Read-only workdir prevents binder from starting

Description

At startup, when a binder implements the HTTP server, it checks that the upload directory is accessible and writable, and refuses to start if it is not.

When systemd's DynamicUser is used for platform services, this check prevents the service from running.

Environment

None

Activity

Walt Miner 
June 25, 2019 at 3:54 PM

Close for HH RC1

Stephane Desneux 
May 28, 2019 at 2:44 PM

works for me

jose bollo 
May 28, 2019 at 2:10 PM

I propose to accept the patch that falls back to /tmp for the following reasons:

  • it is protected by Smack and DAC (umask = 0077)

  • /tmp can be mounted per application by systemd using PrivateTmp=true

  • this is a fallback

  • this is traditional (see the tmpfile function of glibc)

Stephane Desneux 
May 24, 2019 at 4:55 PM

Question: do we have to create a subfolder per app in /tmp or not?

This boils down to: is a file created by App1 in /tmp readable/writable/visible by App2? This obviously depends on the set of Smack rules, which are set per application.

And the same would apply to multiple users running the same app, BTW.

A stupid solution would be to create a temp dir per user and per app, something like /run/user/<uid>/tmp/<appname>/, but what about cleanup?

Fixed


Created May 23, 2019 at 8:27 AM
Updated September 19, 2019 at 12:06 PM
Resolved June 20, 2019 at 8:47 AM