ryantimwilson / rpms / systemd

Forked from rpms/systemd 3 months ago
Clone
4cad4c
From d9ae3222cfbd5d2a48e6dbade6617085cc76f1c1 Mon Sep 17 00:00:00 2001
4cad4c
From: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
4cad4c
Date: Tue, 25 Feb 2020 13:35:50 -0500
4cad4c
Subject: [PATCH] resolved: Recover missing PrivateTmp=yes and
4cad4c
 ProtectSystem=strict
4cad4c
4cad4c
Since the commit b61e8046ebcb28225423fc0073183d68d4c577c4,
4cad4c
systemd-resolved.service often fails to start with the following message:
4cad4c
4cad4c
    Failed at step NAMESPACE spawning /usr/bin/mount: Read-only file system
4cad4c
4cad4c
This is because dropping DynamicUser=yes dropped implicit PrivateTmp=yes and
4cad4c
also implicit After=systemd-tmpfiles-setup.service, and thus
4cad4c
systemd-resolved.service can start before systemd-remount-fs.service. As a
4cad4c
result, mount operations associated with PrivateDevices= can be performed to
4cad4c
still read-only filesystems.
4cad4c
4cad4c
To fix this issue, it's better to recover PrivateTmp=yes and
4cad4c
ProtectSystem=strict just as the upstream commit
4cad4c
62fb7e80fcc45a1530ed58a84980be8cfafa9b3e (Revert "resolve: enable DynamicUser=
4cad4c
for systemd-resolved.service").
4cad4c
4cad4c
Resolves: #1810869
4cad4c
---
4cad4c
 units/systemd-resolved.service.in | 2 ++
4cad4c
 1 file changed, 2 insertions(+)
4cad4c
4cad4c
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
4cad4c
index 6c2ad5ca86..aad1a53a5f 100644
4cad4c
--- a/units/systemd-resolved.service.in
4cad4c
+++ b/units/systemd-resolved.service.in
4cad4c
@@ -28,7 +28,9 @@ WatchdogSec=3min
4cad4c
 User=systemd-resolve
4cad4c
 CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
4cad4c
 AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
4cad4c
+PrivateTmp=yes
4cad4c
 PrivateDevices=yes
4cad4c
+ProtectSystems=strict
4cad4c
 ProtectHome=yes
4cad4c
 ProtectControlGroups=yes
4cad4c
 ProtectKernelTunables=yes