Merge pull request #31210 from poettering/chdir-hardening

WorkingDirectory= hardening
author: Luca Boccassi <bluca@debian.org> 2024-02-06 13:41:43 +0100
committer: GitHub <noreply@github.com> 2024-02-06 13:41:43 +0100
commit: d50f58d641d32cddeb1fef550445724cafdae2f3 (patch)
tree: e5b6e7db428288c8c9aaeba3c78048c587fbd7b4 /src/basic/mountpoint-util.c
parent: Merge pull request #31205 from YHNdnzj/path-is-mount-point (diff)
parent: nspawn: and also add comment, making clear chdir() should come late (diff)
download: systemd-d50f58d641d32cddeb1fef550445724cafdae2f3.tar.xz
systemd-d50f58d641d32cddeb1fef550445724cafdae2f3.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c
index 8014e91dc5..0fb146f0cf 100644
--- a/src/basic/mountpoint-util.c
+++ b/src/basic/mountpoint-util.c
@@ -784,3 +784,10 @@ int mount_option_supported(const char *fstype, const char *key, const char *valu
 
         return true; /* works! */
 }
+
+bool path_below_api_vfs(const char *p) {
+        assert(p);
+
+        /* API VFS are either directly mounted on any of these three paths, or below it. */
+        return PATH_STARTSWITH_SET(p, "/dev", "/sys", "/proc");
+}
author	Luca Boccassi <bluca@debian.org>	2024-02-06 13:41:43 +0100
committer	GitHub <noreply@github.com>	2024-02-06 13:41:43 +0100
commit	d50f58d641d32cddeb1fef550445724cafdae2f3 (patch)
tree	e5b6e7db428288c8c9aaeba3c78048c587fbd7b4 /src/basic/mountpoint-util.c
parent	Merge pull request #31205 from YHNdnzj/path-is-mount-point (diff)
parent	nspawn: and also add comment, making clear chdir() should come late (diff)
download	systemd-d50f58d641d32cddeb1fef550445724cafdae2f3.tar.xz systemd-d50f58d641d32cddeb1fef550445724cafdae2f3.zip