Hi,
I'm currently trying to execute systemd-dissect from within a
quite sandboxed service. I've set PrivateDevices = "no" and DeviceAllow
to block-loop and loop-control. However, systemd-dissect still
runs into an error when trying to talk to the loop device:
ioctl(6, BLKPG, {op=BLKPG_DEL_PARTITION, flags=0, datalen=152, data="" length=0, pno=1, devname="/dev/loop0p1", volname=""}) = -1 EACCES (Permission denied)
Do you guys have any pointers on which other sandboxing settings I need to tweak? I've fiddled around with capabilities and syscall filters (which both shouldn't be a problem), but no luck.
For reference, the (presumably) relevant parts of the service
config:
SecureBits=0
User=root
DynamicUser=no
SetLoginEnvironment=no
RemoveIPC=yes
PrivateTmp=yes
PrivateDevices=no
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
PrivateNetwork=no
PrivateUsers=yes
PrivateMounts=yes
PrivateIPC=no
ProtectHome=yes
ProtectSystem=strict
SameProcessGroup=no
UtmpMode=init
IgnoreSIGPIPE=yes
NoNewPrivileges=yes
MemoryDenyWriteExecute=no
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
ProtectProc=invisible
ProcSubset=all
ProtectHostname=yes
Moritz Sanft
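An added diagnostic, not part of the message above and not systemd's own code, for narrowing down an EACCES like the one in the strace line. In the kernel, the BLKPG_ADD_PARTITION/BLKPG_DEL_PARTITION path (blkpg_ioctl in block/ioctl.c) is gated by capable(CAP_SYS_ADMIN) and returns -EACCES otherwise; capable() is evaluated against the initial user namespace, so a process that is root with a full capability set only inside a child user namespace fails that check regardless of DeviceAllow= or seccomp settings. The script separates the two conditions that matter for that check (is CAP_SYS_ADMIN in CapEff, and is the process in the initial user namespace) so each can be tested on its own; the sample /proc/<pid>/status text in the test is constructed, and the comparison against PID 1's user namespace assumes PID 1 is in the initial namespace (true outside a container).

```python
#!/usr/bin/env python3
"""Check whether a process meets the kernel's precondition for BLKPG.

Added example (not from the original message or from systemd).  BLKPG
requires capable(CAP_SYS_ADMIN), which is checked against the initial
user namespace, so two things are inspected:
  1. CapEff from /proc/<pid>/status contains CAP_SYS_ADMIN
  2. the process' user namespace is the initial one
"""
import os
import re

CAP_SYS_ADMIN = 21  # bit index from <linux/capability.h>


def cap_effective(status_text: str) -> int:
    """Parse the CapEff: bitmask (hex) out of /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(capset: int, cap: int) -> bool:
    """True if capability bit `cap` is set in the bitmask `capset`."""
    return (capset >> cap) & 1 == 1


def user_ns_id(pid="self") -> int:
    """Inode number identifying the user namespace of `pid`.

    Needs ptrace-read access to the target, i.e. root for PID 1.
    """
    return os.stat(f"/proc/{pid}/ns/user").st_ino


def diagnose_blkpg(capeff: int, in_init_userns: bool) -> str:
    """Classify why blkpg_ioctl's capable(CAP_SYS_ADMIN) check would fail.

    Returns 'ok', 'no-cap-sys-admin' or 'child-user-namespace'.
    """
    if not has_cap(capeff, CAP_SYS_ADMIN):
        return "no-cap-sys-admin"
    if not in_init_userns:
        # Full caps inside a child user namespace (e.g. PrivateUsers=yes)
        # do not satisfy capable(), which tests the initial namespace.
        return "child-user-namespace"
    return "ok"


def diagnose_self() -> str:
    """Run the check on the calling process (assumes PID 1 is in the
    initial user namespace, which holds outside containers)."""
    with open("/proc/self/status") as f:
        capeff = cap_effective(f.read())
    in_init = user_ns_id("self") == user_ns_id(1)
    return diagnose_blkpg(capeff, in_init)


if __name__ == "__main__":
    # Run this inside the sandboxed unit, e.g. via ExecStart=, to see
    # which precondition the service fails.
    print(diagnose_self())
```

Run from inside the unit in question; if it reports child-user-namespace while CapEff already contains CAP_SYS_ADMIN, the capability and syscall settings are not what blocks the ioctl.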