From 10404d52e3402cd312a487fb88c23939ba35234a Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Sun, 5 Mar 2017 21:19:29 +0100
Subject: [PATCH] namespace: create base-filesystem directories if RootImage= or RootDirectory= are set

When a service is started with its own file system image, always try to create the base-filesystem directories that are needed. This implicitly covers the directories handled by MountAPIVFS= {/proc|/sys|/dev}.

Mount protections or MountAPIVFS= mounts were never applied if we changed the root directory and the related paths were not present under the new root. The mounts were silently.

Fix this by creating those directories if they are missing.

Closes https://github.com/systemd/systemd/issues/5488
---
 src/core/namespace.c | 5 +++++
 src/shared/base-filesystem.c | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 4f29217bc4..673b836489 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -27,6 +27,7 @@
 #include
 
 #include "alloc-util.h"
+#include "base-filesystem.h"
 #include "dev-setup.h"
 #include "fd-util.h"
 #include "fs-util.h"
@@ -1044,6 +1045,10 @@ int setup_namespace(
                 }
         }
 
+        /* Try to set up the new root directory before mounting anything there */
+        if (root_directory)
+                (void) base_filesystem_create(root_directory, UID_INVALID, GID_INVALID);
+
         if (root_image) {
                 r = dissected_image_mount(dissected_image, root_directory, dissect_image_flags);
                 if (r < 0)
diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
index 127cbe44e3..5cbb2ec3dd 100644
--- a/src/shared/base-filesystem.c
+++ b/src/shared/base-filesystem.c
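Review bot: The result of base_filesystem_create() is discarded with the `(void)` cast on the added call, so when the directories cannot be created under root_directory the MountAPIVFS= and protection mounts that follow fail in exactly the silent way this commit sets out to fix; at minimum the failure should be logged, e.g. `r = base_filesystem_create(root_directory, UID_INVALID, GID_INVALID); if (r < 0) log_debug_errno(r, "Failed to create base filesystem in %s, ignoring: %m", root_directory);`. The call is also placed before dissected_image_mount() mounts the image onto root_directory, so for RootImage= the directories appear to be created in the host-side mount point and then shadowed by the image rather than inside the image itself — confirm whether a later part of setup_namespace covers the image case, otherwise the call belongs after the mount for that path. setup_namespace() begins before this hunk and continues after it.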
@@ -51,6 +51,9 @@ static const BaseFilesystem table[] = {
         { "usr", 0755, NULL, NULL },
         { "var", 0755, NULL, NULL },
         { "etc", 0755, NULL, NULL },
+        { "proc", 0755, NULL, NULL, true },
+        { "sys", 0755, NULL, NULL, true },
+        { "dev", 0755, NULL, NULL, true },
 #if defined(__i386__) || defined(__x86_64__)
         { "lib64", 0, "usr/lib/x86_64-linux-gnu\0"
                       "usr/lib64\0", "ld-linux-x86-64.so.2" },
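Review bot: The three new rows pass a fifth positional `true` while every existing row passes four values, so the meaning of that flag is invisible here and the older rows silently depend on implicit zero-initialization of the same field. The BaseFilesystem definition is outside this hunk and the diffstat shows no header change, so the field presumably already exists; a designated initializer naming it, or a one-line comment above the rows such as `/* API VFS mount points: created so MountAPIVFS= and mount protections have a target under the new root */`, would document what `true` selects. The table declaration starts before this hunk and continues after it.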