From 937ccce94cf2204a7bc78749d7b32c8ecbc71022 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 1 Aug 2017 11:44:37 +0200
Subject: [PATCH] execute: simplify needs_sandboxing checking
Let's merge three if blocks that shall only run when sandboxing is applied into one. Note that this changes behaviour in one corner case: PrivateUsers=1 is now honours both PermissionsStartOnly= and the "+" modifier in ExecStart=, and not just the former, as before. This was an oversight, so let's fix this now, at a point in time the option isn't used much yet.
---
 src/core/execute.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index 0f20765f22..96bf799f66 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2711,23 +2711,23 @@ static int exec_child(
 *exit_status = EXIT_GROUP;
 return r;
 }
- }
 #ifdef HAVE_SELINUX
- if (needs_sandboxing && needs_selinux && params->selinux_context_net && socket_fd >= 0) {
- r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
- if (r < 0) {
- *exit_status = EXIT_SELINUX_CONTEXT;
- return r;
+ if (needs_selinux && params->selinux_context_net && socket_fd >= 0) {
+ r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
+ if (r < 0) {
+ *exit_status = EXIT_SELINUX_CONTEXT;
+ return r;
+ }
 }
- }
 #endif
- if ((params->flags & EXEC_APPLY_SANDBOXING) && context->private_users) {
- r = setup_private_users(uid, gid);
- if (r < 0) {
- *exit_status = EXIT_USER;
- return r;
+ if (context->private_users) {
+ r = setup_private_users(uid, gid);
+ if (r < 0) {
+ *exit_status = EXIT_USER;
+ return r;
+ }
 }
 }
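Review bot: The relocated `if (context->private_users)` block carries no comment saying that skipping `setup_private_users()` for "+"-prefixed commands is deliberate, and the diffstat shows only src/core/execute.c changing, so no documentation or test pins the new behaviour. This check decides whether a command runs inside the private user namespace or keeps the host's UID mapping, so a later refactor could silently change that privilege boundary. I would add `/* Part of sandboxing: not applied to "+" commands or where PermissionsStartOnly= turns sandboxing off */` above the block. The same remark covers the SELinux MLS label lookup just before it. The enclosing `if` opens outside the hunk, so its exact condition (presumably `needs_sandboxing`, going by the subject line) should be confirmed there.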