diff options
| author | Lennart Poettering <lennart@poettering.net> | 2024-02-05 17:11:12 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2024-02-06 11:13:28 +0100 |
| commit | 83d5dab4de8a143e2380f09b1091551a7e33bd5b (patch) | |
| tree | 94d980cb8490200fe0a74e8440e68b68a5c08bbb /src/nspawn/nspawn.c | |
| parent | nspawn: also refuse paths below API VFS in nspawn's --chdir= field (diff) | |
| download | systemd-83d5dab4de8a143e2380f09b1091551a7e33bd5b.tar.xz systemd-83d5dab4de8a143e2380f09b1091551a7e33bd5b.zip | |
nspawn: and also add comment, making clear chdir() should come late
Diffstat (limited to 'src/nspawn/nspawn.c')
| -rw-r--r-- | src/nspawn/nspawn.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 957bc58217..48394a3100 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3522,6 +3522,9 @@ static int inner_child( if (!barrier_place_and_sync(barrier)) /* #5 */ return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Parent died too early"); + /* Note, this should be done this late (💣 and not moved earlier! 💣), so that all namespacing + * changes are already in effect by now, so that any resolved paths here definitely reference + * resources inside the container, and not outside of them. */ if (arg_chdir) if (chdir(arg_chdir) < 0) return log_error_errno(errno, "Failed to change to specified working directory %s: %m", arg_chdir); |