core: make StateDirectory= or friends works with DynamicUser= and RootDirectory=/RootImage=
The symbolic links to private directories specified by StateDirectory= or its friends are created on the host. So, when DynamicUser= and RootDirectory=/RootImage= are set, then the executed process cannot access private directory. This makes the private directories are mounted on the non-private place when both DynamicUser= and RootDirectory=/RootImage= are set. Fixes #8965.
This commit is contained in:
parent
e4aa2c34d5
commit
5609f6888b
|
@ -2220,7 +2220,8 @@ static int compile_bind_mounts(
|
|||
continue;
|
||||
|
||||
if (context->dynamic_user &&
|
||||
!IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION)) {
|
||||
!IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) &&
|
||||
!(context->root_directory || context->root_image)) {
|
||||
char *private_root;
|
||||
|
||||
/* So this is for a dynamic user, and we need to make sure the process can access its own
|
||||
|
@ -2251,7 +2252,15 @@ static int compile_bind_mounts(
|
|||
goto finish;
|
||||
}
|
||||
|
||||
d = strdup(s);
|
||||
if (context->dynamic_user &&
|
||||
!IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) &&
|
||||
(context->root_directory || context->root_image))
|
||||
/* When RootDirectory= or RootImage= are set, then the symbolic link to the private
|
||||
* directory is not created on the root directory. So, let's bind-mount the directory
|
||||
* on the 'non-private' place. */
|
||||
d = strjoin(params->prefix[t], "/", *suffix);
|
||||
else
|
||||
d = strdup(s);
|
||||
if (!d) {
|
||||
free(s);
|
||||
r = -ENOMEM;
|
||||
|
|
Loading…
Reference in New Issue