units: conditionalize configfs and debugfs with CAP_SYS_RAWIO

We really don't want these in containers as they provide a too lowlevel look on the system. Conditionalize them with CAP_SYS_RAWIO since that's required to access /proc/kcore, /dev/kmem and similar, which feel similar in style. Also, npsawn containers lack that capability.
author: Lennart Poettering <lennart@poettering.net> 2014-07-04 03:10:09 +0200
committer: Lennart Poettering <lennart@poettering.net> 2014-07-04 03:24:42 +0200
commit: fa229d09281d435153b4cfd138a2a62fa66d889b (patch)
tree: f15b28718287883d2eb7f34785b43c9c6ea36c0a
parent: e0c74691c41a204eba2fd5f39615049fc9ff1648 (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount
index 020101c0d8..21648eff6a 100644
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/configfs/conf
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/config
+ConditionCapability=CAP_SYS_RAWIO
 After=systemd-modules-load.service
 Before=sysinit.target
 
diff --git a/units/sys-kernel-debug.mount b/units/sys-kernel-debug.mount
index 5369728a9f..1e94387bac 100644
--- a/units/sys-kernel-debug.mount
+++ b/units/sys-kernel-debug.mount
@@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/debugfs.txt
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/debug
+ConditionCapability=CAP_SYS_RAWIO
 Before=sysinit.target
 
 [Mount]
author	Lennart Poettering <lennart@poettering.net>	2014-07-04 03:10:09 +0200
committer	Lennart Poettering <lennart@poettering.net>	2014-07-04 03:24:42 +0200
commit	fa229d09281d435153b4cfd138a2a62fa66d889b (patch)
tree	f15b28718287883d2eb7f34785b43c9c6ea36c0a
parent	e0c74691c41a204eba2fd5f39615049fc9ff1648 (diff)