authorDjalal Harouni <tixxdz@opendz.org>2016-10-12 14:11:16 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-10-12 14:11:16 +0200
commitc575770b75b6cd15684fbacd249147bf5fd6ead7 (patch)
tree1dbde008e50d9ab2780168dd26ead86a762959dc /src/test
parentdoc: minor hint about InaccessiblePaths= in regard of ProtectKernelTunables= (diff)
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules=
Let's go further and make /lib/modules/ inaccessible for services that have no business with modules. This is a minor improvement, but it may help on setups with custom modules, and they are limited... with regard to the kernel auto-load feature. This change introduces the NameSpaceInfo struct, which we may embed later inside ExecContext, but for now let's just reduce the number of arguments to setup_namespace() and merge the ProtectKernelModules feature.
Diffstat (limited to '')
-rw-r--r--src/test/test-ns.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index c4d4da6d05..da7a8b0565 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -45,6 +45,14 @@ int main(int argc, char *argv[]) {
"/home/lennart/projects",
NULL
};
+
+ static const NameSpaceInfo ns_info = {
+ .private_dev = true,
+ .protect_control_groups = true,
+ .protect_kernel_tunables = true,
+ .protect_kernel_modules = true,
+ };
+
char *root_directory;
char *projects_directory;
int r;
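Review bot: The `ns_info` initializer added to main() sets `.protect_kernel_modules = true` without a comment saying that this flag now also makes `/lib/modules/` inaccessible in the namespace the test builds. The call site previously passed three positional `true` values, so the test now runs with one more restriction than before, and a reader of the test alone cannot tell that this is intentional. I would add a comment above the struct such as `/* Enable all NameSpaceInfo protections; protect_kernel_modules also makes /lib/modules/ inaccessible */`. main() continues outside the visible hunks, so I cannot tell whether anything later checks that the path is really masked after `setup_namespace()` succeeds; if nothing does, a check there would keep a regression in the new masking from passing silently.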
@@ -69,14 +77,12 @@ int main(int argc, char *argv[]) {
log_info("Not chrooted");
r = setup_namespace(root_directory,
+ &ns_info,
(char **) writable,
(char **) readonly,
(char **) inaccessible,
tmp_dir,
var_tmp_dir,
- true,
- true,
- true,
PROTECT_HOME_NO,
PROTECT_SYSTEM_NO,
0);