From 9e5545876e1fa37417e0875c0cc61bd6bc126976 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 8 Oct 2024 13:18:55 -0700 Subject: [PATCH 1/2] memfd-bind: fixup systemd unit file and README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The example of starting memfd-bind via systemd in README did not work for me (Fedora 40, systemd 255): # systemctl status memfd-bind@/usr/bin/runc Invalid unit name "memfd-bind@/usr/bin/runc" escaped as "memfd-bind@-usr-bin-runc" (maybe you should use systemd-escape?). ○ memfd-bind@-usr-bin-runc.service Loaded: bad-setting (Reason: Unit memfd-bind@-usr-bin-runc.service has a bad unit file setting.) Active: inactive (dead) Docs: https://github.com/opencontainers/runc So, let's use systemd-escape -p ("path") in the README example, and use %f in the systemd unit file to prepend the slash to the filename. Signed-off-by: Kir Kolyshkin --- contrib/cmd/memfd-bind/README.md | 2 +- contrib/cmd/memfd-bind/memfd-bind@.service | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/contrib/cmd/memfd-bind/README.md b/contrib/cmd/memfd-bind/README.md index 8123c897006..c4887fa7f0e 100644 --- a/contrib/cmd/memfd-bind/README.md +++ b/contrib/cmd/memfd-bind/README.md @@ -25,7 +25,7 @@ The provided `memfd-bind@.service` file can be used to get systemd to manage this daemon. You can supply the path like so: ``` -% systemctl start memfd-bind@/usr/bin/runc +% systemctl start memfd-bind@$(systemd-escape -p /usr/bin/runc) ``` Thus, there are three ways of protecting against CVE-2019-5736, in order of how diff --git a/contrib/cmd/memfd-bind/memfd-bind@.service b/contrib/cmd/memfd-bind/memfd-bind@.service index 591548ea4d9..796d05cb445 100644 --- a/contrib/cmd/memfd-bind/memfd-bind@.service +++ b/contrib/cmd/memfd-bind/memfd-bind@.service 
@@ -1,11 +1,11 @@ [Unit] -Description=Manage memfd-bind of %I +Description=Manage memfd-bind of %f Documentation=https://github.com/opencontainers/runc [Service] Type=simple -ExecStart=memfd-bind "%I" -ExecStop=memfd-bind --cleanup "%I" +ExecStart=memfd-bind "%f" +ExecStop=memfd-bind --cleanup "%f" [Install] WantedBy=multi-user.target From 4fdd56169d9a44f037c801810ac355db4c6d442b Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 8 Oct 2024 13:30:59 -0700 Subject: [PATCH 2/2] memfd-bind: more specific doc URL Let's point to the relevant README directly in the systemd unit file, as it is hard to find in the whole nine yards of the runc repo. Signed-off-by: Kir Kolyshkin --- contrib/cmd/memfd-bind/memfd-bind@.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/cmd/memfd-bind/memfd-bind@.service b/contrib/cmd/memfd-bind/memfd-bind@.service index 796d05cb445..89086902651 100644 --- a/contrib/cmd/memfd-bind/memfd-bind@.service +++ b/contrib/cmd/memfd-bind/memfd-bind@.service @@ -1,6 +1,6 @@ [Unit] Description=Manage memfd-bind of %f -Documentation=https://github.com/opencontainers/runc +Documentation=https://github.com/opencontainers/runc/blob/main/contrib/cmd/memfd-bind/README.md [Service] Type=simple
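Review bot: the new README line `systemctl start memfd-bind@$(systemd-escape -p /usr/bin/runc)` is consistent with the `%f` change in the unit file (`systemd-escape -p` strips the leading `/` and yields `usr-bin-runc`; `%f` puts the `/` back), but two details are worth tightening. First, `systemd-escape --template=memfd-bind@.service -p /usr/bin/runc` prints the complete unit name `memfd-bind@usr-bin-runc.service` and avoids the command substitution, which is easier to copy into a `systemctl enable` invocation as well. Second, the fenced example keeps a `%` (unprivileged) prompt while the reproduction in the commit message runs as root (`#`); pick one so readers know which context the command is expected to run in.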
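Review bot: replacing `%I` with `%f` in `Description=`, `ExecStart=` and `ExecStop=` is the right fix, since `%f` expands to the unescaped instance name with `/` prepended, but that only holds when the instance string was produced with `systemd-escape -p`; a hand-typed `memfd-bind@foo.service` would silently run `memfd-bind "/foo"`. A one-line comment in the unit (or a sentence next to the README example) saying the instance must be a path-escaped name would prevent that. Separately, `ExecStart=memfd-bind "%f"` and `ExecStop=memfd-bind --cleanup "%f"` use a bare command name; systemd only resolves that through its fixed search path since v239, so either document where `memfd-bind` has to be installed or use an absolute path.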
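Review bot: pointing `Documentation=` at `https://github.com/opencontainers/runc/blob/main/contrib/cmd/memfd-bind/README.md` is more useful than the repository root, but the link follows the `main` branch and will 404 if the contrib directory is moved or the default branch is renamed. Since `Documentation=` accepts a space-separated list of URIs, consider keeping the repository URL as a second entry so `systemctl status` always shows at least one working link.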