author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2016-11-11 13:00:33 -0500
committer	Lennart Poettering <lennart@poettering.net>	2016-11-11 19:00:33 +0100
commit	b878b618adb8467f60992b5933a46e109a0939ab (patch)
tree	ab66a34e2cb42fb96761fa36635462ec6f0ea6e1
parent	c58bd76a6af673196ad283131cbe3edcf2bf6291 (diff)
units: disable /sys/fs/fuse/connections in private user namespaces (#4592)
The mount fails, even though CAP_SYS_ADMIN is granted. Only file systems with FU_USERNS_MOUNT in .fs_flags may be mounted in userns, and the patch to add that fusectl was rejected [1].

It would be nice if we could check if the kernel has FU_USERNS_MOUNT for a given fs type, since this could change over time, but this information doesn't seem to be exported. So let's just skip this mount in userns to avoid an error during boot.

[1] https://patchwork.kernel.org/patch/2828269/
-rw-r--r--	units/sys-fs-fuse-connections.mount | 1 +
1 files changed, 1 insertions, 0 deletions
diff --git a/units/sys-fs-fuse-connections.mount b/units/sys-fs-fuse-connections.mount
index e940beb09f..336b5f6277 100644
--- a/units/sys-fs-fuse-connections.mount
+++ b/units/sys-fs-fuse-connections.mount
@@ -12,6 +12,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
DefaultDependencies=no
ConditionPathExists=/sys/fs/fuse/connections
ConditionCapability=CAP_SYS_ADMIN
+ConditionVirtualization=!private-users
After=systemd-modules-load.service
Before=sysinit.target
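Review bot: the reason for the new `ConditionVirtualization=!private-users` line exists only in the commit message; add a comment in the unit file directly above it stating that fusectl cannot be mounted inside a user namespace even with CAP_SYS_ADMIN (the missing userns-mount flag described in the commit message, with the patchwork link), and that the condition can be dropped once the kernel permits the mount. Without that comment the adjacent `ConditionCapability=CAP_SYS_ADMIN` line reads as though the capability alone gated the mount, which the commit message says is not the case, and a future maintainer has no cue that this is a workaround for a kernel limitation rather than a policy choice.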