diff options
| author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2023-02-17 05:50:17 +0100 |
|---|---|---|
| committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2023-02-23 07:09:13 +0100 |
| commit | c2da3bf2376440526e87da6124660d22ac2079d6 (patch) | |
| tree | be6e5db0567dd6207635f4155a9c8902d0680a25 /src/core/namespace.c | |
| parent | core/namespace: introduce a new namespace mount mode PRIVATE_SYSFS (diff) | |
| download | systemd-c2da3bf2376440526e87da6124660d22ac2079d6.tar.xz systemd-c2da3bf2376440526e87da6124660d22ac2079d6.zip | |
core/namespace: mount new sysfs when new network namespace is requested
Even when a mount namespace is created, previously host's sysfs is used,
especially with RootDirectory= or RootImage=, thus service processes can
still access the properties of the network interfaces in the main network
namespace through sysfs.
This makes, sysfs is remounted with the new network namespace tag, except
when PrivateMounts= is explicitly disabled. Hence, the properties of the
network interfaces in the main network namespace cannot be accessed by
service processes through sysfs.
Fixes #26422.
Diffstat (limited to 'src/core/namespace.c')
| -rw-r--r-- | src/core/namespace.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c index 8e3c272f40..3b0896039b 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -1748,6 +1748,7 @@ static size_t namespace_calculate_mounts( !!log_namespace + setup_propagate + /* /run/systemd/incoming */ !!notify_socket + + ns_info->private_network + /* /sys */ ns_info->private_ipc; /* /dev/mqueue */ } @@ -2354,6 +2355,12 @@ int setup_namespace( }; } + if (ns_info->private_network) + *(m++) = (MountEntry) { + .path_const = "/sys", + .mode = PRIVATE_SYSFS, + }; + if (ns_info->private_ipc) *(m++) = (MountEntry) { .path_const = "/dev/mqueue", |