++++++
 meta/recipes-core/systemd/systemd_229.bb           |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/udev-re-enable-mount-propagation-for-udevd.patch

diff --git a/meta/recipes-core/systemd/systemd/udev-re-enable-mount-propagation-for-udevd.patch b/meta/recipes-core/systemd/systemd/udev-re-enable-mount-propagation-for-udevd.patch
new file mode 100644
index 0000000..23e22d4
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/udev-re-enable-mount-propagation-for-udevd.patch
@@ -0,0 +1,31 @@
+From: Michael Biebl <biebl@debian.org>
+Date: Sat, 27 Sep 2014 04:19:24 +0200
+Subject: udev: re-enable mount propagation for udevd
+
+Upstream-Status: Backport [http://http.debian.net/debian/pool/main/s/systemd/systemd_215-17+deb8u4.debian.tar.xz]
+
+laptop-mode-tools remounts file systems from within a udev rule to apply
+certain mount options. With MountFlags=slave, those mounts then become private
+to the systemd-udevd namespace and are no longer accessible from outside the
+namespace.
+While the root cause is the broken behaviour of laptop-mode-tools, with mount
+propagation turned off, this can result in a read-only root file system.
+Therefore revert the relevant parts from commit
+c2c13f2df42e0691aecabe3979ea81cd7faa35c7 to re-enable mount propagation for
+udevd.
+
+Once affected packages have been fixed, this patch should be dropped
+again.
+
+Closes: #762018
+diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
+index e7216d6..1e9a600 100644
+--- a/units/systemd-udevd.service.in
++++ b/units/systemd-udevd.service.in
+@@ -21,6 +21,5 @@ Sockets=systemd-udevd-control.socket systemd-udevd-kernel.socket
+ Restart=always
+ RestartSec=0
+ ExecStart=@rootlibexecdir@/systemd-udevd
+-MountFlags=slave
+ KillMode=mixed
+ WatchdogSec=1min
diff --git a/meta/recipes-core/systemd/systemd_229.bb b/meta/recipes-core/systemd/systemd_229.bb
index c23c749..78692c4 100644
--- a/meta/recipes-core/systemd/systemd_229.bb
+++ b/meta/recipes-core/systemd/systemd_229.bb
@@ -54,6 +54,7 @@ SRC_URI = "git://github.com/systemd/systemd.git;protocol=git \
            file://0021-include-missing.h-for-getting-secure_getenv-definiti.patch \
            file://0022-socket-util-don-t-fail-if-libc-doesn-t-support-IDN.patch \
            file://0023-build-sys-fix-build-with-libgrcypt-disabled.patch \
+           file://udev-re-enable-mount-propagation-for-udevd.patch \
 "
 SRC_URI_append_libc-uclibc = "\
            file://0002-units-Prefer-getty-to-agetty-in-console-setup-system.patch \
-- 
2.8.1