author | Mike Yuan <me@yhndnzj.com> | 2024-09-04 15:36:52 +0200 |
---|---|---|
committer | Mike Yuan <me@yhndnzj.com> | 2024-09-04 21:44:24 +0200 |
commit | 95f9e85aaae5835de8f3ef9d74d460ae2ad13f0f (patch) | |
tree | 524e38af413986cb492f41d62383c703611c4a1a /src/core/namespace.c | |
parent | core/exec-invoke: use bind_mount_add() where appropriate (diff) | |
core/namespace: make bind mounted journal sockets nosuid + noexec + nodev
Addresses https://github.com/systemd/systemd/pull/32487#discussion_r1743464797
Diffstat (limited to 'src/core/namespace.c')
-rw-r--r-- | src/core/namespace.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 940052b045..026018438c 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -121,9 +121,9 @@ typedef struct MountList {
 } MountList;
 
 static const BindMount bind_journal_sockets_table[] = {
- { (char*) "/run/systemd/journal/socket", (char*) "/run/systemd/journal/socket", .read_only = true, .ignore_enoent = true },
- { (char*) "/run/systemd/journal/stdout", (char*) "/run/systemd/journal/stdout", .read_only = true, .ignore_enoent = true },
- { (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .ignore_enoent = true },
+ { (char*) "/run/systemd/journal/socket", (char*) "/run/systemd/journal/socket", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
+ { (char*) "/run/systemd/journal/stdout", (char*) "/run/systemd/journal/stdout", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
+ { (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
 };
 
 /* If MountAPIVFS= is used, let's mount /sys, /proc, /dev and /run into the it, but only as a fallback if the user hasn't mounted
@@ -447,6 +447,8 @@ static int append_bind_mounts(MountList *ml, const BindMount *binds, size_t n) {
 .mode = b->recursive ? MOUNT_BIND_RECURSIVE : MOUNT_BIND,
 .read_only = b->read_only,
 .nosuid = b->nosuid,
+ .noexec = b->noexec,
+ .flags = b->nodev ? MS_NODEV : 0,
 .source_const = b->source,
 .ignore = b->ignore_enoent,
 };
@@ -2797,7 +2799,9 @@ int bind_mount_add(BindMount **b, size_t *n, const BindMount *item) {
 .source = TAKE_PTR(s),
 .destination = TAKE_PTR(d),
 .read_only = item->read_only,
+ .nodev = item->nodev,
 .nosuid = item->nosuid,
+ .noexec = item->noexec,
 .recursive = item->recursive,
 .ignore_enoent = item->ignore_enoent,
 };
|
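Review bot: In the append_bind_mounts() hunk, nodev is routed through the generic mount-flag word (`.flags = b->nodev ? MS_NODEV : 0`) while nosuid and noexec get dedicated MountEntry members, so whether MS_NODEV actually lands on the bind mount depends on how the code that later applies MountEntry consumes `.flags` for MOUNT_BIND entries, which is outside this hunk and worth confirming against a service's /proc/self/mountinfo for /run/systemd/journal/dev-log. A one-line comment at that initializer, such as `/* MountEntry has no nodev bit, so pass it through the raw mount flags */`, would record the asymmetry for the next reader (hedged: this presumes MountEntry lacks a nodev field). The bind_mount_add() hunk orders the new fields nodev, nosuid, noexec, whereas the table entries and append_bind_mounts() use nosuid, noexec, nodev; one consistent order makes the three sites easier to compare by eye. Both append_bind_mounts() and bind_mount_add() begin and end outside their hunks.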