Alexandru Mihail wrote:
> Therefore, I recommend the source route and I'll give you all
> instructions, works on a fresh stable VM. Hope this solves your issue
> Lloyd :D (until perhaps you update to trixie when it comes out)

Hi Alex - thanks for the helpful info and detailed instructions! I was able to easily build the package, but the service would not start. Several hours later I was able to identify the root cause. Unfortunately, it appears I uncovered a new bug. :(

I run mini-httpd in chroot mode. The new systemd unit file in the latest release explicitly blacklists the chroot syscall via the @mount syscall filter group. I've provided a patch below. However, for clarity's sake I think it's best I resolve this bug and open a new one.

Regards
Lloyd

--- mini-httpd.service.default +++ mini-httpd.service.modified @@ -14,7 +14,7 @@ ProtectSystem=full CapabilityBoundingSet=~CAP_BPF CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_TTY_CONFIG \ CAP_SYS_BOOT CAP_MAC_* CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_PTRACE -SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @reboot @raw-io +SystemCallFilter=~@clock @cpu-emulation @debug @module @obsolete @reboot @raw-io RestrictNamespaces=~uts ipc pid user cgroup ProtectKernelTunables=yes ProtectKernelModules=yes @@ -27,4 +27,4 @@ LockPersonality=yes
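
Review bot: on the SystemCallFilter= line, dropping @mount from the deny list re-allows every syscall in that group (mount, umount2, pivot_root and others), not only chroot, which is wider than the chroot mode described above needs. Consider keeping @mount in the deny list and adding a second line after it, `SystemCallFilter=chroot`; when a deny list comes first, systemd treats a later allow-type entry as removing that syscall from the denied set, so only chroot is let back through. A one-line comment in the unit file saying why chroot is exempted would help whoever next tightens the filter.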