namespace: move protect_{home|system} into NamespaceInfo

it's not entirely clear what shall be passed via parameter and what via
struct, but these two definitely fit well with the other protect_xyz
fields, hence let's move them over.

We probably should move a lot more fields into the structure
actually (most? all even?).
Lennart Poettering 2020-08-06 11:32:53 +02:00
parent 68dd195c1b
commit 52b3d6523f
5 changed files with 16 additions and 25 deletions


@ -2650,6 +2650,8 @@ static int apply_mount_namespace(
.protect_hostname = context->protect_hostname,
.mount_apivfs = context->mount_apivfs,
.private_mounts = context->private_mounts,
.protect_home = context->protect_home,
.protect_system = context->protect_system,
};
} else if (!context->dynamic_user && root_dir)
/*
@ -2680,8 +2682,6 @@ static int apply_mount_namespace(
tmp_dir,
var_tmp_dir,
context->log_namespace,
needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
context->mount_flags,
context->root_hash, context->root_hash_size, context->root_hash_path,
context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
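Review bot: Dropping the `needs_sandboxing ? … : PROTECT_HOME_NO` guards from the setup_namespace() call in the second hunk is only equivalent if every other branch that fills `ns_info` leaves `protect_home`/`protect_system` at zero, and if `PROTECT_HOME_NO` and `PROTECT_SYSTEM_NO` are the zero enumerators; neither the other branches nor the enum definitions are visible here. The two new initializer lines appear to sit in the sandboxing branch, so the intent looks preserved, but "no sandboxing means no protection mounts" now rests on an implicit default rather than an explicit argument. I would record that next to the new fields in the NamespaceInfo section of this commit, e.g. `/* a zero-initialized NamespaceInfo must mean PROTECT_HOME_NO / PROTECT_SYSTEM_NO */`, and pin it with `assert_cc(PROTECT_HOME_NO == 0);` and `assert_cc(PROTECT_SYSTEM_NO == 0);`. apply_mount_namespace() starts and ends outside both hunks.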


@ -1233,25 +1233,23 @@ static size_t namespace_calculate_mounts(
size_t n_mount_images,
const char* tmp_dir,
const char* var_tmp_dir,
const char* log_namespace,
ProtectHome protect_home,
ProtectSystem protect_system) {
const char* log_namespace) {
size_t protect_home_cnt;
size_t protect_system_cnt =
(protect_system == PROTECT_SYSTEM_STRICT ?
(ns_info->protect_system == PROTECT_SYSTEM_STRICT ?
ELEMENTSOF(protect_system_strict_table) :
((protect_system == PROTECT_SYSTEM_FULL) ?
((ns_info->protect_system == PROTECT_SYSTEM_FULL) ?
ELEMENTSOF(protect_system_full_table) :
((protect_system == PROTECT_SYSTEM_YES) ?
((ns_info->protect_system == PROTECT_SYSTEM_YES) ?
ELEMENTSOF(protect_system_yes_table) : 0)));
protect_home_cnt =
(protect_home == PROTECT_HOME_YES ?
(ns_info->protect_home == PROTECT_HOME_YES ?
ELEMENTSOF(protect_home_yes_table) :
((protect_home == PROTECT_HOME_READ_ONLY) ?
((ns_info->protect_home == PROTECT_HOME_READ_ONLY) ?
ELEMENTSOF(protect_home_read_only_table) :
((protect_home == PROTECT_HOME_TMPFS) ?
((ns_info->protect_home == PROTECT_HOME_TMPFS) ?
ELEMENTSOF(protect_home_tmpfs_table) : 0)));
return !!tmp_dir + !!var_tmp_dir +
@ -1355,8 +1353,6 @@ int setup_namespace(
const char* tmp_dir,
const char* var_tmp_dir,
const char *log_namespace,
ProtectHome protect_home,
ProtectSystem protect_system,
unsigned long mount_flags,
const void *root_hash,
size_t root_hash_size,
@ -1389,10 +1385,10 @@ int setup_namespace(
/* Make the whole image read-only if we can determine that we only access it in a read-only fashion. */
if (root_read_only(read_only_paths,
protect_system) &&
ns_info->protect_system) &&
home_read_only(read_only_paths, inaccessible_paths, empty_directories,
bind_mounts, n_bind_mounts, temporary_filesystems, n_temporary_filesystems,
protect_home) &&
ns_info->protect_home) &&
strv_isempty(read_write_paths))
dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
@ -1461,8 +1457,7 @@ int setup_namespace(
n_temporary_filesystems,
n_mount_images,
tmp_dir, var_tmp_dir,
log_namespace,
protect_home, protect_system);
log_namespace);
if (n_mounts > 0) {
m = mounts = new0(MountEntry, n_mounts);
@ -1559,11 +1554,11 @@ int setup_namespace(
};
}
r = append_protect_home(&m, protect_home, ns_info->ignore_protect_paths);
r = append_protect_home(&m, ns_info->protect_home, ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
r = append_protect_system(&m, protect_system, false);
r = append_protect_system(&m, ns_info->protect_system, false);
if (r < 0)
goto finish;
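Review bot: The two append calls at the end of the last hunk are asymmetric: `append_protect_home()` receives `ns_info->ignore_protect_paths`, while `append_protect_system()` receives a literal `false`. Now that both protection modes are read from the same struct, this looks like an oversight. If it is intentional, a one-line comment above the second call would make that explicit, e.g. `/* ProtectSystem= mounts are never best-effort, regardless of ignore_protect_paths */`. The meaning of the third argument is inferred from the home call, since the declaration of append_protect_system() is not visible here. setup_namespace() extends beyond the hunks shown.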


@ -57,6 +57,8 @@ struct NamespaceInfo {
bool protect_kernel_logs:1;
bool mount_apivfs:1;
bool protect_hostname:1;
ProtectHome protect_home;
ProtectSystem protect_system;
};
struct BindMount {
@ -98,8 +100,6 @@ int setup_namespace(
const char *tmp_dir,
const char *var_tmp_dir,
const char *log_namespace,
ProtectHome protect_home,
ProtectSystem protect_system,
unsigned long mount_flags,
const void *root_hash,
size_t root_hash_size,


@ -163,8 +163,6 @@ static void test_protect_kernel_logs(void) {
NULL,
NULL,
NULL,
PROTECT_HOME_NO,
PROTECT_SYSTEM_NO,
0,
NULL,
0,


@ -76,8 +76,6 @@ int main(int argc, char *argv[]) {
tmp_dir,
var_tmp_dir,
NULL,
PROTECT_HOME_NO,
PROTECT_SYSTEM_NO,
0,
NULL,
0,