From ea63a260d43c27a6b5b5ae471a8d4617bb7be447 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Wed, 9 Mar 2022 02:07:34 +0000 Subject: core: support MountAPIVFS and RootDirectory in user manager The only piece missing was to somehow make /proc appear in the new user+mount namespace. It is not possible to mount a new /proc instance, not even with hidepid=invisible,subset=pid, in a user namespace unless a PID namespace is created too (and also at the same time as the other namespaces, it is not possible to mount a new /proc in a child process that creates a PID namespace forked from a parent that created a user+mount namespace, it has to happen at the same time). Use the host's /proc with a bind-mount as a fallback for this case. User session services would already run with it, so nothing is lost. --- man/systemd.exec.xml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) (limited to 'man/systemd.exec.xml') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 38220958b4..3b57f8d2f1 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -143,9 +143,7 @@ Mounting logging sockets into root environment BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout - - - + @@ -276,9 +274,7 @@ In order to allow propagating mounts at runtime in a safe manner, /run/systemd/propagate on the host will be used to set up new mounts, and /run/host/incoming/ in the private namespace - will be used as an intermediate step to store them before being moved to the final mount point. - - + will be used as an intermediate step to store them before being moved to the final mount point. @@ -364,9 +360,7 @@ InaccessiblePaths=, or under /home/ and other protected directories if ProtectHome=yes is specified. TemporaryFileSystem= with :ro or - ProtectHome=tmpfs should be used instead. - - + ProtectHome=tmpfs should be used instead. -- cgit v1.2.1