namespace: move protect_{home|system} into NamespaceInfo
It's not entirely clear what shall be passed via parameter and what via struct, but these two definitely fit well with the other protect_xyz fields, hence let's move them over. We probably should move a lot more fields into the structure actually (most? all even?).
parent
68dd195c1b
commit
52b3d6523f
|
@ -2650,6 +2650,8 @@ static int apply_mount_namespace(
|
|||
.protect_hostname = context->protect_hostname,
|
||||
.mount_apivfs = context->mount_apivfs,
|
||||
.private_mounts = context->private_mounts,
|
||||
.protect_home = context->protect_home,
|
||||
.protect_system = context->protect_system,
|
||||
};
|
||||
} else if (!context->dynamic_user && root_dir)
|
||||
/*
|
||||
|
@ -2680,8 +2682,6 @@ static int apply_mount_namespace(
|
|||
tmp_dir,
|
||||
var_tmp_dir,
|
||||
context->log_namespace,
|
||||
needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
|
||||
needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
|
||||
context->mount_flags,
|
||||
context->root_hash, context->root_hash_size, context->root_hash_path,
|
||||
context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
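Review bot: The `needs_sandboxing ? … : PROTECT_HOME_NO` and `… : PROTECT_SYSTEM_NO` fallbacks dropped from the setup_namespace() call in the second hunk are now only implied by where `.protect_home` and `.protect_system` sit in the NamespaceInfo initializer in the first hunk. That is equivalent only if the initializer is inside the `needs_sandboxing` branch (its `if` starts outside the hunk, so this is inferred from the `} else if` that follows) and if a zero-filled NamespaceInfo means PROTECT_HOME_NO and PROTECT_SYSTEM_NO, which the page does not show. I would record the dependency next to the initializer, e.g. `/* protect_home/protect_system stay zero (== PROTECT_*_NO) unless needs_sandboxing */`, and repeat it where the two fields are added to `struct NamespaceInfo` in the header section. Without that, a later reordering of either enum or a move of the initializer could silently change which protections apply when sandboxing is not requested.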
|
||||
|
|
|
@ -1233,25 +1233,23 @@ static size_t namespace_calculate_mounts(
|
|||
size_t n_mount_images,
|
||||
const char* tmp_dir,
|
||||
const char* var_tmp_dir,
|
||||
const char* log_namespace,
|
||||
ProtectHome protect_home,
|
||||
ProtectSystem protect_system) {
|
||||
const char* log_namespace) {
|
||||
|
||||
size_t protect_home_cnt;
|
||||
size_t protect_system_cnt =
|
||||
(protect_system == PROTECT_SYSTEM_STRICT ?
|
||||
(ns_info->protect_system == PROTECT_SYSTEM_STRICT ?
|
||||
ELEMENTSOF(protect_system_strict_table) :
|
||||
((protect_system == PROTECT_SYSTEM_FULL) ?
|
||||
((ns_info->protect_system == PROTECT_SYSTEM_FULL) ?
|
||||
ELEMENTSOF(protect_system_full_table) :
|
||||
((protect_system == PROTECT_SYSTEM_YES) ?
|
||||
((ns_info->protect_system == PROTECT_SYSTEM_YES) ?
|
||||
ELEMENTSOF(protect_system_yes_table) : 0)));
|
||||
|
||||
protect_home_cnt =
|
||||
(protect_home == PROTECT_HOME_YES ?
|
||||
(ns_info->protect_home == PROTECT_HOME_YES ?
|
||||
ELEMENTSOF(protect_home_yes_table) :
|
||||
((protect_home == PROTECT_HOME_READ_ONLY) ?
|
||||
((ns_info->protect_home == PROTECT_HOME_READ_ONLY) ?
|
||||
ELEMENTSOF(protect_home_read_only_table) :
|
||||
((protect_home == PROTECT_HOME_TMPFS) ?
|
||||
((ns_info->protect_home == PROTECT_HOME_TMPFS) ?
|
||||
ELEMENTSOF(protect_home_tmpfs_table) : 0)));
|
||||
|
||||
return !!tmp_dir + !!var_tmp_dir +
|
||||
|
@ -1355,8 +1353,6 @@ int setup_namespace(
|
|||
const char* tmp_dir,
|
||||
const char* var_tmp_dir,
|
||||
const char *log_namespace,
|
||||
ProtectHome protect_home,
|
||||
ProtectSystem protect_system,
|
||||
unsigned long mount_flags,
|
||||
const void *root_hash,
|
||||
size_t root_hash_size,
|
||||
|
@ -1389,10 +1385,10 @@ int setup_namespace(
|
|||
|
||||
/* Make the whole image read-only if we can determine that we only access it in a read-only fashion. */
|
||||
if (root_read_only(read_only_paths,
|
||||
protect_system) &&
|
||||
ns_info->protect_system) &&
|
||||
home_read_only(read_only_paths, inaccessible_paths, empty_directories,
|
||||
bind_mounts, n_bind_mounts, temporary_filesystems, n_temporary_filesystems,
|
||||
protect_home) &&
|
||||
ns_info->protect_home) &&
|
||||
strv_isempty(read_write_paths))
|
||||
dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
|
||||
|
||||
|
@ -1461,8 +1457,7 @@ int setup_namespace(
|
|||
n_temporary_filesystems,
|
||||
n_mount_images,
|
||||
tmp_dir, var_tmp_dir,
|
||||
log_namespace,
|
||||
protect_home, protect_system);
|
||||
log_namespace);
|
||||
|
||||
if (n_mounts > 0) {
|
||||
m = mounts = new0(MountEntry, n_mounts);
|
||||
|
@ -1559,11 +1554,11 @@ int setup_namespace(
|
|||
};
|
||||
}
|
||||
|
||||
r = append_protect_home(&m, protect_home, ns_info->ignore_protect_paths);
|
||||
r = append_protect_home(&m, ns_info->protect_home, ns_info->ignore_protect_paths);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
|
||||
r = append_protect_system(&m, protect_system, false);
|
||||
r = append_protect_system(&m, ns_info->protect_system, false);
|
||||
if (r < 0)
|
||||
goto finish;
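Review bot: Nothing in the visible lines states that the count from namespace_calculate_mounts() must match what append_protect_home() and append_protect_system() write, even though both sides now read the same `ns_info->protect_home` / `ns_info->protect_system` values. `mounts` is allocated with `new0(MountEntry, n_mounts)` and `m` is passed by address to the appends, presumably to advance it, so an undercount would write past the array. The assignment of `n_mounts` and any end-of-fill check are outside these hunks. I would add a comment above the `protect_system_cnt` computation such as `/* must count exactly what append_protect_system()/append_protect_home() emit for ns_info; this sizes the mounts array */`, and, if not already present further down, `assert(mounts + n_mounts == m);` after the last append.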
|
||||
|
||||
|
|
|
@ -57,6 +57,8 @@ struct NamespaceInfo {
|
|||
bool protect_kernel_logs:1;
|
||||
bool mount_apivfs:1;
|
||||
bool protect_hostname:1;
|
||||
ProtectHome protect_home;
|
||||
ProtectSystem protect_system;
|
||||
};
|
||||
|
||||
struct BindMount {
|
||||
|
@ -98,8 +100,6 @@ int setup_namespace(
|
|||
const char *tmp_dir,
|
||||
const char *var_tmp_dir,
|
||||
const char *log_namespace,
|
||||
ProtectHome protect_home,
|
||||
ProtectSystem protect_system,
|
||||
unsigned long mount_flags,
|
||||
const void *root_hash,
|
||||
size_t root_hash_size,
|
||||
|
|
|
@ -163,8 +163,6 @@ static void test_protect_kernel_logs(void) {
|
|||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
PROTECT_HOME_NO,
|
||||
PROTECT_SYSTEM_NO,
|
||||
0,
|
||||
NULL,
|
||||
0,
|
||||
|
|
|
@ -76,8 +76,6 @@ int main(int argc, char *argv[]) {
|
|||
tmp_dir,
|
||||
var_tmp_dir,
|
||||
NULL,
|
||||
PROTECT_HOME_NO,
|
||||
PROTECT_SYSTEM_NO,
|
||||
0,
|
||||
NULL,
|
||||
0,
|
||||
|
|