*Directory= directives override *Paths= directives

[injust]

Submission type

Bug report

systemd version the issue has been seen with

235

Used distribution

Arch Linux

Unexpected behaviour you saw

RuntimeDirectory= and similar directives, e.g. CacheDirectory= and LogsDirectory=, override the directives InaccessiblePaths=, ReadOnlyPaths=, and ReadWritePaths=. This was introduced in version 235; bug cannot be replicated in version 234.

In case of bug report: Steps to reproduce the problem

Given a service file that writes to /var/log/test:

Does not work

InaccessiblePaths=/

Works, InaccessiblePaths= is overridden by RuntimeDirectory=

InaccessiblePaths=/
RuntimeDirectory=test

Does not work, CacheDirectory= overrides ReadWritePaths=

CacheDirectory=test
ProtectSystem=strict
ReadWritePaths=/var/log/test

Does not work, similar to case above

RuntimeDirectory=test
ProtectSystem=strict
ReadWritePaths=/var/log/test

Works because LogsDirectory= whitelists /var/log/test

LogsDirectory=test
ProtectSystem=strict
ReadWritePaths=/var/log/test

Works because ReadWritePaths= is not overridden

ProtectSystem=strict
ReadWritePaths=/var/log/test

[yuwata]

Confirmed. The following service fails:

$ systemctl cat hoge.service
# /etc/systemd/system/hoge.service
[Service]
Type=oneshot
RuntimeDirectory=test
ProtectSystem=strict
ReadWritePaths=/var/log/test
ExecStart=/bin/touch /run/test/hoge
ExecStart=/bin/touch /var/log/test/hoge

while the following succeeds:

$ systemctl cat foo.service
# /etc/systemd/system/foo.service
[Service]
Type=oneshot
ProtectSystem=strict
ReadWritePaths=/var/log/test
ExecStart=/bin/touch /var/log/test/foo

[yuwata]

Also, ReadWritePaths= does not work with BindPaths=, e.g.,

$ systemctl cat ver.service
# /etc/systemd/system/ver.service
[Service]
Type=oneshot
BindPaths=/tmp:/tmp/aaa
ProtectSystem=strict
ReadWritePaths=/var/log/test
ExecStart=/bin/touch /var/log/test/ver

By setting log level to debug, I got the following debug messages.
With the above ver.service,

Oct 12 12:57:40 systemd[1]: Starting ver.service...
Oct 12 12:57:40 systemd[3114]: /var/log/test is outside of root directory.

With the above hoge.service

Oct 12 12:38:51 systemd[1]: Starting hoge.service...
Oct 12 12:38:51 systemd[1700]: /run/test is outside of root directory.
Oct 12 12:38:51 systemd[1700]: /var/log/test is outside of root directory.

From 6c47cd7, RuntimeDirectory= and friends implies BindPaths=, which are bind-mounted. If at least one bind mount is requested, then systemd behaves like with RootDirectory=. So, the directories specified in ReadWritePaths= are not seen from the root directory.
See the following.

systemd/src/core/namespace.c

Lines 1020 to 1029 in 35d379b

	else if (root_image || n_bind_mounts > 0) {
	/* If we are booting from an image, create a mount point for the image, if it's still missing. We use
	* the same mount point for all images, which is safe, since they all live in their own namespaces
	* after all, and hence won't see each other. We also use such a root directory whenever there are bind
	* mounts configured, so that their source mounts are never obstructed by mounts we already applied
	* while we are applying them. */
	root = "/run/systemd/unit-root";
	(void) mkdir_label(root, 0700);

[yuwata]

Workaround for this problem is

1. use + prefix for ReadWritePaths=, or
2. use BindPaths= instead of ReadWritePaths=.

The following two examples work fine.

[Service]
Type=oneshot
RuntimeDirectory=test
ProtectSystem=strict
ReadWritePaths=+/var/log/test
ExecStart=/bin/touch /run/test/hoge
ExecStart=/bin/touch /var/log/test/hoge

[Service]
Type=oneshot
RuntimeDirectory=test
ProtectSystem=strict
BindPaths=/var/log/test
ExecStart=/bin/touch /run/test/hoge
ExecStart=/bin/touch /var/log/test/hoge

[YmrDtnJu]

There are quite a lot of features of systemd that require a separate mount namespace for a service. It seems to me, that most of those problems come from missing management code that controlls the mount namespace for all those features at one central point.

Additionally, the ordering of mounts is unclear. One example:
I like to have apparmor support within an nspawn container. Therefore, I need /sys/module/apparmor/parameters/enabled available in the container for systemd to detect enabled apparmor support in the kernel and additionally /sys/kernel/security/apparmor to get apparmor profiles enabled within the container (I use a separate apparmor namespace for each container). This works fine, but I have to use "--bind=/sys/kernel/security/apparmor:/sys/apparmor", because "--bind=/sys/kernel/security/apparmor" does not work because /sys is mounted after all the --bind options on the command line. I rewrote my script that enables apparmor profiles to also look for /sys/apparmor, so that it works with either path.

[yuwata]

@injust and @YmrDtnJu I've created PR #7088 for this issue. If possible, please test it.
I confirm that my above examples works fine.

[injust]

@yuwata LGTM. I can confirm that it works with my test cases.

[yuwata]

@injust Thanks.