From b5a33299b055714e9ead2db33243f811ea488afa Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Tue, 1 May 2018 13:33:34 +0900
Subject: [PATCH] core: disable namespace sandboxing for '+' prefixed lines

Fixes #8842.
---
 src/core/execute.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/core/execute.c b/src/core/execute.c
index e9d244a9ae..11bf176f6b 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2293,14 +2293,7 @@ static int apply_mount_namespace(
         _cleanup_strv_free_ char **empty_directories = NULL;
         char *tmp = NULL, *var = NULL;
         const char *root_dir = NULL, *root_image = NULL;
-        NamespaceInfo ns_info = {
-                .ignore_protect_paths = false,
-                .private_dev = context->private_devices,
-                .protect_control_groups = context->protect_control_groups,
-                .protect_kernel_tunables = context->protect_kernel_tunables,
-                .protect_kernel_modules = context->protect_kernel_modules,
-                .mount_apivfs = context->mount_apivfs,
-        };
+        NamespaceInfo ns_info = {};
         bool needs_sandboxing;
         BindMount *bind_mounts = NULL;
         size_t n_bind_mounts = 0;
@@ -2340,6 +2333,16 @@ static int apply_mount_namespace(
 
         needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
 
+        if (needs_sandboxing)
+                ns_info = (NamespaceInfo) {
+                        .ignore_protect_paths = false,
+                        .private_dev = context->private_devices,
+                        .protect_control_groups = context->protect_control_groups,
+                        .protect_kernel_tunables = context->protect_kernel_tunables,
+                        .protect_kernel_modules = context->protect_kernel_modules,
+                        .mount_apivfs = context->mount_apivfs,
+                };
+
         r = setup_namespace(root_dir, root_image, &ns_info,
                             context->read_write_paths,
                             needs_sandboxing ? context->read_only_paths : NULL,
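Review bot: The new `if (needs_sandboxing)` block in the second hunk carries no comment stating that a command with EXEC_COMMAND_FULLY_PRIVILEGED (the '+' prefix) now runs with every field of `ns_info` left at the zero value from the first hunk, so a reader of apply_mount_namespace() cannot tell from the code that skipping PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, ProtectControlGroups= and MountAPIVFS= for such lines is deliberate. A comment above the branch would carry the intent: `/* '+' commands (EXEC_COMMAND_FULLY_PRIVILEGED) keep the zeroed ns_info: none of the Protect*=/PrivateDevices=/MountAPIVFS= mounts are applied to them; only the parts of setup_namespace() that do not depend on needs_sandboxing still take effect. */`. Inside the compound literal `.ignore_protect_paths = false` is redundant now that `ns_info` is zero-initialised at declaration, and dropping it leaves the literal listing only the fields that actually come from `context`. apply_mount_namespace() begins before the first hunk and ends after the second.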