mirror of
https://github.com/systemd/systemd
synced 2024-10-04 15:21:01 +00:00
units: conditionalize configfs and debugfs with CAP_SYS_RAWIO
We really don't want these in containers as they provide a too low-level look on the system. Conditionalize them with CAP_SYS_RAWIO since that's required to access /proc/kcore, /dev/kmem and similar, which feel similar in style. Also, nspawn containers lack that capability.
parent
e0c74691c4
commit
fa229d0928
|
@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/configfs/conf
|
||||||
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
|
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
|
||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
ConditionPathExists=/sys/kernel/config
|
ConditionPathExists=/sys/kernel/config
|
||||||
|
ConditionCapability=CAP_SYS_RAWIO
|
||||||
After=systemd-modules-load.service
|
After=systemd-modules-load.service
|
||||||
Before=sysinit.target
|
Before=sysinit.target
|
||||||
|
|
||||||
|
|
|
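Review bot: The added `ConditionCapability=CAP_SYS_RAWIO` line, placed right after `ConditionPathExists=/sys/kernel/config`, carries no comment explaining why a raw-I/O capability gates a configfs mount. The commit message explains that the capability is a stand-in for "not in a container", but someone reading the unit file alone will not see that. Suggest a one-line comment above the condition stating the intent. It is also worth noting there that `ConditionCapability=` tests the service manager's capability bounding set, so a container that is started with CAP_SYS_RAWIO retained will still mount configfs.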
@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/debugfs.txt
|
||||||
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
|
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
|
||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
ConditionPathExists=/sys/kernel/debug
|
ConditionPathExists=/sys/kernel/debug
|
||||||
|
ConditionCapability=CAP_SYS_RAWIO
|
||||||
Before=sysinit.target
|
Before=sysinit.target
|
||||||
|
|
||||||
[Mount]
|
[Mount]
|
||||||
|
|
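Review bot: The `ConditionCapability=CAP_SYS_RAWIO` line added after `ConditionPathExists=/sys/kernel/debug` takes effect outside containers too. Any host whose service manager runs with CAP_SYS_RAWIO dropped from its bounding set will skip this mount, and a failed condition skips the unit quietly rather than failing it, so /sys/kernel/debug is simply absent. If that is intended for hardened hosts as well, say so in the commit message or in a unit comment. If only containers are meant, consider whether `ConditionVirtualization=!container` expresses that more directly. The identical line is also added to the configfs unit, so any later change to the condition has to be made in both places.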