units: conditionalize configfs and debugfs with CAP_SYS_RAWIO

We really don't want these in containers as they provide a too lowlevel look on the system. Conditionalize them with CAP_SYS_RAWIO since that's required to access /proc/kcore, /dev/kmem and similar, which feel similar in style. Also, npsawn containers lack that capability.
2014-07-04 03:10:09 +02:00 · 2014-07-04 03:10:09 +02:00 · fa229d0928
parent e0c74691c4
commit fa229d0928
2 changed files with 2 additions and 0 deletions
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/configfs/conf
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/config
+ConditionCapability=CAP_SYS_RAWIO
 After=systemd-modules-load.service
 Before=sysinit.target

--- a/units/sys-kernel-debug.mount
+++ b/units/sys-kernel-debug.mount
@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/debugfs.txt
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/debug
+ConditionCapability=CAP_SYS_RAWIO
 Before=sysinit.target

 [Mount]