core: make StateDirectory= or friends works with DynamicUser= and RootDirectory=/RootImage=
The symbolic links to private directories specified by StateDirectory= or its friends are created on the host. So, when DynamicUser= and RootDirectory=/RootImage= are set, then the executed process cannot access private directory. This makes the private directories are mounted on the non-private place when both DynamicUser= and RootDirectory=/RootImage= are set. Fixes #8965.
This commit is contained in:
parent
e4aa2c34d5
commit
5609f6888b
|
@ -2220,7 +2220,8 @@ static int compile_bind_mounts(
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (context->dynamic_user &&
|
if (context->dynamic_user &&
|
||||||
!IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION)) {
|
!IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) &&
|
||||||
|
!(context->root_directory || context->root_image)) {
|
||||||
char *private_root;
|
char *private_root;
|
||||||
|
|
||||||
/* So this is for a dynamic user, and we need to make sure the process can access its own
|
/* So this is for a dynamic user, and we need to make sure the process can access its own
|
||||||
|
@ -2251,7 +2252,15 @@ static int compile_bind_mounts(
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
|
|
||||||
d = strdup(s);
|
if (context->dynamic_user &&
|
||||||
|
!IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) &&
|
||||||
|
(context->root_directory || context->root_image))
|
||||||
|
/* When RootDirectory= or RootImage= are set, then the symbolic link to the private
|
||||||
|
* directory is not created on the root directory. So, let's bind-mount the directory
|
||||||
|
* on the 'non-private' place. */
|
||||||
|
d = strjoin(params->prefix[t], "/", *suffix);
|
||||||
|
else
|
||||||
|
d = strdup(s);
|
||||||
if (!d) {
|
if (!d) {
|
||||||
free(s);
|
free(s);
|
||||||
r = -ENOMEM;
|
r = -ENOMEM;
|
||||||
|
|
Loading…
Reference in a new issue