Systemd/src
Lennart Poettering 4e67759960 core: be more lenient when checking whether sandboxing is necessary
In some containers unshare() is made unavailable entirely. Let's deal
with this more gracefully and disable our sandboxing of services
then, so that we work in a container, under the assumption the container
manager is then responsible for sandboxing if we can't do it ourselves.

Previously, we'd insist on sandboxing as soon as any form of BindPath=
is used. With this change we only insist on it if we have a setting like
that where source and destination differ, i.e. there's a mapping
established that actually rearranges things, and thus would result in
systematically different behaviour if skipped (as opposed to mappings
that just make stuff read-only/writable that otherwise aren't).

(Let's also update a test that intended to test for this behaviour with
a more specific configuration that still triggers the behaviour with
this change in place)

Fixes: #13955

(For testing purposes unshare() can easily be blocked with
systemd-nspawn --system-call-filter=~unshare.)
2019-11-20 12:30:04 +01:00
..
ac-power
activate tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
analyze tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
ask-password
backlight util-lib: move shall_restore_state() to shared/reboot-util 2019-09-16 18:08:01 +02:00
basic errno-util: add ERRNO_IS_PRIVILEGE() helper 2019-11-20 12:29:54 +01:00
binfmt tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
boot tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
busctl tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
cgls tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
cgroups-agent tree-wide: drop socket.h when socket-util.h is included 2019-11-04 00:30:32 +09:00
cgtop Remove path_compare_func() alias for path_compare() 2019-11-15 14:47:45 +01:00
core core: be more lenient when checking whether sandboxing is necessary 2019-11-20 12:30:04 +01:00
coredump tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
cryptsetup cryptsetup: use STR_IN_SET() where appropriate 2019-11-19 15:34:09 +01:00
debug-generator util-lib: move runlevel_to_target() to shared/unit-file 2019-09-16 18:08:00 +02:00
delta tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
detect-virt
dissect
environment-d-generator environment-d-generator: output logs in debug mode 2019-08-30 13:17:37 +02:00
escape
firstboot firstboot: drop duplicate trailing whitespace from root pw question 2019-08-11 06:13:57 +09:00
fsck tree-wide: drop stdio.h when stdio-util.h is included 2019-11-04 00:30:32 +09:00
fstab-generator Allow overriding /etc/fstab with $SYSTEMD_FSTAB 2019-11-13 22:04:51 +01:00
fuzz tree-wide: drop missing.h 2019-10-31 17:57:03 +09:00
getty-generator tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
gpt-auto-generator tree-wide: drop stat.h or statfs.h when stat-util.h is included 2019-11-04 00:30:32 +09:00
hibernate-resume
hostname tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
hwdb tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
id128 id128: fix initializer element is not constant 2019-11-20 10:59:25 +01:00
import include missing_fcntl.h where needed 2019-11-07 10:17:44 +00:00
initctl
journal Merge pull request #14046 from poettering/id128-uuid 2019-11-18 15:19:43 +01:00
journal-remote tree-wide: drop stdio.h when stdio-util.h is included 2019-11-04 00:30:32 +09:00
kernel-install kernel-install: do not require non-empty kernel cmdline 2019-08-27 18:30:49 +02:00
libsystemd sd-bus: invalidate connection when Hello() fails 2019-11-16 13:47:32 +01:00
libsystemd-network Merge pull request #14064 from yuwata/network-unify-send-option-and-send-raw-option 2019-11-18 22:21:37 +01:00
libudev tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
locale tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
login pam_systemd: prolong method call timeout when allocating session 2019-11-19 21:05:03 +01:00
machine tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
machine-id-setup machine-id-setup: avoid unexpected aborting 2019-10-25 13:35:37 +09:00
modules-load tree-wide: drop libkmod.h when module-util.h is included 2019-11-04 00:30:32 +09:00
mount basic/fs-util: change CHASE_OPEN flag into a separate output parameter 2019-10-24 22:44:24 +09:00
network Merge pull request #14064 from yuwata/network-unify-send-option-and-send-raw-option 2019-11-18 22:21:37 +01:00
notify tree-wide: get rid of strappend() 2019-07-12 14:31:12 +09:00
nspawn nspawn: Allow Capability= to overrule private network setting 2019-11-15 10:13:51 +01:00
nss-myhostname tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
nss-mymachines meson: make nologin path build time configurable 2019-07-18 12:46:35 +02:00
nss-resolve tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
nss-systemd meson: make nologin path build time configurable 2019-07-18 12:46:35 +02:00
partition tree-wide: drop signal.h when signal-util.h is included 2019-11-04 00:30:32 +09:00
path
portable tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
pstore tree-wide: drop missing.h 2019-10-31 17:57:03 +09:00
quotacheck
random-seed tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
rc-local-generator
remount-fs Allow overriding /etc/fstab with $SYSTEMD_FSTAB 2019-11-13 22:04:51 +01:00
reply-password tree-wide: drop socket.h when socket-util.h is included 2019-11-04 00:30:32 +09:00
resolve tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
rfkill util-lib: move shall_restore_state() to shared/reboot-util 2019-09-16 18:08:01 +02:00
run tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
run-generator
shared ask-password: skip kernel keyring logic if we see EPERM 2019-11-19 19:12:09 +01:00
shutdown umount: log on all errors 2019-11-15 14:58:06 +01:00
sleep tree-wide: drop stdio.h when stdio-util.h is included 2019-11-04 00:30:32 +09:00
socket-proxy tree-wide: drop socket.h when socket-util.h is included 2019-11-04 00:30:32 +09:00
stdio-bridge
sulogin-shell
sysctl tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
system-update-generator util-lib: move runlevel_to_target() to shared/unit-file 2019-09-16 18:08:00 +02:00
systemctl tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
systemd dhcp: remove struct sd_dhcp_raw_option 2019-11-18 23:37:22 +09:00
sysusers Revert "sysusers: properly mark generated accounts as locked" 2019-10-22 17:59:11 +09:00
sysv-generator tree-wide: get rid of strappend() 2019-07-12 14:31:12 +09:00
test Merge pull request #14007 from keszybz/tasks-max-dynamic 2019-11-18 22:18:33 +01:00
time-wait-sync tree-wide: drop signal.h when signal-util.h is included 2019-11-04 00:30:32 +09:00
timedate tree-wide: clean up --help texts a bit 2019-11-18 15:14:43 +01:00
timesync tree-wide: drop socket.h when socket-util.h is included 2019-11-04 00:30:32 +09:00
tmpfiles Merge pull request #13862 from zachsmith/systemd-tmpfiles-deprecate-for-force 2019-11-12 10:28:59 +01:00
tty-ask-password-agent tree-wide: drop signal.h when signal-util.h is included 2019-11-04 00:30:32 +09:00
udev udev: do not propagate error in executing PROGRAM and IMPORT{program} 2019-11-19 20:20:46 +01:00
update-done
update-utmp tree-wide: drop string.h when string-util.h or friends are included 2019-11-04 00:30:32 +09:00
user-sessions
vconsole tree-wide: drop stdio.h when stdio-util.h is included 2019-11-04 00:30:32 +09:00
veritysetup
version
volatile-root basic/fs-util: change CHASE_OPEN flag into a separate output parameter 2019-10-24 22:44:24 +09:00