From c6e9ff6b84ae3f77f827f67410911f2b33ad57a8 Mon Sep 17 00:00:00 2001
From: Arvin Schnell
Date: Tue, 11 May 2021 10:02:08 +0200
Subject: [PATCH 1/2] - fixed systemd sandboxing (gh#openSUSE/snapper#651)
---
 data/boot.service | 3 ---
 data/cleanup.service | 3 ---
 data/snapperd.service | 3 ---
 data/systemd-sandboxing.txt | 7 ++++++-
 data/timeline.service | 3 ---
 package/snapper.changes | 5 +++++
 6 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/data/boot.service b/data/boot.service
index ef8b8a38..cce5c467 100644
--- a/data/boot.service
+++ b/data/boot.service
@@ -10,9 +10,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/cleanup.service b/data/cleanup.service
index b4f5f240..2baab5c0 100644
--- a/data/cleanup.service
+++ b/data/cleanup.service
@@ -13,9 +13,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/snapperd.service b/data/snapperd.service
index 206ed312..48f75dd5 100644
--- a/data/snapperd.service
+++ b/data/snapperd.service
@@ -11,9 +11,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
index ef0893bd..8a90dc3d 100644
--- a/data/systemd-sandboxing.txt
+++ b/data/systemd-sandboxing.txt
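Review bot: Dropping ProtectControlGroups, ProtectKernelLogs and ProtectKernelTunables from boot.service (and identically from cleanup.service, snapperd.service and timeline.service) relaxes the sandbox for every installation, while the justification recorded in systemd-sandboxing.txt is that they break diff for LVM only. Nothing in the unit files says why the three directives are absent, so a later hardening pass is likely to re-add them and reintroduce the breakage; a comment next to `ProtectHostname=true`, for example `# ProtectControlGroups/ProtectKernelLogs/ProtectKernelTunables are deliberately unset: they break diff for LVM (see systemd-sandboxing.txt)`, would keep that visible. If the LVM breakage can be narrowed down, keeping the directives in the shipped units and relaxing them through a drop-in only where LVM is in use would preserve the hardening for non-LVM setups. The [Service] section these lines belong to continues outside the hunk.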
@@ -14,10 +14,15 @@ ProtectKernelModules=true breaks LVM.
 CapabilityBoundingSet=CAP_SYS_NICE is also needed by LVM.
-ProtectHome=true breaks diff for LVM.
+ProtectHome=true, ProtectControlGroups=true, ProtectKernelLogs=true
+and ProtectKernelTunables=true breaks diff for LVM.
 SystemCallFilter=@mount breaks almost everything with older systemd, e.g. on SLE15 SP1.
 CapabilityBoundingSet=CAP_FOWNER is needed if for home directories.
+Finally do not forget the hooks.
+
+Have a lot of fun...
+
diff --git a/data/timeline.service b/data/timeline.service
index 44005103..66c3bb01 100644
--- a/data/timeline.service
+++ b/data/timeline.service
@@ -11,9 +11,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/package/snapper.changes b/package/snapper.changes
index 4e322258..20ab1f08 100644
--- a/package/snapper.changes
+++ b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue May 11 10:01:30 CEST 2021 - aschnell@suse.com
+
+- fixed systemd sandboxing (gh#openSUSE/snapper#651)
+
 -------------------------------------------------------------------
 Tue May 04 08:35:28 CEST 2021 - aschnell@suse.com
From 44a6e4c5e606f25206b14d1cd6122d0cdb8b4740 Mon Sep 17 00:00:00 2001
From: Arvin Schnell
Date: Tue, 11 May 2021 10:04:23 +0200
Subject: [PATCH 2/2] - disable automake silent rules
---
 configure.ac | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 06e47211..7d195e17 100644
--- a/configure.ac
+++ b/configure.ac
@@ -51,10 +51,6 @@ AC_DEFINE_UNQUOTED([LVCHANGEBIN], ["$LVCHANGEBIN"], [Path of lvchange program.])
 AC_DEFINE_UNQUOTED([LVMBIN], ["$LVMBIN"], [Path of lvm program.])
 AC_DEFINE_UNQUOTED([LVRENAMEBIN], ["$LVRENAMEBIN"], [Path of lvrename program.])
-dnl Automake 1.11 enables silent compilation
-dnl Disable it by "configure --disable-silent-rules" or "make V=1"
-m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
-
 CFLAGS="${CFLAGS} -std=c99 -Wall -Wextra -Wformat -Wmissing-prototypes -Wno-unused-parameter"
 CXXFLAGS="${CXXFLAGS} -std=c++11 -Wall -Wextra -Wformat -Wnon-virtual-dtor -Wno-unused-parameter"
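Review bot: Removing the AM_SILENT_RULES block leaves configure.ac with no statement of the intended build verbosity, and the effect of the removal depends on the automake version: with automake 1.13 and newer the silent-rules support is always built in and simply defaults to verbose output, so this is a change of default rather than removal of the feature (worth confirming against the automake versions being targeted). A one-line note where the block used to be, e.g. `dnl Silent rules are intentionally not enabled by default; use "configure --enable-silent-rules" or "make V=0" for a quiet build`, would keep the intent visible to the next person editing this file.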