author | Lennart Poettering <lennart@poettering.net> | 2023-04-12 13:46:08 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-12 13:46:08 +0200 |
commit | 3af48a86d99b3117a44bc22258ab4d34d0ba7655 (patch) | |
tree | 594af3dadad0f5a0febfb73137689eea7503fe83 /src/core/execute.c | |
parent | Merge pull request #27165 from poettering/fdstore-envvar (diff) | |
parent | update TODO (diff) | |
Merge pull request #25608 from poettering/dissect-moar
dissect: add dissection policies
Diffstat (limited to 'src/core/execute.c')
-rw-r--r-- | src/core/execute.c | 71 |
1 files changed, 41 insertions, 30 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 93024b1ce4..8b09794089 100644 --- a/src/core/execute.c +++ b/src/core/execute.c 
@@ -3799,36 +3799,43 @@ static int apply_mount_namespace( if (asprintf(&extension_dir, "/run/user/" UID_FMT "/systemd/unit-extensions", geteuid()) < 0) return -ENOMEM; - r = setup_namespace(root_dir, root_image, context->root_image_options, - &ns_info, read_write_paths, - needs_sandboxing ? context->read_only_paths : NULL, - needs_sandboxing ? context->inaccessible_paths : NULL, - needs_sandboxing ? context->exec_paths : NULL, - needs_sandboxing ? context->no_exec_paths : NULL, - empty_directories, - symlinks, - bind_mounts, - n_bind_mounts, - context->temporary_filesystems, - context->n_temporary_filesystems, - context->mount_images, - context->n_mount_images, - tmp_dir, - var_tmp_dir, - creds_path, - context->log_namespace, - context->mount_propagation_flag, - context->root_hash, context->root_hash_size, context->root_hash_path, - context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path, - context->root_verity, - context->extension_images, - context->n_extension_images, - context->extension_directories, - propagate_dir, - incoming_dir, - extension_dir, - root_dir || root_image ? params->notify_socket : NULL, - error_path); + r = setup_namespace( + root_dir, + root_image, + context->root_image_options, + context->root_image_policy ?: &image_policy_service, + &ns_info, + read_write_paths, + needs_sandboxing ? context->read_only_paths : NULL, + needs_sandboxing ? context->inaccessible_paths : NULL, + needs_sandboxing ? context->exec_paths : NULL, + needs_sandboxing ? 
context->no_exec_paths : NULL, + empty_directories, + symlinks, + bind_mounts, + n_bind_mounts, + context->temporary_filesystems, + context->n_temporary_filesystems, + context->mount_images, + context->n_mount_images, + context->mount_image_policy ?: &image_policy_service, + tmp_dir, + var_tmp_dir, + creds_path, + context->log_namespace, + context->mount_propagation_flag, + context->root_hash, context->root_hash_size, context->root_hash_path, + context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path, + context->root_verity, + context->extension_images, + context->n_extension_images, + context->extension_image_policy ?: &image_policy_sysext, + context->extension_directories, + propagate_dir, + incoming_dir, + extension_dir, + root_dir || root_image ? params->notify_socket : NULL, + error_path); /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports * that with a special, recognizable error ENOANO. In this case, silently proceed, but only if exclusively @@ -5767,6 +5774,10 @@ void exec_context_done(ExecContext *c) { c->load_credentials = hashmap_free(c->load_credentials); c->set_credentials = hashmap_free(c->set_credentials); + + c->root_image_policy = image_policy_free(c->root_image_policy); + c->mount_image_policy = image_policy_free(c->mount_image_policy); + c->extension_image_policy = image_policy_free(c->extension_image_policy); } int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_prefix) { |
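Review bot: The three new policy arguments to setup_namespace() are, as far as the hunk shows, same-typed pointers passed positionally among roughly forty arguments, so a transposition (for example the sysext default landing in the root-image slot) would compile cleanly and silently change which image policy is enforced. The prototype is not part of this file-limited diff, so the argument order here should be checked against it. A short comment at the call would make the fallbacks explicit, e.g. `/* Unset policies fall back to the built-in defaults: image_policy_service for root and mount images, image_policy_sysext for extension images */`. The policies are also passed unconditionally, unlike the path lists gated on `needs_sandboxing`; that looks intentional and is worth stating in the same comment. apply_mount_namespace() begins and ends outside the hunk.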
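Review bot: The added image_policy_free() calls in exec_context_done() assume the three fields only ever hold owned allocations or NULL. The first hunk takes the address of `image_policy_service` and `image_policy_sysext`, which suggests those defaults are static objects that must never be stored in the context. That holds in the visible code because the fallback is applied at the call site, but the invariant deserves a comment, e.g. `/* Owned copies or NULL; the built-in default policies are applied at use time and never stored here */`. exec_context_done()'s body starts before the hunk.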