Question concerning ProtectKernelModules setting in systemd service #378

Closed
opened 2020-12-08 07:17:44 +00:00 by csteinforth · 5 comments

What I'm trying to do and why

I run borgmatic via systemd and the borgmatic.timer and borgmatic.service in order to make a full backup of my system. When running borgmatic create the directory /usr/lib/modules is included, but when running the automatic backup via the systemd service the content of the directory is missing, I guess due to the ProtectKernelModules=yes setting. Do I have to turn this to "off" in order to backup this directory too?

Steps to reproduce (if a bug)

location:
    source_directories:
        - /

    repositories:
        - /mnt/data/EOSSystem

    exclude_patterns:
        - /dev
        - /run
        - /sys
        - /home
        - ...

My systemd service and timer are unchanged from here (https://projects.torsion.org/witten/borgmatic/issues/376#issue-563).

Actual behavior (if a bug)


Expected behavior (if a bug)


Other notes / implementation ideas

Environment

My version information is unchanged from here (https://projects.torsion.org/witten/borgmatic/issues/376#issue-563).

Author

I just read over #352 and #354. Is ProtectKernelModule just a recommendation here? @palto42 could you check this?

Contributor

@csteinforth I don't think that your issue is related to ProtectKernelModules (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=) since this is about dynamic loading of kernel modules (as the name suggests).

My first thought was that the reason why some /usr/lib/modules are excluded is more likely the setting of ProtectSystem (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=), but from the documentation this should only make those paths read-only. Currently it's not clear why any of these settings may exclude /usr/lib/modules.

I would disable (comment out with #) all the systemd service security settings and, if this solves the problem, re-enable them one by one to check which one causes your problem.

All these settings are optional to improve system security, so you can disable some if they cause issues for your use case.

Author

@palto42 thanks for your answer. According to the documentation (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=) /usr/lib/modules is made inaccessible (whatever that means), so I will actually start by commenting out this one.

Edit: I disabled ProtectKernelModules and /usr/lib/modules is part of my backup. So this seems to solve the problem.

> All these settings are optional to improve system security, so you can disable some if they cause issues for your use case.

This is really valuable information. I suspected that those settings are mandatory somehow, but if disabling is possible this should solve my issue here.

@witten do you think it would be a good idea to add a comment on this to the system example file?

Contributor

@csteinforth You are right, I overlooked the hint in the ProtectKernelModules (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=) description that it makes /usr/lib/modules inaccessible.

Not fully sure, but it seems to me that it's not possible to allow read-only access to this path with the setting ReadOnlyPaths= (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=), as it mentions that InaccessiblePaths= doesn't support nested ReadOnlyPaths=.

So the only option seems to be to disable ProtectKernelModules in order to back up /usr/lib/modules.

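What palto42's "disable them one by one" check and the final answer look like in practice, as an added example that is not code from borgmatic or from anyone in this thread. It assumes root on a systemd host, and the HARDENING_DIRECTIVES list is a guess at what the shipped unit sets, not the real file.

```shell
#!/bin/sh
# Added example, not from the borgmatic project or this thread.
# probe_path runs ONE systemd.exec directive in a throwaway transient unit
# and checks whether a path still has contents there, so the "comment out
# one by one" advice needs no edits to borgmatic.service at all;
# dropin_contents is an override that relaxes only ProtectKernelModules.
# Assumes root on a systemd host; HARDENING_DIRECTIVES is a guess at the
# shipped unit's settings (adjust to the real file).
set -eu

HARDENING_DIRECTIVES="ProtectKernelModules=yes ProtectSystem=full ProtectHome=yes PrivateDevices=yes"

# probe_path DIRECTIVE PATH: returns 0 and prints "visible" when PATH has
# entries inside the sandbox, 1 and "hidden" otherwise. Under
# ProtectKernelModules=yes the directory still exists but is empty, which
# is exactly the symptom reported in this issue.
probe_path() {
    if systemd-run --quiet --wait --pipe --collect -p "$1" \
           /bin/sh -c '[ -n "$(ls -A "$1" 2>/dev/null)" ]' probe "$2" \
           >/dev/null 2>&1; then
        echo "$1: $2 visible"; return 0
    fi
    echo "$1: $2 hidden"; return 1
}

# probe_all PATH: try every directive in turn and report each result.
probe_all() {
    for d in $HARDENING_DIRECTIVES; do probe_path "$d" "$1" || true; done
}

# dropin_contents: override for borgmatic.service that flips only
# ProtectKernelModules. ReadOnlyPaths= is not an alternative: systemd does
# not allow read-only paths nested inside InaccessiblePaths=, and
# ProtectKernelModules=yes puts /usr/lib/modules in that category.
dropin_contents() {
    cat <<'EOF'
[Service]
# Needed so /usr/lib/modules ends up in the backup; every other sandboxing
# directive from the shipped unit stays in force.
ProtectKernelModules=no
EOF
}

# install_dropin: write the override and reload systemd so it applies.
install_dropin() {
    mkdir -p /etc/systemd/system/borgmatic.service.d
    dropin_contents > /etc/systemd/system/borgmatic.service.d/10-kernel-modules.conf
    systemctl daemon-reload
}

if [ "${1:-}" = "probe" ] && command -v systemd-run >/dev/null 2>&1; then
    probe_all /usr/lib/modules
fi
```

Run it with `probe` as the first argument to see which directive hides /usr/lib/modules, then call install_dropin once you are happy with the override.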
Owner

> do you think it would be a good idea to add a comment on this to the system example file?

Good idea.. Done! I'll mark this ticket as resolved.. Let me know if there's anything else. Thanks @palto42 for fielding it.

witten added the "question / support" label 2020-12-09 18:10:31 +00:00
Reference: borgmatic-collective/borgmatic#378