
Commit fa229d0

units: conditionalize configfs and debugfs with CAP_SYS_RAWIO
We really don't want these in containers as they provide a too low-level look on the system. Conditionalize them with CAP_SYS_RAWIO since that's required to access /proc/kcore, /dev/kmem and similar, which feel similar in style. Also, nspawn containers lack that capability.
1 parent e0c7469 commit fa229d0

File tree

2 files changed

+2
-0
lines changed

units/sys-kernel-config.mount

Lines changed: 1 addition & 0 deletions
@@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/configfs/conf
1111
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
1212
DefaultDependencies=no
1313
ConditionPathExists=/sys/kernel/config
14+
ConditionCapability=CAP_SYS_RAWIO
1415
After=systemd-modules-load.service
1516
Before=sysinit.target
1617
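Review bot: the new ConditionCapability=CAP_SYS_RAWIO line carries no explanation in the unit itself, so a reader of units/sys-kernel-config.mount cannot tell why a raw-I/O capability gates a configfs mount; the rationale lives only in the commit message. A one-line comment above it (e.g. "# configfs exposes low-level kernel state; skip where the manager lacks CAP_SYS_RAWIO, as in nspawn containers") would preserve that intent. Note also that ConditionCapability= is evaluated against the service manager's capability bounding set, and an unmet condition causes the unit to be skipped rather than failed, which is the desired behaviour for containers here.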

units/sys-kernel-debug.mount

Lines changed: 1 addition & 0 deletions
@@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/debugfs.txt
1111
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
1212
DefaultDependencies=no
1313
ConditionPathExists=/sys/kernel/debug
14+
ConditionCapability=CAP_SYS_RAWIO
1415
Before=sysinit.target
1516

1617
[Mount]
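Review bot: same point as for sys-kernel-config.mount: ConditionCapability=CAP_SYS_RAWIO is added without an in-file comment, so please document the intent next to it rather than only in the commit message. Since the check consults the manager's capability bounding set, the debugfs mount is skipped in containers that drop CAP_SYS_RAWIO from the bounding set (the nspawn case the commit describes); a container that keeps it in the bounding set will still attempt the mount, which is worth stating in the comment so nobody reads this as a hard guarantee that debugfs never appears in a container.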
