* [PATCH v3] systemd: re-enable mount propagation for udevd
@ 2018-02-22 14:15 Hongzhi.Song
  2018-02-22 14:25 ` Burton, Ross
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Hongzhi.Song @ 2018-02-22 14:15 UTC (permalink / raw)
  To: openembedded-core

The default value of MountFlags is shared in systemd-udevd.service. But upstream
sets MountFlags to slave just to keep mounts done by udev private to
udevd, which makes block devices mounted by udev invisible to, but busy for, the
host. So we revert it to shared so that they are propagated to the host.

Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
---
 ...evd-re-enable-mount-propagation-for-udevd.patch | 33 ++++++++++++++++++++++
 meta/recipes-core/systemd/systemd_234.bb           |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch

diff --git a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
new file mode 100644
index 0000000000..fce7bdd796
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
@@ -0,0 +1,33 @@
+From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00 2001
+From: "Hongzhi.Song" <hongzhi.song@windriver.com>
+Date: Mon, 19 Feb 2018 20:43:02 -0500
+Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Change the mount propagation flag from MountFlags=slave to MountFlags=shared
+(default). Use shared to ensure that mounts and unmounts are propagated from 
+systemd's namespace to the service's namespace and vice versa, while use slave 
+to run processes so that none of their mounts and unmounts will propagate to 
+the host.
+
+Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
+---
+ units/systemd-udevd.service.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
+index fc037b5..841d7a8 100644
+--- a/units/systemd-udevd.service.in
++++ b/units/systemd-udevd.service.in
+@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
+ KillMode=mixed
+ WatchdogSec=3min
+ TasksMax=infinity
+-MountFlags=slave
+ MemoryDenyWriteExecute=yes
+ RestrictRealtime=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+-- 
+2.8.1
+
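Review bot: The embedded commit message ("Change the mount propagation flag from MountFlags=slave to MountFlags=shared (default) ...") says what slave and shared do but not why udevd has to mount into the host namespace; name the udev rule or tool that mounts block devices from udevd's context, because the line being removed sits in the same hardening block as MemoryDenyWriteExecute=yes, RestrictRealtime=yes and RestrictAddressFamilies=, and dropping it lets any mount made by a udev RUN program, or by a compromised udevd, land in the host mount table. Note also that the hunk only deletes the line, so the unit falls back to systemd's default rather than to an explicit setting; if the intent is shared, write MountFlags=shared so the behaviour does not change silently if that default does. Finally, "Upstream-Status: Inappropriate [embedded specific]" should say what makes this embedded-specific rather than a distro policy choice.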
diff --git a/meta/recipes-core/systemd/systemd_234.bb b/meta/recipes-core/systemd/systemd_234.bb
index babc351cc8..42f4f1ec76 100644
--- a/meta/recipes-core/systemd/systemd_234.bb
+++ b/meta/recipes-core/systemd/systemd_234.bb
@@ -32,6 +32,7 @@ SRC_URI += " \
            file://0001-main-skip-many-initialization-steps-when-running-in-.patch \
            file://CVE-2017-18078.patch \
            file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch \
+	   file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch \
            "
 SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
 
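Review bot: The added SRC_URI line is indented with a tab while the neighbouring file:// entries use spaces; match them. Since this patch reverts a deliberate upstream hardening of systemd-udevd.service, it is also worth stating in the recipe change why it belongs in the core recipe rather than in a distro-level bbappend, as was asked later in this thread.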
-- 
2.13.3




* Re: [PATCH v3] systemd: re-enable mount propagation for udevd
  2018-02-22 14:15 [PATCH v3] systemd: re-enable mount propagation for udevd Hongzhi.Song
@ 2018-02-22 14:25 ` Burton, Ross
  2018-02-23  4:52   ` Hongzhi, Song
  2018-02-22 14:32 ` ✗ patchtest: failure for systemd: re-enable mount propagation for udevd (rev6) Patchwork
  2018-02-23  0:50 ` [PATCH v3] systemd: re-enable mount propagation for udevd Otavio Salvador
  2 siblings, 1 reply; 7+ messages in thread
From: Burton, Ross @ 2018-02-22 14:25 UTC (permalink / raw)
  To: Hongzhi.Song; +Cc: OE-core


We used to have this but it was removed in the 232 upgrade:

    * Drop mount propagation patch, it only happens with libseccomp, OE
      doesn't enable it

Is this not the case?  Or are you enabling seccomp?  Maybe this should be a
bbappend in meta-security?

Ross

On 22 February 2018 at 14:15, Hongzhi.Song <hongzhi.song@windriver.com>
wrote:

> The default value of MountFlags is shared in systemd-udevd.service. But upstream
> sets MountFlags to slave just to keep mounts done by udev private to
> udevd, which makes block devices mounted by udev invisible to, but busy for,
> the host. So we revert it to shared so that they are propagated to the host.
>
> Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
> ---
>  ...evd-re-enable-mount-propagation-for-udevd.patch | 33
> ++++++++++++++++++++++
>  meta/recipes-core/systemd/systemd_234.bb           |  1 +
>  2 files changed, 34 insertions(+)
>  create mode 100644 meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch b/meta/recipes-core/systemd/
> systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> new file mode 100644
> index 0000000000..fce7bdd796
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/systemd-udevd-re-
> enable-mount-propagation-for-udevd.patch
> @@ -0,0 +1,33 @@
> +From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00 2001
> +From: "Hongzhi.Song" <hongzhi.song@windriver.com>
> +Date: Mon, 19 Feb 2018 20:43:02 -0500
> +Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +Change the mount propagation flag from MountFlags=slave to
> MountFlags=shared
> +(default). Use shared to ensure that mounts and unmounts are propagated
> from
> +systemd's namespace to the service's namespace and vice versa, while use
> slave
> +to run processes so that none of their mounts and unmounts will propagate
> to
> +the host.
> +
> +Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
> +---
> + units/systemd-udevd.service.in | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/units/systemd-udevd.service.in b/units/
> systemd-udevd.service.in
> +index fc037b5..841d7a8 100644
> +--- a/units/systemd-udevd.service.in
> ++++ b/units/systemd-udevd.service.in
> +@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
> + KillMode=mixed
> + WatchdogSec=3min
> + TasksMax=infinity
> +-MountFlags=slave
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> +--
> +2.8.1
> +
> diff --git a/meta/recipes-core/systemd/systemd_234.bb
> b/meta/recipes-core/systemd/systemd_234.bb
> index babc351cc8..42f4f1ec76 100644
> --- a/meta/recipes-core/systemd/systemd_234.bb
> +++ b/meta/recipes-core/systemd/systemd_234.bb
> @@ -32,6 +32,7 @@ SRC_URI += " \
>             file://0001-main-skip-many-initialization-steps-when-running-in-.patch
> \
>             file://CVE-2017-18078.patch \
>             file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch
> \
> +          file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch
> \
>             "
>  SRC_URI_append_qemuall = " file://0001-core-device.c-
> Change-the-default-device-timeout-to-2.patch"
>
> --
> 2.13.3
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>



* ✗ patchtest: failure for systemd: re-enable mount propagation for udevd (rev6)
  2018-02-22 14:15 [PATCH v3] systemd: re-enable mount propagation for udevd Hongzhi.Song
  2018-02-22 14:25 ` Burton, Ross
@ 2018-02-22 14:32 ` Patchwork
  2018-02-23  0:50 ` [PATCH v3] systemd: re-enable mount propagation for udevd Otavio Salvador
  2 siblings, 0 replies; 7+ messages in thread
From: Patchwork @ 2018-02-22 14:32 UTC (permalink / raw)
  To: Alejandro Hernandez; +Cc: openembedded-core

== Series Details ==

Series: systemd: re-enable mount propagation for udevd (rev6)
Revision: 6
URL   : https://patchwork.openembedded.org/series/1447/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at 709b60a5e3)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [PATCH v3] systemd: re-enable mount propagation for udevd
  2018-02-22 14:15 [PATCH v3] systemd: re-enable mount propagation for udevd Hongzhi.Song
  2018-02-22 14:25 ` Burton, Ross
  2018-02-22 14:32 ` ✗ patchtest: failure for systemd: re-enable mount propagation for udevd (rev6) Patchwork
@ 2018-02-23  0:50 ` Otavio Salvador
  2018-02-23  1:23   ` Hongzhi, Song
  2 siblings, 1 reply; 7+ messages in thread
From: Otavio Salvador @ 2018-02-23  0:50 UTC (permalink / raw)
  To: Hongzhi.Song; +Cc: Patches and discussions about the oe-core layer

On Thu, Feb 22, 2018 at 11:15 AM, Hongzhi.Song
<hongzhi.song@windriver.com> wrote:
> The default value of MountFlags is shared in systemd-udevd.service. But upstream
> sets MountFlags to slave just to keep mounts done by udev private to
> udevd, which makes block devices mounted by udev invisible to, but busy for, the
> host. So we revert it to shared so that they are propagated to the host.
>
> Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>

This is what the mountflag does. This does not explain WHY you need this change.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750



* Re: [PATCH v3] systemd: re-enable mount propagation for udevd
  2018-02-23  0:50 ` [PATCH v3] systemd: re-enable mount propagation for udevd Otavio Salvador
@ 2018-02-23  1:23   ` Hongzhi, Song
  2018-02-23 10:18     ` Vincent Prince
  0 siblings, 1 reply; 7+ messages in thread
From: Hongzhi, Song @ 2018-02-23  1:23 UTC (permalink / raw)
  To: Otavio Salvador; +Cc: Patches and discussions about the oe-core layer

If MountFlags=slave, systemd-udevd mounts all block devices, such as
'/dev/sda1' and '/dev/mmcblk*', in its own unit namespace. So other namespaces,
such as the 'root user', have no access to the block devices mentioned above.


On 2018年02月23日 08:50, Otavio Salvador wrote:
> On Thu, Feb 22, 2018 at 11:15 AM, Hongzhi.Song
> <hongzhi.song@windriver.com> wrote:
>> The default value of MountFlags is shared in systemd-udevd.service. But upstream
>> sets MountFlags to slave just to keep mounts done by udev private to
>> udevd, which makes block devices mounted by udev invisible to, but busy for, the
>> host. So we revert it to shared so that they are propagated to the host.
>>
>> Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
> This is what the mountflag does. This does not explain WHY you need this change.
>




* Re: [PATCH v3] systemd: re-enable mount propagation for udevd
  2018-02-22 14:25 ` Burton, Ross
@ 2018-02-23  4:52   ` Hongzhi, Song
  0 siblings, 0 replies; 7+ messages in thread
From: Hongzhi, Song @ 2018-02-23  4:52 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core


What do you mean by "it only happens with libseccomp"? I have tried to
enable or disable seccomp via CONFIG_SECCOMP, but the results were the same
unless I set MountFlags=shared.

Without the propagation patch, all block devices, such as '/dev/sda*',
mounted by systemd-udev are inaccessible to the outside namespace, which
means the root user can't use '/dev/sda*'. Do you have any suggestions for
me?

Thanks.



On 2018年02月22日 22:25, Burton, Ross wrote:
> We used to have this but it was removed in the 232 upgrade:
>
>     * Drop mount propagation patch, it only happens with libseccomp,
>       OE doesn't enable it
>
> Is this not the case?  Or are you enabling seccomp?  Maybe this should 
> be a bbappend in meta-security?
>
> Ross
>
> On 22 February 2018 at 14:15, Hongzhi.Song <hongzhi.song@windriver.com 
> <mailto:hongzhi.song@windriver.com>> wrote:
>
>     The default value of MountFlags is shared in systemd-udevd.service. But
>     upstream sets MountFlags to slave just to keep mounts done by udev
>     private to udevd, which makes block devices mounted by udev invisible
>     to, but busy for, the host. So we revert it to shared so that they are
>     propagated to the host.
>
>     Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com
>     <mailto:hongzhi.song@windriver.com>>
>     ---
>      ...evd-re-enable-mount-propagation-for-udevd.patch | 33
>     ++++++++++++++++++++++
>      meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
>              |  1 +
>      2 files changed, 34 insertions(+)
>      create mode 100644
>     meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>
>     diff --git
>     a/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>     b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>     new file mode 100644
>     index 0000000000..fce7bdd796
>     --- /dev/null
>     +++
>     b/meta/recipes-core/systemd/systemd/systemd-udevd-re-enable-mount-propagation-for-udevd.patch
>     @@ -0,0 +1,33 @@
>     +From 11a3312d36109f5e5a7697ddb05c533c51e2cd75 Mon Sep 17 00:00:00
>     2001
>     +From: "Hongzhi.Song" <hongzhi.song@windriver.com
>     <mailto:hongzhi.song@windriver.com>>
>     +Date: Mon, 19 Feb 2018 20:43:02 -0500
>     +Subject: [PATCH] systemd-udevd: re-enable mount propagation for udevd
>     +
>     +Upstream-Status: Inappropriate [embedded specific]
>     +
>     +Change the mount propagation flag from MountFlags=slave to
>     MountFlags=shared
>     +(default). Use shared to ensure that mounts and unmounts are
>     propagated from
>     +systemd's namespace to the service's namespace and vice versa,
>     while use slave
>     +to run processes so that none of their mounts and unmounts will
>     propagate to
>     +the host.
>     +
>     +Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com
>     <mailto:hongzhi.song@windriver.com>>
>     +---
>     + units/systemd-udevd.service.in <http://systemd-udevd.service.in>
>     | 1 -
>     + 1 file changed, 1 deletion(-)
>     +
>     +diff --git a/units/systemd-udevd.service.in
>     <http://systemd-udevd.service.in> b/units/systemd-udevd.service.in
>     <http://systemd-udevd.service.in>
>     +index fc037b5..841d7a8 100644
>     +--- a/units/systemd-udevd.service.in
>     <http://systemd-udevd.service.in>
>     ++++ b/units/systemd-udevd.service.in
>     <http://systemd-udevd.service.in>
>     +@@ -24,7 +24,6 @@ ExecStart=@rootlibexecdir@/systemd-udevd
>     + KillMode=mixed
>     + WatchdogSec=3min
>     + TasksMax=infinity
>     +-MountFlags=slave
>     + MemoryDenyWriteExecute=yes
>     + RestrictRealtime=yes
>     + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
>     +--
>     +2.8.1
>     +
>     diff --git a/meta/recipes-core/systemd/systemd_234.bb
>     <http://systemd_234.bb> b/meta/recipes-core/systemd/systemd_234.bb
>     <http://systemd_234.bb>
>     index babc351cc8..42f4f1ec76 100644
>     --- a/meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
>     +++ b/meta/recipes-core/systemd/systemd_234.bb <http://systemd_234.bb>
>     @@ -32,6 +32,7 @@ SRC_URI += " \
>                
>     file://0001-main-skip-many-initialization-steps-when-running-in-.patch
>     \
>                 file://CVE-2017-18078.patch \
>                
>     file://0001-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch \
>     +         
>     file://systemd-udevd-re-enable-mount-propagation-for-udevd.patch \
>                 "
>      SRC_URI_append_qemuall = "
>     file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
>
>     --
>     2.13.3
>
>     --
>     _______________________________________________
>     Openembedded-core mailing list
>     Openembedded-core@lists.openembedded.org
>     <mailto:Openembedded-core@lists.openembedded.org>
>     http://lists.openembedded.org/mailman/listinfo/openembedded-core
>     <http://lists.openembedded.org/mailman/listinfo/openembedded-core>
>
>



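A way to check what the two messages above describe (mounts made by udevd that the root user on the host cannot see), as an added example that is not part of this thread and not code from systemd or OpenEmbedded: it parses /proc/<pid>/mountinfo for PID 1 and for systemd-udevd and reports the propagation type of the service's root mount (shared:N, master:N, unbindable or none, per proc(5)) together with the mount points that exist in one namespace but not the other. The mountinfo snapshots embedded below are constructed for the demonstration; the device names, mount IDs and peer-group numbers in them are assumptions, as is the script name used in the usage comment.

```python
"""Compare the mount table seen by PID 1 with the one seen by a service.

Added example (not from the thread, systemd or OE). Reads /proc/<pid>/mountinfo
and classifies each mount's propagation from its optional fields.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    mount_point: str
    fstype: str
    source: str
    shared: Optional[int]  # peer group this mount propagates to and from
    master: Optional[int]  # peer group this mount only receives from (slave)
    unbindable: bool


def _unescape(path: str) -> str:
    # mountinfo escapes space and tab in paths as \040 and \011
    return path.replace("\\040", " ").replace("\\011", "\t")


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse the contents of a /proc/<pid>/mountinfo file."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # before " - ": id parent major:minor root mountpoint opts [optional...]
        # after  " - ": fstype source superopts
        left, sep, right = line.partition(" - ")
        if not sep:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        lf, rf = left.split(), right.split()
        shared = master = None
        unbindable = False
        for tag in lf[6:]:
            key, _, value = tag.partition(":")
            if key == "shared":
                shared = int(value)
            elif key == "master":
                master = int(value)
            elif key == "unbindable":
                unbindable = True
        mounts.append(Mount(int(lf[0]), int(lf[1]), _unescape(lf[4]),
                            rf[0], _unescape(rf[1]), shared, master, unbindable))
    return mounts


def propagation(m: Mount) -> str:
    """Name the propagation type of one mount (as findmnt -o PROPAGATION does)."""
    if m.unbindable:
        return "unbindable"
    if m.shared is not None:
        # a mount can be shared with its peers and a slave of another group
        return "shared,slave" if m.master is not None else "shared"
    return "slave" if m.master is not None else "private"


def namespace_report(host_text: str, service_text: str) -> Dict[str, object]:
    """Summarise how a service's mount namespace relates to PID 1's."""
    host, service = parse_mountinfo(host_text), parse_mountinfo(service_text)
    host_points = {m.mount_point for m in host}
    service_points = {m.mount_point for m in service}
    root = next((m for m in service if m.mount_point == "/"), None)
    # Mount IDs are kernel-global: identical (id, mountpoint) sets mean both
    # processes are looking at the very same mount namespace.
    same_ns = ({(m.mount_id, m.mount_point) for m in host}
               == {(m.mount_id, m.mount_point) for m in service})
    return {
        "same_namespace": same_ns,
        "service_root_propagation": propagation(root) if root else "unknown",
        "only_in_service": sorted(service_points - host_points),
        "only_in_host": sorted(host_points - service_points),
    }


# Constructed snapshots (device names, mount IDs and peer groups are made up).
# PID 1's view before udev touches anything:
HOST_MOUNTINFO = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered
22 21 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,size=1024k,mode=755
23 21 0:19 / /run rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,mode=755
"""
# udevd under MountFlags=slave: slave copies (master:N) of the host mounts plus a
# USB stick that a udev RUN program mounted inside this namespace only.
UDEVD_SLAVE_MOUNTINFO = """\
140 139 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw,data=ordered
141 140 0:5 / /dev rw,nosuid master:2 - devtmpfs devtmpfs rw,size=1024k,mode=755
142 140 0:19 / /run rw,nosuid,nodev master:3 - tmpfs tmpfs rw,mode=755
143 140 8:17 / /media/usb0 rw,relatime - vfat /dev/sdb1 rw,fmask=0022
"""
# udevd in the host's namespace: PID 1 and udevd read the same table.
HOST_WITH_USB_MOUNTINFO = HOST_MOUNTINFO + \
    "24 21 8:17 / /media/usb0 rw,relatime shared:4 - vfat /dev/sdb1 rw,fmask=0022\n"


def main(argv: List[str]) -> int:
    if len(argv) == 2:  # on a target: python3 check_udevd_mounts.py $(pidof systemd-udevd)
        with open("/proc/1/mountinfo") as f:
            host = f.read()
        with open(f"/proc/{argv[1]}/mountinfo") as f:
            service = f.read()
    else:  # no pid given: run on the constructed snapshots
        host, service = HOST_MOUNTINFO, UDEVD_SLAVE_MOUNTINFO
    for key, value in namespace_report(host, service).items():
        print(f"{key}: {value}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a real target the script must run as root to read another process's mountinfo. A service root reported as "slave" with entries under only_in_service is exactly the situation the thread describes: the mount exists, the device is busy, and nothing outside udevd's namespace can reach it. same_namespace being true means the unit is not sandboxed into its own mount namespace at all.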

* Re: [PATCH v3] systemd: re-enable mount propagation for udevd
  2018-02-23  1:23   ` Hongzhi, Song
@ 2018-02-23 10:18     ` Vincent Prince
  0 siblings, 0 replies; 7+ messages in thread
From: Vincent Prince @ 2018-02-23 10:18 UTC (permalink / raw)
  To: Hongzhi, Song
  Cc: Otavio Salvador, Patches and discussions about the oe-core layer


Hi all,

I have MountFlags=slave defined, and I use the following recipe to
automount USB sticks without rights issues:
https://github.com/nefethael/meta-random/blob/master/recipes-support/usbmount/usbmount_git.bb
I think we should keep this setting as it is.

What is the problematic use case?

Best regards,
Vincent

2018-02-23 2:23 GMT+01:00 Hongzhi, Song <hongzhi.song@windriver.com>:

> If MountFlags=slave, systemd-udevd mounts all block devices, such as
> '/dev/sda1' and '/dev/mmcblk*', in its own unit namespace. So other namespaces,
> such as the 'root user', have no access to the block devices mentioned above.
>
>
> On 2018年02月23日 08:50, Otavio Salvador wrote:
>
>> On Thu, Feb 22, 2018 at 11:15 AM, Hongzhi.Song
>> <hongzhi.song@windriver.com> wrote:
>>
>>> The default value of MountFlags is shared in systemd-udevd.service. But
>>> upstream sets MountFlags to slave just to keep mounts done by udev private
>>> to udevd, which makes block devices mounted by udev invisible to, but
>>> busy for, the host. So we revert it to shared so that they are propagated
>>> to the host.
>>>
>>> Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
>>>
>> This is what the mountflag does. This does not explain WHY you need this
>> change.
>>
>>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>


