FUSE can make our fs namespacing service sandboxing fail #9872

@sourcejedi

Description

systemd version the issue has been seen with
v238

Used distribution
Fedora Workstation 28.
Please note, I used setenforce 0. Otherwise the test unit failed with a SELinux denial.

Expected behaviour you didn't see
System service starts successfully, even if nested FUSE mounts died uncleanly.

Unexpected behaviour you saw
System service fails with "NAMESPACE" error, if nested FUSE mounts have died uncleanly.

Steps to reproduce the problem

  1. bindfs /mnt /mnt
  2. bindfs /mnt/mnt /mnt/mnt
  3. killall -9 bindfs
  4. systemctl start test.service

(To clean up, run umount -l /mnt).

Test service is the same as in #9844.

This reproducer is not quite so urgent as #9844. You need root to set up the mounts this way, unless you have user_allow_other in fuse.conf. But I think it is still undesirable.

Maybe there are other case(s), where unprivileged users are allowed to create nested FUSE mounts, in the main namespace, but I haven't found one yet.

# /etc/systemd/system/test.service
[Service]

DynamicUser=yes
User=test-service
StateDirectory=test-service

ProtectSystem=strict

Type=oneshot
ExecStart=/bin/touch /var/lib/test-service
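The report above describes a unit failing with a NAMESPACE error once nested FUSE mounts have lost their daemon. An administrator triaging that failure wants to know, before restarting the unit, which FUSE mounts are nested and which of them are already dead. The following script is an added example, not code from the issue or from systemd: it parses /proc/self/mountinfo, lists FUSE mounts whose parent mount is also FUSE, and classifies each by calling stat(2) on the mount point. It assumes (as is the case for a FUSE mount whose process has exited) that such a mount point answers stat with ENOTCONN; the mountinfo sample embedded below is constructed to mirror the bindfs-on-bindfs layout of the reproducer and is not captured from a real system.

```python
import errno
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of /proc/self/mountinfo (not a real capture): the root
# filesystem, a bindfs FUSE mount on /mnt, and a second bindfs mount nested
# on /mnt/mnt, i.e. the layout the reproducer builds.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
60 22 0:45 / /mnt rw,nosuid,nodev,relatime shared:30 - fuse.bindfs bindfs rw,user_id=0,group_id=0,default_permissions,allow_other
61 60 0:46 / /mnt/mnt rw,nosuid,nodev,relatime shared:31 - fuse.bindfs bindfs rw,user_id=0,group_id=0,default_permissions,allow_other
"""


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    mount_point: str
    fstype: str
    source: str


def unescape_mountinfo(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse mountinfo lines; fields before ' - ' are positional, the optional
    shared:/master: tags vary in number, so the separator is located first."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        mounts.append(Mount(
            mount_id=int(pre_fields[0]),
            parent_id=int(pre_fields[1]),
            mount_point=unescape_mountinfo(pre_fields[4]),
            fstype=post_fields[0],
            source=unescape_mountinfo(post_fields[1]) if len(post_fields) > 1 else "",
        ))
    return mounts


def is_fuse(mount: Mount) -> bool:
    # FUSE filesystems report "fuse" or "fuse.<subtype>" (e.g. fuse.bindfs).
    return mount.fstype == "fuse" or mount.fstype.startswith("fuse.")


def find_nested_fuse(mounts: List[Mount]) -> List[Mount]:
    """FUSE mounts whose parent mount is itself FUSE: the case in the report."""
    by_id: Dict[int, Mount] = {m.mount_id: m for m in mounts}
    return [m for m in mounts
            if is_fuse(m) and m.parent_id in by_id and is_fuse(by_id[m.parent_id])]


def mount_status(path: str, stat_fn: Callable[[str], object] = os.stat) -> str:
    """'ok' if the mount point answers stat, 'disconnected' if the FUSE daemon
    is gone (ENOTCONN), otherwise the errno name. stat_fn is injectable so the
    dead-mount branch can be exercised without a real FUSE mount."""
    try:
        stat_fn(path)
    except OSError as exc:
        if exc.errno == errno.ENOTCONN:
            return "disconnected"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    return "ok"


def report(mounts: List[Mount], stat_fn: Callable[[str], object] = os.stat) -> Dict[str, str]:
    """Map each nested FUSE mount point to its status."""
    return {m.mount_point: mount_status(m.mount_point, stat_fn) for m in find_nested_fuse(mounts)}


if __name__ == "__main__":
    # On Linux read the live table; elsewhere fall back to the constructed sample.
    if os.path.exists("/proc/self/mountinfo"):
        with open("/proc/self/mountinfo") as fh:
            live = fh.read()
    else:
        live = SAMPLE_MOUNTINFO
    for point, status in report(parse_mountinfo(live)).items():
        print(f"{status:12s} {point}")
```

Run as root on the host after step 3 of the reproducer and /mnt/mnt is reported as disconnected; a clean table prints nothing. The stat call is done without the systemd namespace machinery, so it only tells you which mount points are dead, not what systemd will do about them.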
