diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-11 13:00:33 -0500 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-11-11 19:00:33 +0100 |
commit | b878b618adb8467f60992b5933a46e109a0939ab (patch) | |
tree | ab66a34e2cb42fb96761fa36635462ec6f0ea6e1 | |
parent | c58bd76a6af673196ad283131cbe3edcf2bf6291 (diff) |
units: disable /sys/fs/fuse/connections in private user namespaces (#4592)
The mount fails, even though CAP_SYS_ADMIN is granted.
Only file systems with FU_USERNS_MOUNT in .fs_flags may be mounted in userns,
and the patch to add that fusectl was rejected [1]. It would be nice if we
could check if the kernel has FU_USERNS_MOUNT for a given fs type, since this
could change over time, but this information doesn't seem to be exported.
So let's just skip this mount in userns to avoid an error during boot.
[1] https://patchwork.kernel.org/patch/2828269/
-rw-r--r-- | units/sys-fs-fuse-connections.mount | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/units/sys-fs-fuse-connections.mount b/units/sys-fs-fuse-connections.mount index e940beb09f..336b5f6277 100644 --- a/units/sys-fs-fuse-connections.mount +++ b/units/sys-fs-fuse-connections.mount @@ -12,6 +12,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems DefaultDependencies=no ConditionPathExists=/sys/fs/fuse/connections ConditionCapability=CAP_SYS_ADMIN +ConditionVirtualization=!private-users After=systemd-modules-load.service Before=sysinit.target |