execute: drop group priviliges only after setting up namespace
If PrivateDevices=yes is set, the namespace code creates device nodes in /dev that should be owned by the host's root, hence let's make sure we set up the namespace before dropping group privileges.
parent
920a7899de
commit
096424d123
@ -2291,14 +2291,9 @@ static int exec_child(
}
}
accum_env = strv_env_clean(accum_env);
accum_env = strv_env_clean(accum_env);
umask(context->umask);
(void) umask(context->umask);
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
r = enforce_groups(context, username, gid);
if (r < 0) {
*exit_status = EXIT_GROUP;
return r;
}
#ifdef HAVE_SMACK
#ifdef HAVE_SMACK
if (context->smack_process_label) {
if (context->smack_process_label) {
r = mac_smack_apply_pid(0, context->smack_process_label);
r = mac_smack_apply_pid(0, context->smack_process_label);
@ -2395,6 +2390,14 @@ static int exec_child(
}
}
}
}
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
r = enforce_groups(context, username, gid);
if (r < 0) {
*exit_status = EXIT_GROUP;
return r;
}
}
if (context->working_directory_home)
if (context->working_directory_home)
wd = home;
wd = home;
else if (context->working_directory)
else if (context->working_directory)
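Review bot: The relocated enforce_groups() block in the second hunk carries no comment saying why the group drop now happens this late, so the reason lives only in the commit message and a later refactor of exec_child() could move it back without noticing the ordering is load-bearing. Suggest a comment directly above the `if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {` line in the second hunk: `/* Drop group privileges only after the namespace is set up: with PrivateDevices= the device nodes created in /dev must be owned by the host's root. */`. Everything between the old position and the new one — including the mac_smack_apply_pid() call visible at the end of the first hunk — now runs before the group drop; that is the intent for the namespace code, but it is worth confirming the SMACK label path does not rely on the groups having been dropped first. exec_child() begins and ends outside both hunks.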