namespace: Apply MountAPIVFS= only when a Root directory is set

The MountAPIVFS= documentation says that this option has no effect
unless used in conjunction with RootDirectory= or RootImage=. Let's fix
this and avoid creating private mount namespaces where they are not
needed.
Djalal Harouni 2017-03-05 21:39:43 +01:00
parent 10404d52e3
commit 9c988f934b
2 changed files with 16 additions and 9 deletions


@ -1670,7 +1670,7 @@ static bool exec_needs_mount_namespace(
context->protect_control_groups) context->protect_control_groups)
return true; return true;
if (context->mount_apivfs) if (context->mount_apivfs && (context->root_image || context->root_directory))
return true; return true;
return false; return false;
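Review bot: The rewritten test `if (context->mount_apivfs && (context->root_image || context->root_directory))` carries no comment saying why MountAPIVFS= alone no longer forces a private mount namespace. A reader comparing it with the neighbouring protect_* checks will want that reason spelled out. I would add `/* MountAPIVFS= only has an effect together with RootDirectory=/RootImage=, so on its own it needs no mount namespace */` directly above it. The body of exec_needs_mount_namespace() starts and ends outside the hunk, so whether the root settings already return true earlier in the function cannot be seen from here.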


@ -816,18 +816,24 @@ static int make_read_only(MountEntry *m, char **blacklist) {
return r; return r;
} }
static bool namespace_info_mount_apivfs(const NameSpaceInfo *ns_info) { static bool namespace_info_mount_apivfs(const char *root_directory, const NameSpaceInfo *ns_info) {
assert(ns_info); assert(ns_info);
/* ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=, since to protect the API VFS mounts, /*
* they need to be around in the first place... */ * ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=,
* since to protect the API VFS mounts, they need to be around in the
* first place... and RootDirectory= or RootImage= need to be set.
*/
return ns_info->mount_apivfs || /* root_directory should point to a mount point */
ns_info->protect_control_groups || return root_directory &&
ns_info->protect_kernel_tunables; (ns_info->mount_apivfs ||
ns_info->protect_control_groups ||
ns_info->protect_kernel_tunables);
} }
static unsigned namespace_calculate_mounts( static unsigned namespace_calculate_mounts(
const char* root_directory,
const NameSpaceInfo *ns_info, const NameSpaceInfo *ns_info,
char** read_write_paths, char** read_write_paths,
char** read_only_paths, char** read_only_paths,
@ -864,7 +870,7 @@ static unsigned namespace_calculate_mounts(
(ns_info->protect_control_groups ? 1 : 0) + (ns_info->protect_control_groups ? 1 : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) + (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
protect_home_cnt + protect_system_cnt + protect_home_cnt + protect_system_cnt +
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0); (namespace_info_mount_apivfs(root_directory, ns_info) ? ELEMENTSOF(apivfs_table) : 0);
} }
int setup_namespace( int setup_namespace(
@ -932,6 +938,7 @@ int setup_namespace(
} }
n_mounts = namespace_calculate_mounts( n_mounts = namespace_calculate_mounts(
root_directory,
ns_info, ns_info,
read_write_paths, read_write_paths,
read_only_paths, read_only_paths,
@ -1010,7 +1017,7 @@ int setup_namespace(
if (r < 0) if (r < 0)
goto finish; goto finish;
if (namespace_info_mount_apivfs(ns_info)) { if (namespace_info_mount_apivfs(root_directory, ns_info)) {
r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths); r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths);
if (r < 0) if (r < 0)
goto finish; goto finish;
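Review bot: namespace_info_mount_apivfs() gates on `root_directory` alone, while the commit message, the new in-code comment and the condition added to exec_needs_mount_namespace() all treat RootImage= as sufficient too. Whether setup_namespace() points root_directory at the image's mount point before the two call sites is decided outside the hunks shown. If it does not, a RootImage= unit would get no API VFS mounts, and ProtectKernelTunables=/ProtectControlGroups= may have nothing to apply to inside the new root. The short comment `/* root_directory should point to a mount point */` hints at this dependency. I would state it as an invariant, e.g. `/* callers must pass the effective root: RootDirectory= or the mount point chosen for RootImage= */`, or pass the image setting into the helper so both files test the same predicate.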