Question concerning ProtectKernelModules setting in systemd service #378
Reference: borgmatic-collective/borgmatic#378
What I'm trying to do and why
I run borgmatic via systemd, using the borgmatic.timer and borgmatic.service, in order to make a full backup of my system. When running borgmatic create, the directory /usr/lib/modules is included, but when running the automatic backup via the systemd service the content of the directory is missing, I guess due to the ProtectKernelModules=yes setting. Do I have to turn this to "off" in order to back up this directory too?
Steps to reproduce (if a bug)
My systemd service and timer are unchanged from here.
Actual behavior (if a bug)
Expected behavior (if a bug)
Other notes / implementation ideas
Environment
My version information is unchanged from here.
I just read over #352 and #354. Is ProtectKernelModule just a recommendation here? @palto42 could you check this?
@csteinforth I don't think that your issue is related to ProtectKernelModules, since this is about dynamic loading of kernel modules (as the name suggests).
My first thought was that the reason why some /usr/lib/modules are excluded is more likely the setting of ProtectSystem, but from the documentation this should only make those paths read-only. Currently it's not clear why any of these settings may exclude /usr/lib/modules.
I would disable (comment out with #) all the systemd service security settings and, if this solves the problem, re-enable them one by one to check which one causes your problem.
All these settings are optional to improve system security, so you can disable some if they cause issues for your use case.
@palto42 thanks for your answer. According to the documentation, /usr/lib/modules is made inaccessible (whatever that means), so I will start with this one to comment out.
Edit: I disabled ProtectKernelModule and /usr/lib/modules is part of my backup. So this seems to solve the problem. This is really valuable information. I suspected that those settings are mandatory somehow, but if disabling is possible this should solve my issue here.
@witten do you think it would be a good idea to add a comment on this to the systemd example file?
@csteinforth You are right, I overlooked the hint in the ProtectKernelModules description that it makes /usr/lib/modules inaccessible.
Not fully sure, but it seems to me that it's not possible to allow read-only access to this path with the ReadOnlyPaths= setting, as the documentation mentions that InaccessiblePaths don't support nested ReadOnlyPaths.
So the only option seems to be disabling ProtectKernelModules in order to back up /usr/lib/modules.
Good idea.. Done! I'll mark this ticket as resolved.. Let me know if there's anything else. Thanks @palto42 for fielding it.
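As an added illustration (not from this issue and not borgmatic's own sample unit), here is a systemd drop-in override that implements the conclusion reached above: it relaxes only ProtectKernelModules, the directive identified as hiding /usr/lib/modules from the service, while leaving every other hardening setting in borgmatic.service untouched. The unit name borgmatic.service is taken from the thread; the drop-in file name is an assumption and can be anything ending in .conf.

```ini
# /etc/systemd/system/borgmatic.service.d/kernel-modules.conf
# Added example, not borgmatic's own unit file. A drop-in only overrides the
# directives it names; all other settings in borgmatic.service stay in force.
[Service]
# ProtectKernelModules=yes also makes /usr/lib/modules inaccessible inside the
# service's mount namespace, so a full-system backup run from the unit
# silently misses that directory. Relax just this one directive so the
# backup can read it; the remaining hardening (ProtectSystem, etc.) is kept.
ProtectKernelModules=no
```

After `systemctl daemon-reload`, `systemctl show borgmatic.service -p ProtectKernelModules` reports the effective value, and `systemd-analyze security borgmatic.service` shows what the change costs in the unit's hardening score. To see the effect directly, `systemd-run --wait -p ProtectKernelModules=yes ls /usr/lib/modules` shows the directory empty or inaccessible (the symptom reported at the top of the thread), while the same command with `-p ProtectKernelModules=no` lists its contents.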