namespace: always use a root directory when setting up namespace
1) mv /var/tmp /var/tmp.old 2) mkdir /tmp/varrr 3) ln -s /tmp/varrr /var/tmp Now, when a service has PrivateTmp=yes, during namespace setup, /tmp is first mounted over with a new mount. Then, when /var/tmp is being resolved, it points to /tmp/varrr, which by then doesn't exist, because it had already been obscured.
This commit is contained in:
Jan Synacek
Lennart Poettering
parent
c7e6744fa8
commit
0722b35934
|
|
@ -1173,19 +1173,17 @@ int setup_namespace(
|
|||
|
||||
if (root_directory)
|
||||
root = root_directory;
|
||||
else if (root_image || n_bind_mounts > 0 || n_temporary_filesystems > 0) {
|
||||
|
||||
/* If we are booting from an image, create a mount point for the image, if it's still missing. We use
|
||||
* the same mount point for all images, which is safe, since they all live in their own namespaces
|
||||
* after all, and hence won't see each other. We also use such a root directory whenever there are bind
|
||||
* mounts configured, so that their source mounts are never obstructed by mounts we already applied
|
||||
* while we are applying them. */
|
||||
else {
|
||||
/* Always create the mount namespace in a temporary directory, instead of operating
|
||||
* directly in the root. The temporary directory prevents any mounts from being
|
||||
* potentially obscured my other mounts we already applied.
|
||||
* We use the same mount point for all images, which is safe, since they all live
|
||||
* in their own namespaces after all, and hence won't see each other. */
|
||||
|
||||
root = "/run/systemd/unit-root";
|
||||
(void) mkdir_label(root, 0700);
|
||||
require_prefix = true;
|
||||
} else
|
||||
root = NULL;
|
||||
}
|
||||
|
||||
n_mounts = namespace_calculate_mounts(
|
||||
root,
|
||||
|
|
|
|||
Loading…
Reference in New Issue