Re: namespace problem

Would really like to see the contents of the .service file. Does it use any hardening options at all?

On Thu, Jul 18, 2024 at 10:49 AM Thomas Köller <thomas@xxxxxxxxxxxxxxxxxx> wrote:
Hi,

I have a problem creating a namespace from a systemd service. The
service (type oneshot) invokes a shell script containing these two lines:

     ip netns add vpnlink
     iw phy phy0 set netns name vpnlink

Both commands succeed, meaning they do not return an error, and so the
service start is successful. However, the newly created network
namespace is apparently unusable. Invoking the script from a root shell
outside of the systemd service successfully creates the namespace. The
log below illustrates the problem:

root@htpc:~/netsu# ip netns list
root@htpc:~/netsu# ./netsu
root@htpc:~/netsu# ip netns list
vpnlink (id: 0)
root@htpc:~/netsu# ip netns exec vpnlink ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: wlan_usb: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
     link/ether 00:0f:60:06:7f:3b brd ff:ff:ff:ff:ff:ff
root@htpc:~/netsu# ip netns del vpnlink
root@htpc:~/netsu# ip netns list
root@htpc:~/netsu# systemctl restart network-setup.service
root@htpc:~/netsu# systemctl status network-setup.service
● network-setup.service
      Loaded: loaded (/etc/systemd/system/network-setup.service; enabled; preset: disabled)
     Drop-In: /usr/lib/systemd/system/service.d
              └─10-timeout-abort.conf
      Active: active (exited) since Thu 2024-07-18 09:34:55 CEST; 14s ago
     Process: 3320 ExecStart=/root/netsu/netsu (code=exited, status=0/SUCCESS)
    Main PID: 3320 (code=exited, status=0/SUCCESS)
         CPU: 29ms

Jul 18 09:34:55 htpc systemd[1]: Starting network-setup.service...
Jul 18 09:34:55 htpc systemd[1]: Finished network-setup.service.
root@htpc:~/netsu# ip netns list
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
vpnlink
root@htpc:~/netsu# ip netns exec vpnlink ip link show
setting the network namespace "vpnlink" failed: Invalid argument
root@htpc:~/netsu# ip netns del vpnlink

Am I missing something? Of course, the process running the root shell
invoked from the command line is ultimately also a child of systemd,
which is the system's init process.


--
Mantas Mikulėnas
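A diagnostic along the lines Mantas is probing for, added here and not code from either poster. `ip netns add NAME` works by bind-mounting an nsfs inode onto `/run/netns/NAME`; if the unit runs in its own mount namespace (which systemd sets up for hardening options such as `PrivateMounts=`, `PrivateTmp=`, `ProtectSystem=` and `ProtectHome=`), that bind mount stays inside the unit and the host only sees the empty placeholder file, so `setns()` on it fails with EINVAL and `ip` reports "Invalid argument" / "Peer netns reference is invalid". The script checks both halves: whether `/run/netns/NAME` is an nsfs mount in the caller's `/proc/self/mountinfo`, and whether `systemctl show` reports any of those options enabled for a unit. The property names and the claim that each of those four options implies a separate mount namespace are my assumptions (the list is not exhaustive), and the embedded mountinfo samples are constructed, not captured from the thread's machine.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Checks, from wherever it runs,
# whether the name created by `ip netns add NAME` is backed by a real
# namespace. `ip netns add` bind-mounts an nsfs inode onto /run/netns/NAME;
# a bind mount made inside a unit's private mount namespace (what
# PrivateMounts=, PrivateTmp=, ProtectSystem= or ProtectHome= set up) never
# reaches the host's mount namespace, which then only sees the empty
# placeholder file. setns() on that file fails with EINVAL, which is what
# "Invalid argument" / "Peer netns reference is invalid" report.

# netns_is_mounted_in NAME   (mountinfo text on stdin)
# Succeeds when the mountinfo lists an nsfs mount at /run/netns/NAME.
netns_is_mounted_in() {
    awk -v mp="/run/netns/$1" '
        {
            # fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
            fstype = ""
            for (i = 7; i <= NF; i++) {
                if ($i == "-") { fstype = $(i + 1); break }
            }
            if ($5 == mp && fstype == "nsfs") { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# netns_is_mounted NAME: the same check against the caller's own mount namespace.
netns_is_mounted() {
    netns_is_mounted_in "$1" < /proc/self/mountinfo
}

# unit_has_private_mountns PROPS
# PROPS is the output of
#   systemctl show -p PrivateMounts,PrivateTmp,ProtectSystem,ProtectHome UNIT
# Succeeds if any of them is enabled. Assumption: each of these makes systemd
# run the unit in a separate mount namespace (the list is not exhaustive).
unit_has_private_mountns() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "PrivateMounts" || $1 == "PrivateTmp" ||
        $1 == "ProtectSystem" || $1 == "ProtectHome" {
            if ($2 != "" && $2 != "no") on = 1
        }
        END { exit on ? 0 : 1 }'
}

# Constructed sample mountinfo (not captured from the thread's machine):
# the host view after the service ran, and the view inside the service.
SAMPLE_HOST_MOUNTINFO='24 1 0:22 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
26 24 0:22 /netns /run/netns rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755'
SAMPLE_SERVICE_MOUNTINFO="$SAMPLE_HOST_MOUNTINFO
40 26 0:4 net:[4026532289] /run/netns/vpnlink rw - nsfs nsfs rw"

# Usage: sh netns-check.sh NAME [UNIT]
if [ $# -ge 1 ]; then
    if netns_is_mounted "$1"; then
        echo "/run/netns/$1 is an nsfs mount here: the namespace is usable"
    else
        echo "/run/netns/$1 is not an nsfs mount in this mount namespace"
    fi
    if [ $# -ge 2 ] && unit_has_private_mountns "$(systemctl show -p PrivateMounts,PrivateTmp,ProtectSystem,ProtectHome "$2")"; then
        echo "$2 runs in its own mount namespace; mounts it makes stay there"
    fi
fi
```

Run it as root on the host with `sh netns-check.sh vpnlink network-setup.service` right after the service has started: the first line tells you whether the name resolves to a namespace from the host's point of view, the second whether the unit's hardening puts its mounts somewhere the host cannot see. Running the same check from inside the unit (for instance via an extra `ExecStart=` line) shows the other side of the picture.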
