author | Luca Boccassi <bluca@debian.org> | 2023-10-19 19:59:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-19 19:59:22 +0200 |
commit | 759cca0348e3c1331cc8218394423461e2cc0d52 (patch) | |
tree | 27d3221d8b57c78eecdce93e1f91bcb32c5ca86f | |
parent | Merge pull request #29623 from YHNdnzj/core-followup (diff) | |
parent | Update TODO (diff) | |
Merge pull request #29629 from bluca/mount_tunnel_pidref
mount tunnel: use PidRef
-rw-r--r-- | TODO | 2 | ||||
-rw-r--r-- | src/core/dbus-service.c | 4 | ||||
-rw-r--r-- | src/machine/machine-dbus.c | 2 | ||||
-rw-r--r-- | src/shared/mount-util.c | 17 | ||||
-rw-r--r-- | src/shared/mount-util.h | 5 |
5 files changed, 17 insertions, 13 deletions
@@ -244,8 +244,6 @@ Features:
 - cg_pid_get_xyz()
 - pid_from_same_root_fs()
 - get_ctty_devnr()
- - mount_image_in_namespace()
- - bind_mount_in_namespace()
 - pid1: sd_notify() receiver should use SCM_PIDFD to authenticate client
 - actually wait for POLLIN on pidref's pidfd in service logic
 - exec_spawn() + safe_fork()
diff --git a/src/core/dbus-service.c b/src/core/dbus-service.c
index 5bc487bc39..41f4ee399e 100644
--- a/src/core/dbus-service.c
+++ b/src/core/dbus-service.c
@@ -198,7 +198,7 @@ static int bus_service_method_mount(sd_bus_message *message, void *userdata, sd_
 propagate_directory = strjoina("/run/systemd/propagate/", u->id);
 if (is_image)
 r = mount_image_in_namespace(
- unit_pid->pid,
+ unit_pid,
 propagate_directory,
 "/run/systemd/incoming/",
 src, dest,
@@ -208,7 +208,7 @@ static int bus_service_method_mount(sd_bus_message *message, void *userdata, sd_
 c->mount_image_policy ?: &image_policy_service);
 else
 r = bind_mount_in_namespace(
- unit_pid->pid,
+ unit_pid,
 propagate_directory,
 "/run/systemd/incoming/",
 src, dest,
diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c
index 6341335c4d..347cc9b0c0 100644
--- a/src/machine/machine-dbus.c
+++ b/src/machine/machine-dbus.c
@@ -881,7 +881,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
 propagate_directory = strjoina("/run/systemd/nspawn/propagate/", m->name);
 r = bind_mount_in_namespace(
- m->leader.pid,
+ &m->leader,
 propagate_directory,
 "/run/host/incoming/",
 src, dest,
diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
index b6d2b6b615..e385f21777 100644
--- a/src/shared/mount-util.c
+++ b/src/shared/mount-util.c
@@ -1067,7 +1067,7 @@ finish:
 }
 static int mount_in_namespace(
- pid_t target,
+ PidRef *target,
 const char *propagate_path,
 const char *incoming_path,
 const char *src,
@@ -1087,24 +1087,29 @@ static int mount_in_namespace(
 pid_t child;
 int r;
- assert(target > 0);
 assert(propagate_path);
 assert(incoming_path);
 assert(src);
 assert(dest);
 assert(!options || is_image);
- r = namespace_open(target, &pidns_fd, &mntns_fd, NULL, NULL, &root_fd);
+ if (!pidref_is_set(target))
+ return -ESRCH;
+
+ r = namespace_open(target->pid, &pidns_fd, &mntns_fd, NULL, NULL, &root_fd);
 if (r < 0)
 return log_debug_errno(r, "Failed to retrieve FDs of the target process' namespace: %m");
- r = in_same_namespace(target, 0, NAMESPACE_MOUNT);
+ r = in_same_namespace(target->pid, 0, NAMESPACE_MOUNT);
 if (r < 0)
 return log_debug_errno(r, "Failed to determine if mount namespaces are equal: %m");
 /* We can't add new mounts at runtime if the process wasn't started in a namespace */
 if (r > 0)
 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to activate bind mount in target, not running in a mount namespace");
+ if (pidref_verify(target) < 0)
+ return log_debug_errno(SYNTHETIC_ERRNO(ESRCH), "Failed to verify target process '" PID_FMT "': %m", target->pid);
+
 r = chase(src, NULL, 0, &chased_src_path, &chased_src_fd);
 if (r < 0)
 return log_debug_errno(r, "Failed to resolve source path of %s: %m", src);
@@ -1241,7 +1246,7 @@ static int mount_in_namespace(
 }
 int bind_mount_in_namespace(
- pid_t target,
+ PidRef * target,
 const char *propagate_path,
 const char *incoming_path,
 const char *src,
@@ -1253,7 +1258,7 @@ int bind_mount_in_namespace(
 }
 int mount_image_in_namespace(
- pid_t target,
+ PidRef * target,
 const char *propagate_path,
 const char *incoming_path,
 const char *src,
diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h
index 7c0189480e..f06fd6de8c 100644
--- a/src/shared/mount-util.h
+++ b/src/shared/mount-util.h
@@ -10,6 +10,7 @@
 #include "dissect-image.h"
 #include "errno-util.h"
 #include "macro.h"
+#include "pidref.h"
 int repeat_unmount(const char *path, int flags);
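Review bot: The new `if (pidref_verify(target) < 0)` guard in mount_in_namespace throws away pidref_verify's return code and substitutes a synthetic ESRCH, so the `%m` in that debug message presumably always reads "No such process" even when verification failed for a different reason, and callers cannot tell the cases apart. Keeping the real code is a one-line change: `r = pidref_verify(target); if (r < 0) return log_debug_errno(r, "Failed to verify target process '" PID_FMT "': %m", target->pid);`. Since namespace_open() and in_same_namespace() above it are still keyed by the bare `target->pid`, placing the verify after those by-PID lookups is, as I read it, exactly what catches a PID recycled in between, but nothing says so; a comment such as `/* Verify only after the by-PID lookups above, so a PID reused in the meantime is detected here rather than silently acted on. */` would make that ordering intentional for the next editor. mount_in_namespace's body continues outside the hunk.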
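Review bot: The public wrappers' new parameter is written `PidRef * target` in this hunk for bind_mount_in_namespace and again in the @@ -1253 hunk for mount_image_in_namespace, while the static mount_in_namespace and the mount-util.h prototypes in the same commit use `PidRef *target`; the declarator should bind to the name consistently, `PidRef *target,`. Both functions' bodies lie outside the hunks, which show only the signatures.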
@@ -98,8 +99,8 @@ static inline char *umount_and_free(char *p) {
 }
 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, umount_and_free);
-int bind_mount_in_namespace(pid_t target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory);
-int mount_image_in_namespace(pid_t target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory, const MountOptions *options, const ImagePolicy *image_policy);
+int bind_mount_in_namespace(PidRef *target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory);
+int mount_image_in_namespace(PidRef *target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory, const MountOptions *options, const ImagePolicy *image_policy);
 int make_mount_point(const char *path);
 int fd_make_mount_point(int fd);
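Review bot: The changed prototypes for bind_mount_in_namespace and mount_image_in_namespace carry no comment on the contract this commit introduces: the mount-util.c hunk returns -ESRCH for an unset PidRef and fails verification of a stale one before touching any mount, which is what a caller holding a possibly-dead PidRef needs to know from the header alone. A short comment above the two declarations would cover it: `/* target must be a set PidRef; an unset or no-longer-valid reference fails with -ESRCH before any mount is attempted. */`.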