units: conditionalize configfs and debugfs with CAP_SYS_RAWIO

We really don't want these in containers as they provide a too lowlevel
look on the system.

Conditionalize them with CAP_SYS_RAWIO since that's required to access
/proc/kcore, /dev/kmem and similar, which feel similar in style. Also,
npsawn containers lack that capability.

diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount
index 020101c0d8fb9c4946562eb874adfb03f752e961..21648eff6af7a59ff7cf97f6d2ac419bc461f382 100644 (file)
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/configfs/conf
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/config
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/config

+ConditionCapability=CAP_SYS_RAWIO

 After=systemd-modules-load.service
 Before=sysinit.target
 
 After=systemd-modules-load.service
 Before=sysinit.target
 

diff --git a/units/sys-kernel-debug.mount b/units/sys-kernel-debug.mount
index 5369728a9f09ed2d2dea3df43e8d909530b1e52e..1e94387bacb988b35c76c5781090a10676ff9259 100644 (file)
--- a/units/sys-kernel-debug.mount
+++ b/units/sys-kernel-debug.mount
@@ -11,6 +11,7 @@ Documentation=https://www.kernel.org/doc/Documentation/filesystems/debugfs.txt
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/debug
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/debug

+ConditionCapability=CAP_SYS_RAWIO

 Before=sysinit.target
 
 [Mount]
 Before=sysinit.target
 
 [Mount]