On 7/6/2023 11:31:53 PM, "Daniel Black via discuss" <discuss@lists.mariadb.org> wrote:
> For confidence look at strace -fe trace=openat mariabackup and you'll see the datadir files are opened O_RDONLY.

I'm not a C programmer but I guess that means the openat(2) calls we can see mariabackup make aren't reckless, which is good. In general I trust [Mm]aria* more than I trust myself, which points to the other problem: my script...

> https://www.freedesktop.org/software/systemd/man/systemd.exec.html#BindPaths... It's also possible to make the /var/lib/mysql readonly for this service without affecting mariadbd.

Interesting. Bind mounts are a handy trick in lxc too. systemd is full of nutritious goodness. I keep meaning to read the manual but it's so long.

> SELinux rules can make a tighter constraint, though would impede the copyback functionality when a restore occurs. Though could be enforced on the backup context - https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SELinuxCo...

Many years ago I promised myself a special reward in heaven if I can get to my grave without having engaged with SELinux.

Thanks for your interest, Daniel

Tom
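
The strace check suggested in the thread can be automated. The following is an added example, not part of either poster's message and not MariaDB project code: a shell function that reads strace output and reports any openat() under the datadir that is not read-only. The function name, the sample trace lines and the /backup/target path are constructed for illustration.

```shell
# Added example. Feed it a trace captured with, for instance:
#   strace -f -e trace=openat -o trace.txt mariabackup --backup --target-dir=/backup/target
#   check_datadir_opens /var/lib/mysql < trace.txt
# Prints every offending line; returns 0 if all datadir opens are read-only, 1 otherwise.
# Limitation: only absolute paths are compared, relative opens are not resolved.
check_datadir_opens() {
    awk -v dir="$1" '
        # openat(dirfd, "path", FLAGS[, mode]) = ret
        match($0, /openat\([^,]+, "[^"]*", [A-Z_|0-9]+/) {
            call = substr($0, RSTART, RLENGTH)
            split(call, part, "\"")
            path = part[2]
            flags = part[3]
            sub(/^, /, "", flags)
            # Only files at or below the datadir are of interest
            # ("/var/lib/mysql-files" must not match "/var/lib/mysql").
            if (path != dir && index(path, dir "/") != 1) next
            # Require O_RDONLY and reject flags that create or modify the file.
            if (flags !~ /(^|[|])O_RDONLY([|]|$)/ || flags ~ /O_(CREAT|TRUNC|APPEND)/) {
                print "NOT READ-ONLY: " $0
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample trace lines (not captured from a real run).
SAMPLE_TRACE_OK='4242 openat(AT_FDCWD, "/var/lib/mysql/ibdata1", O_RDONLY|O_CLOEXEC) = 7
4242 openat(AT_FDCWD, "/var/lib/mysql-files/x.tmp", O_WRONLY|O_CREAT, 0600) = 8
4243 openat(AT_FDCWD, "/backup/target/ibdata1", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0660) = 9'

SAMPLE_TRACE_BAD="$SAMPLE_TRACE_OK
[pid 4244] openat(AT_FDCWD, \"/var/lib/mysql/db1/t1.ibd\", O_RDWR|O_CLOEXEC) = 10"
```

A non-zero return from a wrapper script is a cheap regression check to run after changing the backup script or upgrading mariabackup.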