Skip to content

systemd-generator: some more exceptions #950

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

systemd-generator: some more exceptions #950

wants to merge 1 commit into from

Conversation

@bugness-chl
Copy link

@bugness-chl bugness-chl commented Oct 18, 2025

Hello,

this pull-request is a work in progress. Feel free to comment, and overtake it or discard it after a week without activity.

It adds some more systemd exceptions in the lxc.generator script for the program nullmailer in Debian 13 Trixie.

I think I tested with a pretty standard configuration, both in privileged and unprivileged containers , except for lxc.apparmor.profile where the generated setting fails with unprivileged containers (even with /usr/sbin/apparmor_parser in the $PATH):

#lxc.apparmor.profile = generated
lxc.apparmor.profile = lxc-container-default-cgns

I am still studying the reason of the if is_lxc_privileged_container... at line 102-104 because unprivileged containers also need those configurations and I tend to replace it with a if true; then (hoping it doesn't decrease security too much...)

And, for reference, here is the (heavily sandboxed) nullmailer's systemd service file on Debian 13:

[Unit]
Description=Nullmailer relay-only MTA
After=network.target
RequiresMountsFor=/var/spool/nullmailer
ConditionPathExists=/var/spool/nullmailer/queue
Documentation=man:nullmailer(7)

[Service]
WorkingDirectory=/var/spool/nullmailer
ExecStart=/usr/sbin/nullmailer-send
User=mail
Group=mail
Restart=always
SyslogFacility=mail

# Sandboxing
CapabilityBoundingSet=
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWriteDirectories=-/var/log
ReadWriteDirectories=-/var/run
ReadWriteDirectories=-/var/spool/nullmailer
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

[Install]
WantedBy=multi-user.target

@bugness-chl
systemd-generator: some more exceptions
c9ae6b3 
Those exceptions are for nullmailer on Debian 13.

Signed-off-by: Ch. Larose <chl-dev@bugness.org>
@stgraber
Copy link
Member

stgraber commented Oct 18, 2025

I think there's possibly a difference in handling between Incus and LXC.

I suspect the dynamic AppArmor profile generated for unprivileged containers on Incus is more permissive and doesn't need those workarounds unless the container is running in privileged mode and has therefore a stricter AppArmor profile.

I like keeping the workarounds to a minimum, so if it's an issue with LXC specifically, we should tweak the conditions in the script to detect that specifically (possibly by looking at /proc/self/attr/current) and only applying the extra rules in that case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bugness-chl @stgraber