author | Luca Boccassi <luca.boccassi@microsoft.com> | 2022-01-24 14:04:23 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-24 14:04:23 +0100 |
commit | cb94b8acc593c39bdfed83875f7d088dc04c2593 (patch) | |
tree | e7083bb25e14e56b072572f340211242a49fd87e /src/core | |
parent | Merge pull request #22231 from yuwata/resolve-synthesize (diff) | |
parent | core/namespace: s/normalize_mounts()/drop_unused_mounts() (diff) | |
Merge pull request #22203 from brauner/2022-01-21.procsubset.pid
core/namespace: allow using ProtectSubset=pid and ProtectHostname=tru…
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/namespace.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 088cb09ac9..f3c6b58f86 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1682,7 +1682,14 @@ static size_t namespace_calculate_mounts(
 ns_info->private_ipc; /* /dev/mqueue */
 }

-static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
+/* Walk all mount entries and dropping any unused mounts. This affects all
+ * mounts:
+ * - that are implicitly protected by a path that has been rendered inaccessible
+ * - whose immediate parent requests the same protection mode as the mount itself
+ * - that are outside of the relevant root directory
+ * - which are duplicates
+ */
+static void drop_unused_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
 assert(root_directory);
 assert(n_mounts);
 assert(mounts || *n_mounts == 0);
@@ -1788,7 +1795,7 @@ static int apply_mounts(
 if (!again)
 break;

- normalize_mounts(root, mounts, n_mounts);
+ drop_unused_mounts(root, mounts, n_mounts);
 }

 /* Now that all filesystems have been set up, but before the
@@ -2263,14 +2270,19 @@ int setup_namespace(
 goto finish;
 }

+ /* Note, if proc is mounted with subset=pid then neither of the
+ * two paths will exist, i.e. they are implicitly protected by
+ * the mount option. */
 if (ns_info->protect_hostname) {
 *(m++) = (MountEntry) {
 .path_const = "/proc/sys/kernel/hostname",
 .mode = READONLY,
+ .ignore = ignore_protect_proc,
 };
 *(m++) = (MountEntry) {
 .path_const = "/proc/sys/kernel/domainname",
 .mode = READONLY,
+ .ignore = ignore_protect_proc,
 };
 }

@@ -2351,7 +2363,7 @@ int setup_namespace(
 if (r < 0)
 goto finish;

- normalize_mounts(root, mounts, &n_mounts);
+ drop_unused_mounts(root, mounts, &n_mounts);
 }

 /* All above is just preparation, figuring out what to do. Let's now actually start doing something. */ |
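Review bot: The `.ignore = ignore_protect_proc` added to the hostname and domainname entries in the setup_namespace hunk turns a missing `/proc/sys/kernel/hostname` or `/proc/sys/kernel/domainname` from a hard failure into a silent skip, so the read-only protection that ProtectHostname= promises is only preserved if `ignore_protect_proc` (defined outside the hunk, so this is inferred) is true solely when proc is mounted with subset=pid, where the paths genuinely cannot exist. If that flag can be true for any other reason, or if the paths are absent for a reason unrelated to the subset option, the protection is dropped without any error, which is the kind of degradation a sandboxing option should at least log at debug level when the entry is skipped. The new comment should state this invariant rather than only the happy case, e.g. `/* .ignore is only safe here because with subset=pid these paths cannot exist; any other ENOENT would silently drop the read-only protection. */`, and the rest of setup_namespace continues outside the hunk. Separately, the header comment in the first hunk reads "Walk all mount entries and dropping any unused mounts" and should read "and drop".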