From 0762f129c6a9c7bbdb5d575c486d5cf4f7fdae8d Mon Sep 17 00:00:00 2001

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Date: Tue, 16 Feb 2021 12:17:36 +0000

Subject: [PATCH] proc: dont trigger mount error with invalid options on old

 kernels

As of commit 4e39995371738b04d98d27b0d34ea8fe09ec9fab ("core: introduce

ProtectProc= and ProcSubset= to expose hidepid= and subset= procfs

mount options") kernels older than v5.8 generate multple warnings at

boot, as seen in this Yocto build from today:

     qemux86-64 login: root

     [   65.829009] proc: Bad value for 'hidepid'

     root@qemux86-64:~# dmesg|grep proc:

     [   16.990706] proc: Bad value for 'hidepid'

     [   28.060178] proc: Bad value for 'hidepid'

     [   28.874229] proc: Bad value for 'hidepid'

     [   32.685107] proc: Bad value for 'hidepid'

     [   65.829009] proc: Bad value for 'hidepid'

     root@qemux86-64:~#

We see reports of the issue as in general its hard to someone to tell

the difference between an error in dmesg which they should worry about and

one that is harmless. This adds support burden to developers so Yocto

Project has added this patch.

The commit that triggers this is systemd v247-rc1~378^2~3 -- so any

systemd 247 and above plus kernel v5.7 or older will need this.

As noted in https://github.com/systemd/systemd/issues/16896

it is possible changes could be backported to different kernel versions

so the test isn't 100% foolproof but does give better results than a

continual stream of bug reports.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Changes from Anita Zhang <the.anitazha@gmail.com>

- Use 5.6.13-0_fbk9 version comparison for FB build

---

 src/core/namespace.c | 22 ++++++++++++++++++++--

 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/core/namespace.c b/src/core/namespace.c

index d47531408b..8be8352a8e 100644

--- a/src/core/namespace.c

+++ b/src/core/namespace.c

@@ -4,7 +4,9 @@

 #include <linux/loop.h>

 #include <sched.h>

 #include <stdio.h>

+#include <stdlib.h>

 #include <sys/mount.h>

+#include <sys/utsname.h>

 #include <unistd.h>

 #include <linux/fs.h>

@@ -1018,12 +1020,28 @@ static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {

         _cleanup_free_ char *opts = NULL;

         const char *entry_path;

         int r, n;

+        struct utsname uts;

+        bool old = false;

         assert(m);

         assert(ns_info);

-        if (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||

-            ns_info->proc_subset != PROC_SUBSET_ALL) {

+        /* If uname says that the system is older than v5.6.13-0_fbk9, then the textual hidepid= stuff is not

+         * supported by the kernel, and thus the per-instance hidepid= neither, which means we

+         * really don't want to use it, since it would affect our host's /proc * mount. Hence let's

+         * gracefully fallback to a classic, unrestricted version. */

+

+        r = uname(&uts;;

+        if (r < 0)

+               return -errno;

+

+        if (strverscmp(uts.release, "5.6.13-0_fbk9") < 0) {

+                log_debug("Pre v5.6.13-0_fbk9 kernel detected [v%s] - skipping hidepid=", uts.release);

+                old = true;

+        }

+

+        if (!old && (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||

+            ns_info->proc_subset != PROC_SUBSET_ALL)) {

                 /* Starting with kernel 5.8 procfs' hidepid= logic is truly per-instance (previously it

                  * pretended to be per-instance but actually was per-namespace), hence let's make use of it

-- 

2.30.2