On Fri, Jul 19, 2024 at 12:08:58AM +0300, Mantas Mikulėnas wrote:
> On Thu, Jul 18, 2024, 15:43 Thomas Köller wrote:
>
> > On 18.07.24 at 14:04, Mantas Mikulėnas wrote:
> > > Yes, but namespace persistence actually relies on filesystem access –
> > > it's implemented as a bind-mount of the names
On Thu, Jul 18, 2024, 15:43 Thomas Köller wrote:
> On 18.07.24 at 14:04, Mantas Mikulėnas wrote:
> > Yes, but namespace persistence actually relies on filesystem access –
> > it's implemented as a bind-mount of the namespace file descriptor (onto
> > /run/netns for the 'ip netns' tool), as other
On Thu, Jul 18, 2024 at 4:00 PM Thomas Köller wrote:
>
> On 18.07.24 at 14:04, Mantas Mikulėnas wrote:
> > Yes, but namespace persistence actually relies on filesystem access –
> > it's implemented as a bind-mount of the namespace file descriptor (onto
> > /run/netns for the 'ip netns' tool), as
On 18.07.24 at 14:04, Mantas Mikulėnas wrote:
Yes, but namespace persistence actually relies on filesystem access –
it's implemented as a bind-mount of the namespace file descriptor (onto
/run/netns for the 'ip netns' tool), as otherwise namespaces only exist
as long as processes that hold the
On Thu, Jul 18, 2024 at 2:14 PM Thomas Köller wrote:
> > Does it use any hardening options at all?
>
> Thanks for the hint. As it seems this is an undocumented side effect of
> 'ProtectSystem = full'. From reading the docs I got the impression that
> only file system access is affected by this pa
Does it use any hardening options at all?
Thanks for the hint. As it seems this is an undocumented side effect of
'ProtectSystem = full'. From reading the docs I got the impression that
only file system access is affected by this parameter.
On 18.07.24 at 12:18, Mantas Mikulėnas wrote:
Would really like to see the contents of the .service file. Does it use
any hardening options at all?
root@htpc:~/netsu# cat /etc/systemd/system/network-setup.service
[Unit]
Before = systemd-networkd.service
Before = network-setup.service
[Service]
Would really like to see the contents of the .service file. Does it use any
hardening options at all?
On Thu, Jul 18, 2024 at 10:49 AM Thomas Köller wrote:
> Hi,
>
> I have a problem creating a namespace from a systemd service. The
> service (type oneshot) invokes a shell script containing these