Closed
Description
Submission type
- Bug report
systemd version the issue has been seen with
235
Used distribution
Gentoo
In case of bug report: Expected behaviour you didn't see
ReadWritePaths works with DynamicUser.
In case of bug report: Unexpected behaviour you saw
ReadWritePaths does not work anymore with DynamicUser.
In case of bug report: Steps to reproduce the problem
Please see the attached unit file. I wrote it using version 234. It does not work anymore with version 235, because ReadWritePaths seems to be ignored now with DynamicUser. qemu complains about the disk image /var/lib/machines/%i.raw being on a read only filesystem. I reverted to version 234, did a daemon-reexec and the unit file works fine again.
I hope it is a mistake on my side. If it is, please tell me what changes are required to the unit file to make it work with version 235.
Some additional thoughts:
- Using /run/private may not be a good idea. It may be the case that a service creates a unix socket to interact with users that are not root. This used to work with version 234 but does not work anymore with version 235 because /run/private is 0700 and owned by root. I think this may make the DynamicUser feature less attractive than before.
In my unit the script in ExecStopPost changes access rights on the disk image after qemu has stopped to prevent any other dynamic user created afterwards from accessing the disk file in /var/lib/machines.
- PrivateDevices should respect DeviceAllow and create device files for all DeviceAllow directives. (I can create a separate report for that, if there is any hope for that feature.)
Unit File:
[Unit]
Description=Virtual Machine %i
Documentation=man:qemu
After=apparmor@vm@%i.service
Wants=apparmor@vm@%i.service
RequiresMountsFor=/var/lib/machines
[Service]
User=vm@%i
Group=vm@%i
SupplementaryGroups=kvm
DynamicUser=true
RuntimeDirectory=vm@%i
RuntimeDirectoryMode=0755
Environment="INSTANCE=%i"
Environment="KEYBOARD=de"
#This writes a small config for the virtual hardware to /run/vm@%i/config and creates the tap interface.
ExecStartPre=/usr/bin/vm prepare "%i"
ExecStart=/usr/bin/qemu-system-x86_64 -no-user-config -nodefaults -readconfig "/run/vm@%i/config" -machine accel=kvm -balloon virtio -boot order=cn,menu=on -device i6300esb -watchdog-action reset -k $KEYBOARD -chardev "socket,id=monitor,path=/run/vm@%i/monitor,server,nowait" -mon chardev=monitor -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16 -device virtio-serial-pci -chardev "socket,path=/run/vm@%i/console,server,nowait,id=virtconsole" -device virtconsole,chardev=virtconsole,name=org.fedoraproject.console
ExecStopPost=/usr/bin/vm cleanup "%i"
#qemu was built with a patch to enable acpi shutdown with SIGINT
KillMode=process
KillSignal=SIGINT
TimeoutStopSec=600s
Restart=on-abnormal
RestartSec=60s
PermissionsStartOnly=true
AppArmorProfile=-vm@%i
#PrivateUsers=true
PrivateTmp=true
PrivateDevices=false
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=false
ProtectKernelModules=true
ProtectControlGroups=true
CapabilityBoundingSet=
NoNewPrivileges=true
#LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @obsolete @swap
SystemCallErrorNumber=EPERM
#IPAddressAllow=127.0.0.1/8 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 100.64.0.0/10
#IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
DevicePolicy=closed
DeviceAllow=/dev/kvm rw
DeviceAllow=/dev/net/tun rw
DeviceAllow=/dev/vhost-net rw
ReadWritePaths=/var/lib/machines/%i.raw
ReadWritePaths=/proc/sys/net/ipv4/conf
SyslogIdentifier=vm@%i
[Install]
WantedBy=machines.target
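A smaller reproduction of the ReadWritePaths= check described above, as an added example that is not part of the report: a transient unit with the same DynamicUser= and ProtectSystem=strict combination tries to write into a scratch directory under /var/lib/machines. It assumes root, systemd-run with --wait (systemd 232+), and a made-up probe directory name.

```shell
#!/bin/sh
# Added example (not from the report): probe whether ReadWritePaths= is honoured
# under DynamicUser= with a throwaway transient unit instead of the full qemu unit.
# Needs root and systemd-run --wait (systemd 232+). The probe directory is made up.
set -eu

# Properties mirroring the relevant lines of the reporter's unit:
# DynamicUser=true + ProtectSystem=strict, with one ReadWritePaths= exception.
rw_probe_props() {
    printf '%s' "-p DynamicUser=yes -p ProtectSystem=strict -p ReadWritePaths=$1"
}

# Create a world-writable scratch directory under /var/lib/machines (the path the
# report uses) so that only the mount namespace, not file ownership, decides
# whether the dynamic user can write there.
rw_probe_setup() {
    dir=${1:-/var/lib/machines/rwprobe.d}
    mkdir -p "$dir" && chmod 1777 "$dir"
    printf '%s\n' "$dir"
}

# Run the transient unit; with --wait, systemd-run exits non-zero when the
# service's main process fails. touch fails with EROFS if ReadWritePaths= was
# ignored, which is the symptom the report describes for version 235.
rw_probe() {
    dir=$1
    # shellcheck disable=SC2046  # word-splitting of the -p list is intended
    if systemd-run --wait --quiet $(rw_probe_props "$dir") \
            /bin/sh -c "touch '$dir/probe'"; then
        echo "writable: ReadWritePaths= honoured under DynamicUser="
        return 0
    else
        echo "read-only or other failure: ReadWritePaths= may be ignored; check the journal"
        return 1
    fi
}

# Usage (as root):  d=$(rw_probe_setup) && rw_probe "$d"
```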