picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

core/namespace: drop conditions depends on root is empty or not

Browse source 
After 0722b35934, the variable `root`
is always set.
This commit is contained in:
Yu Watanabe 2018-07-29 00:38:36 +09:00
parent 685499007f
commit 9b68367b3a
1 changed files with 20 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
src/core/namespace.c
View file

@ -1029,24 +1029,21 @@ static int make_read_only(const MountEntry *m, char **blacklist, FILE *proc_self
return r; return r;
} }
static bool namespace_info_mount_apivfs(const char *root_directory, const NamespaceInfo *ns_info) { static bool namespace_info_mount_apivfs(const NamespaceInfo *ns_info) {
assert(ns_info); assert(ns_info);
/* /*
* ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=, * ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=,
* since to protect the API VFS mounts, they need to be around in the * since to protect the API VFS mounts, they need to be around in the
* first place... and RootDirectory= or RootImage= need to be set. * first place...
*/ */
/* root_directory should point to a mount point */ return ns_info->mount_apivfs ||
return root_directory && ns_info->protect_control_groups ||
(ns_info->mount_apivfs || ns_info->protect_kernel_tunables;
ns_info->protect_control_groups ||
ns_info->protect_kernel_tunables);
} }
static size_t namespace_calculate_mounts( static size_t namespace_calculate_mounts(
const char* root_directory,
const NamespaceInfo *ns_info, const NamespaceInfo *ns_info,
char** read_write_paths, char** read_write_paths,
char** read_only_paths, char** read_only_paths,
@ -1088,10 +1085,11 @@ static size_t namespace_calculate_mounts(
(ns_info->protect_control_groups ? 1 : 0) + (ns_info->protect_control_groups ? 1 : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) + (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
protect_home_cnt + protect_system_cnt + protect_home_cnt + protect_system_cnt +
(namespace_info_mount_apivfs(root_directory, ns_info) ? ELEMENTSOF(apivfs_table) : 0); (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
} }
static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) { static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
assert(root_directory);
assert(n_mounts); assert(n_mounts);
assert(mounts || *n_mounts == 0); assert(mounts || *n_mounts == 0);
@ -1127,11 +1125,9 @@ int setup_namespace(
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL; _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
_cleanup_free_ void *root_hash = NULL; _cleanup_free_ void *root_hash = NULL;
MountEntry *m, *mounts = NULL; MountEntry *m, *mounts = NULL;
size_t root_hash_size = 0; size_t n_mounts, root_hash_size = 0;
const char *root;
size_t n_mounts;
bool make_slave;
bool require_prefix = false; bool require_prefix = false;
const char *root;
int r = 0; int r = 0;
assert(ns_info); assert(ns_info);
@ -1181,7 +1177,6 @@ int setup_namespace(
} }
n_mounts = namespace_calculate_mounts( n_mounts = namespace_calculate_mounts(
root,
ns_info, ns_info,
read_write_paths, read_write_paths,
read_only_paths, read_only_paths,
@ -1192,9 +1187,6 @@ int setup_namespace(
tmp_dir, var_tmp_dir, tmp_dir, var_tmp_dir,
protect_home, protect_system); protect_home, protect_system);
/* Set mount slave mode */
make_slave = root || n_mounts > 0 || ns_info->private_mounts;
if (n_mounts > 0) { if (n_mounts > 0) {
m = mounts = (MountEntry *) alloca0(n_mounts * sizeof(MountEntry)); m = mounts = (MountEntry *) alloca0(n_mounts * sizeof(MountEntry));
r = append_access_mounts(&m, read_write_paths, READWRITE, require_prefix); r = append_access_mounts(&m, read_write_paths, READWRITE, require_prefix);
@ -1271,7 +1263,7 @@ int setup_namespace(
if (r < 0) if (r < 0)
goto finish; goto finish;
if (namespace_info_mount_apivfs(root, ns_info)) { if (namespace_info_mount_apivfs(ns_info)) {
r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths); r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths);
if (r < 0) if (r < 0)
goto finish; goto finish;
@ -1292,13 +1284,11 @@ int setup_namespace(
goto finish; goto finish;
} }
if (make_slave) { /* Remount / as SLAVE so that nothing now mounted in the namespace
/* Remount / as SLAVE so that nothing now mounted in the namespace * shows up in the parent */
shows up in the parent */ if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) { r = -errno;
r = -errno; goto finish;
goto finish;
}
} }
if (root_image) { if (root_image) {
@ -1328,7 +1318,7 @@ int setup_namespace(
} }
} }
} else if (root) { } else {
/* Let's mount the main root directory to the root directory to use */ /* Let's mount the main root directory to the root directory to use */
if (mount("/", root, NULL, MS_BIND|MS_REC, NULL) < 0) { if (mount("/", root, NULL, MS_BIND|MS_REC, NULL) < 0) {
@ -1402,12 +1392,10 @@ int setup_namespace(
} }
} }
if (root) { /* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
/* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */ r = mount_move_root(root);
r = mount_move_root(root); if (r < 0)
if (r < 0) goto finish;
goto finish;
}
/* Remount / as the desired mode. Note that this will not /* Remount / as the desired mode. Note that this will not
* reestablish propagation from our side to the host, since * reestablish propagation from our side to the host, since