mirror of
https://github.com/systemd/systemd.git
synced 2024-11-24 02:33:36 +08:00
man: specify that ProtectProc= does not work with root/cap_sys_ptrace
When using hidepid=invisible on procfs, the kernel will check if the gid of the process trying to access /proc is the same as the gid of the process that mounted the /proc instance, or if it has the ptrace capability: https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723 https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155 Given we set up the /proc instance as root for system services, The same restriction applies to CAP_SYS_PTRACE, if a process runs with it then hidepid=invisible has no effect. ProtectProc effectively can only be used with User= or DynamicUser=yes, without CAP_SYS_PTRACE. Update the documentation to explicitly state these limitations. Fixes #18997
This commit is contained in:
parent
b63dae3168
commit
301e7cd047
@ -285,8 +285,11 @@
|
||||
Filesystem</ulink>. It is generally recommended to run most system services with this option set to
|
||||
<literal>invisible</literal>. This option is implemented via file system namespacing, and thus cannot
|
||||
be used with services that shall be able to install mount points in the host file system
|
||||
hierarchy. It also cannot be used for services that need to access metainformation about other users'
|
||||
processes. This option implies <varname>MountAPIVFS=</varname>.</para>
|
||||
hierarchy. Note that the root user is unaffected by this option, so to be effective it has to be used
|
||||
together with <varname>User=</varname> or <varname>DynamicUser=yes</varname>, and also without the
|
||||
<literal>CAP_SYS_PTRACE</literal> capability, which also allows a process to bypass this feature. It
|
||||
cannot be used for services that need to access metainformation about other users' processes. This
|
||||
option implies <varname>MountAPIVFS=</varname>.</para>
|
||||
|
||||
<para>If the kernel doesn't support per-mount point <option>hidepid=</option> mount options this
|
||||
setting remains without effect, and the unit's processes will be able to access and see other process
|
||||
|
Loading…
Reference in New Issue
Block a user