namespace: Apply MountAPIVFS= only when a Root directory is set
The MountAPIVFS= documentation says that this option has no effect unless used in conjunction with RootDirectory= or RootImage=. Let's fix this and avoid creating private mount namespaces where they are not needed.
parent
10404d52e3
commit
9c988f934b
|
@ -1670,7 +1670,7 @@ static bool exec_needs_mount_namespace(
|
||||||
context->protect_control_groups)
|
context->protect_control_groups)
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
if (context->mount_apivfs)
|
if (context->mount_apivfs && (context->root_image || context->root_directory))
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
|
|
|
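Review bot: The narrowed test `if (context->mount_apivfs && (context->root_image || context->root_directory))` carries no comment explaining why MountAPIVFS= alone no longer requests a mount namespace. A unit that set only MountAPIVFS= previously got a private mount namespace as a side effect and now does not, so the reason should be recorded at the check. I would add above the `if`: `/* MountAPIVFS= has no effect without RootDirectory=/RootImage=, so it must not force a mount namespace on its own */`. The body of `exec_needs_mount_namespace()` starts outside this hunk, so whether an earlier branch already returns true for `root_image` cannot be seen here.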
@ -816,18 +816,24 @@ static int make_read_only(MountEntry *m, char **blacklist) {
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool namespace_info_mount_apivfs(const NameSpaceInfo *ns_info) {
|
static bool namespace_info_mount_apivfs(const char *root_directory, const NameSpaceInfo *ns_info) {
|
||||||
assert(ns_info);
|
assert(ns_info);
|
||||||
|
|
||||||
/* ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=, since to protect the API VFS mounts,
|
/*
|
||||||
* they need to be around in the first place... */
|
* ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=,
|
||||||
|
* since to protect the API VFS mounts, they need to be around in the
|
||||||
|
* first place... and RootDirectory= or RootImage= need to be set.
|
||||||
|
*/
|
||||||
|
|
||||||
return ns_info->mount_apivfs ||
|
/* root_directory should point to a mount point */
|
||||||
ns_info->protect_control_groups ||
|
return root_directory &&
|
||||||
ns_info->protect_kernel_tunables;
|
(ns_info->mount_apivfs ||
|
||||||
|
ns_info->protect_control_groups ||
|
||||||
|
ns_info->protect_kernel_tunables);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned namespace_calculate_mounts(
|
static unsigned namespace_calculate_mounts(
|
||||||
|
const char* root_directory,
|
||||||
const NameSpaceInfo *ns_info,
|
const NameSpaceInfo *ns_info,
|
||||||
char** read_write_paths,
|
char** read_write_paths,
|
||||||
char** read_only_paths,
|
char** read_only_paths,
|
||||||
|
@ -864,7 +870,7 @@ static unsigned namespace_calculate_mounts(
|
||||||
(ns_info->protect_control_groups ? 1 : 0) +
|
(ns_info->protect_control_groups ? 1 : 0) +
|
||||||
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
|
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
|
||||||
protect_home_cnt + protect_system_cnt +
|
protect_home_cnt + protect_system_cnt +
|
||||||
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
|
(namespace_info_mount_apivfs(root_directory, ns_info) ? ELEMENTSOF(apivfs_table) : 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
int setup_namespace(
|
int setup_namespace(
|
||||||
|
@ -932,6 +938,7 @@ int setup_namespace(
|
||||||
}
|
}
|
||||||
|
|
||||||
n_mounts = namespace_calculate_mounts(
|
n_mounts = namespace_calculate_mounts(
|
||||||
|
root_directory,
|
||||||
ns_info,
|
ns_info,
|
||||||
read_write_paths,
|
read_write_paths,
|
||||||
read_only_paths,
|
read_only_paths,
|
||||||
|
@ -1010,7 +1017,7 @@ int setup_namespace(
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
goto finish;
|
||||||
|
|
||||||
if (namespace_info_mount_apivfs(ns_info)) {
|
if (namespace_info_mount_apivfs(root_directory, ns_info)) {
|
||||||
r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths);
|
r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
goto finish;
|
||||||
|
|
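Review bot: `namespace_info_mount_apivfs(root_directory, ns_info)` is evaluated twice, once in `namespace_calculate_mounts()` to size the mount list and again in `setup_namespace()` before `append_static_mounts(&m, apivfs_table, ...)`, and the two results must agree or the append adds entries that were never counted. The lines between the two calls are outside the hunks; if `root_directory` can be assigned there, the count and the append diverge, so I would note at the second call `/* must match the count from namespace_calculate_mounts(); root_directory may not change in between */`. The helper also sees only `root_directory`, while the caller-side check in the first hunk tests `root_image || root_directory`. If `root_directory` is still NULL at these calls when only RootImage= is set, the API VFS would be skipped in exactly the case the commit message says should keep it. Finally, the new comment `/* root_directory should point to a mount point */` describes more than the code checks, which is only that the pointer is non-NULL.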