namespace: invoke unshare() only after checking all parameters
Let's create the new namespace only after we validated and processed all parameters, right before we start with actually mounting things. This way, the window where we can roll back is larger (not that it matters IRL...)
This commit is contained in:
parent
096424d123
commit
1e4e94c881
|
@ -462,9 +462,6 @@ int setup_namespace(
|
|||
if (mount_flags == 0)
|
||||
mount_flags = MS_SHARED;
|
||||
|
||||
if (unshare(CLONE_NEWNS) < 0)
|
||||
return -errno;
|
||||
|
||||
n = !!tmp_dir + !!var_tmp_dir +
|
||||
strv_length(read_write_paths) +
|
||||
strv_length(read_only_paths) +
|
||||
|
@ -606,6 +603,9 @@ int setup_namespace(
|
|||
drop_nop(mounts, &n);
|
||||
}
|
||||
|
||||
if (unshare(CLONE_NEWNS) < 0)
|
||||
return -errno;
|
||||
|
||||
if (n > 0 || root_directory) {
|
||||
/* Remount / as SLAVE so that nothing now mounted in the namespace
|
||||
shows up in the parent */
|
||||
|
|
Loading…
Reference in a new issue