fix(scripts): make /usr writable #2398
Conversation
| @@ -13,7 +13,6 @@ RestartSec=15s | |||
| Restart=on-failure | |||
| PrivateTmp=true | |||
| NoNewPrivileges=yes | |||
| ProtectSystem=true | |||
There was a problem hiding this comment.
Can we try ReadWritePaths instead?
There was a problem hiding this comment.
It looks like ReadWritePaths was introduced in systemd 231: https://github.com/systemd/systemd/blob/main/NEWS#L9059
I think we should use ReadWriteDirectories that is kept for backward compatibility:
The old names of these settings remain
available for compatibility.
|
/milestone 0.34.0 |
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
| @@ -19,7 +19,7 @@ NoNewPrivileges=yes | |||
| ProtectHome=read-only | |||
| ProtectSystem=full | |||
| ProtectKernelTunables=true | |||
| ReadWritePaths=/sys/module/falco | |||
| ReadWriteDirectories=/sys/module/falco | |||
There was a problem hiding this comment.
Thanks!
@Andreagit97 we will need a quick test of the falco-kmod service after this change (from packages built by this pr ci)
This should work with super old versions of systemd as well (it was not working before 231).
|
LGTM label has been added. Git tree hash: c9ba6465ca4efea9721fa5012dc3ec7e9004f1c7
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, leogr, therealbobo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Roberto Scolaro roberto.scolaro21@gmail.com
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
What this PR does / why we need it:
ProtectSystemdirective makes/usrdirectory read-only. By the wayfalcoctlneeds write permission.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: