mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

man: specify that ProtectProc= does not work with root/cap_sys_ptrace

When using hidepid=invisible on procfs, the kernel will check if the
gid of the process trying to access /proc is the same as the gid of
the process that mounted the /proc instance, or if it has the ptrace
capability:

https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723
https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155

Given we set up the /proc instance as root for system services,
the same restriction applies to CAP_SYS_PTRACE: if a process runs with
it, then hidepid=invisible has no effect.

ProtectProc effectively can only be used with User= or DynamicUser=yes,
without CAP_SYS_PTRACE.
Update the documentation to explicitly state these limitations.

Fixes #18997
Luca Boccassi 2021-03-14 12:36:15 +00:00 committed by Luca Boccassi
parent b63dae3168
commit 301e7cd047
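The limitation this commit documents, shown as an added configuration example (not part of the systemd commit or its man page): a hypothetical `example-daemon.service` in which `ProtectProc=invisible` is silently ineffective because the unit runs as root (the default) and keeps `CAP_SYS_PTRACE`, beside the corrected form that runs under a dynamic user and drops the capability explicitly. The binary path and unit name are placeholders.

```ini
# --- example-daemon.service, weak form (added example, hypothetical unit) ---
# No User=/DynamicUser=, so the service runs as root. The private /proc is
# mounted as root, so hidepid=invisible never hides anything from it, and
# root keeps CAP_SYS_PTRACE, which bypasses hidepid as well.
[Unit]
Description=Example daemon (ProtectProc= has no effect here)

[Service]
ExecStart=/usr/bin/example-daemon
ProtectProc=invisible

# --- example-daemon.service, corrected form (added example, hypothetical unit) ---
# DynamicUser=yes gives the service its own transient uid/gid, so it is
# neither root nor in the root group. CapabilityBoundingSet=~CAP_SYS_PTRACE
# removes the remaining bypass even if capabilities were granted later via
# AmbientCapabilities=.
[Unit]
Description=Example daemon (ProtectProc= effective)

[Service]
ExecStart=/usr/bin/example-daemon
DynamicUser=yes
ProtectProc=invisible
CapabilityBoundingSet=~CAP_SYS_PTRACE
```

To check the effect without writing a unit file, a transient service with the same properties can list its view of `/proc`: `systemd-run --wait --pipe -p DynamicUser=yes -p ProtectProc=invisible ls /proc` should show only the service's own pid directory, while the same command without `-p DynamicUser=yes` (running as root) lists every process on the host.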


@ -285,8 +285,11 @@
Filesystem</ulink>. It is generally recommended to run most system services with this option set to
<literal>invisible</literal>. This option is implemented via file system namespacing, and thus cannot
be used with services that shall be able to install mount points in the host file system
hierarchy. It also cannot be used for services that need to access metainformation about other users'
processes. This option implies <varname>MountAPIVFS=</varname>.</para>
hierarchy. Note that the root user is unaffected by this option, so to be effective it has to be used
together with <varname>User=</varname> or <varname>DynamicUser=yes</varname>, and also without the
<literal>CAP_SYS_PTRACE</literal> capability, which also allows a process to bypass this feature. It
cannot be used for services that need to access metainformation about other users' processes. This
option implies <varname>MountAPIVFS=</varname>.</para>
<para>If the kernel doesn't support per-mount point <option>hidepid=</option> mount options this
setting remains without effect, and the unit's processes will be able to access and see other process
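Review bot: the new sentence starting "Note that the root user is unaffected by this option" is narrower than the mechanism the commit message describes: the kernel check is on the process gid matching the gid of the /proc mounter, not on the uid, so a unit with a non-root User= whose primary or supplementary group is root would also be unaffected. Suggest "processes running as root or with the root group are unaffected" so that readers do not assume a non-root uid alone is sufficient. It would also help to point at CapabilityBoundingSet= as the way to satisfy the "without the CAP_SYS_PTRACE capability" requirement, since the paragraph otherwise leaves it to the reader to find the right setting.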