units: disable /sys/fs/fuse/connections in private user namespaces (#4592)

The mount fails, even though CAP_SYS_ADMIN is granted. Only file systems with FU_USERNS_MOUNT in .fs_flags may be mounted in userns, and the patch to add that fusectl was rejected [1]. It would be nice if we could check if the kernel has FU_USERNS_MOUNT for a given fs type, since this could change over time, but this information doesn't seem to be exported. So let's just skip this mount in userns to avoid an error during boot. [1] https://patchwork.kernel.org/patch/2828269/
2016-11-11 13:00:33 -05:00 · 2016-11-11 13:00:33 -05:00 · b878b618ad
parent c58bd76a6a
commit b878b618ad
1 changed files with 1 additions and 0 deletions
--- a/units/sys-fs-fuse-connections.mount
+++ b/units/sys-fs-fuse-connections.mount
@ -12,6 +12,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/fs/fuse/connections
 ConditionCapability=CAP_SYS_ADMIN
+ConditionVirtualization=!private-users
 After=systemd-modules-load.service
 Before=sysinit.target