
core:namespace: put paths protected by ProtectKernelTunables= in

Instead of having all these paths everywhere, put the ones that are
protected by ProtectKernelTunables= into their own table. This way it
is easy to add paths and track which ones are protected.
This commit is contained in:
Djalal Harouni 2016-09-25 11:16:44 +02:00
parent 9c94d52e09
commit 11a30cec2a


@ -61,9 +61,23 @@ typedef struct BindMount {
const char *path; /* stack memory, doesn't need to be freed explicitly */ const char *path; /* stack memory, doesn't need to be freed explicitly */
char *chased; /* malloc()ed memory, needs to be freed */ char *chased; /* malloc()ed memory, needs to be freed */
MountMode mode; MountMode mode;
bool ignore; bool ignore; /* Ignore if path does not exist */
} BindMount; } BindMount;
typedef struct TargetMount {
const char *path;
MountMode mode;
bool ignore; /* Ignore if path does not exist */
} TargetMount;
/* ProtectKernelTunables= option and the related filesystem APIs */
static const TargetMount protect_kernel_tunables_table[] = {
{ "/proc/sys", READONLY, false },
{ "/proc/sysrq-trigger", READONLY, true },
{ "/sys", READONLY, false },
{ "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
};
static int append_mounts(BindMount **p, char **strv, MountMode mode) { static int append_mounts(BindMount **p, char **strv, MountMode mode) {
char **i; char **i;
@ -89,6 +103,20 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) {
return 0; return 0;
} }
static void append_protect_kernel_tunables(BindMount **p, const char *root_directory) {
unsigned int i;
assert(p);
for (i = 0; i < ELEMENTSOF(protect_kernel_tunables_table); i++) {
const TargetMount *t = &protect_kernel_tunables_table[i];
(*p)->path = prefix_roota(root_directory, t->path);
(*p)->mode = t->mode;
(*p)->ignore = t->ignore;
(*p)++;
}
}
static int mount_path_compare(const void *a, const void *b) { static int mount_path_compare(const void *a, const void *b) {
const BindMount *p = a, *q = b; const BindMount *p = a, *q = b;
int d; int d;
@ -514,8 +542,8 @@ int setup_namespace(
strv_length(read_only_paths) + strv_length(read_only_paths) +
strv_length(inaccessible_paths) + strv_length(inaccessible_paths) +
private_dev + private_dev +
(protect_sysctl ? 3 : 0) + (protect_sysctl ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
(protect_cgroups != protect_sysctl) + (protect_cgroups ? 1 : 0) +
(protect_home != PROTECT_HOME_NO || protect_system == PROTECT_SYSTEM_STRICT ? 3 : 0) + (protect_home != PROTECT_HOME_NO || protect_system == PROTECT_SYSTEM_STRICT ? 3 : 0) +
(protect_system == PROTECT_SYSTEM_STRICT ? (protect_system == PROTECT_SYSTEM_STRICT ?
(2 + !private_dev + !protect_sysctl) : (2 + !private_dev + !protect_sysctl) :
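Review bot: The new `(protect_cgroups ? 1 : 0)` term, combined with the `/sys/fs/cgroup` READWRITE entry that `protect_kernel_tunables_table` now always contributes, means a unit with both ProtectKernelTunables= and ProtectControlGroups= reserves — and, in the following hunk, actually appends — two entries for `/sys/fs/cgroup` with conflicting modes, whereas the old `(protect_cgroups != protect_sysctl)` arithmetic guaranteed at most one. The slot count does match what gets appended, but the effective mount mode now hinges on `mount_path_compare()` (its body is cut off on this page) and whatever duplicate-dropping step follows the sort ordering READONLY ahead of READWRITE; if that precedence is not guaranteed, `/sys/fs/cgroup` could remain writable despite ProtectControlGroups=yes. I would state that dependency next to the count rather than leave it implicit: `/* protect_cgroups adds a second, READONLY /sys/fs/cgroup entry on top of the table's READWRITE one; the sort/dedup step must keep the READONLY one */`, and cover the both-options-set case in a test. setup_namespace() starts and ends outside this hunk.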
@ -557,24 +585,12 @@ int setup_namespace(
m++; m++;
} }
if (protect_sysctl) { if (protect_sysctl)
m->path = prefix_roota(root_directory, "/proc/sys"); append_protect_kernel_tunables(&m, root_directory);
m->mode = READONLY;
m++;
m->path = prefix_roota(root_directory, "/proc/sysrq-trigger"); if (protect_cgroups) {
m->mode = READONLY;
m->ignore = true; /* Not always compiled into the kernel */
m++;
m->path = prefix_roota(root_directory, "/sys");
m->mode = READONLY;
m++;
}
if (protect_cgroups != protect_sysctl) {
m->path = prefix_roota(root_directory, "/sys/fs/cgroup"); m->path = prefix_roota(root_directory, "/sys/fs/cgroup");
m->mode = protect_cgroups ? READONLY : READWRITE; m->mode = READONLY;
m++; m++;
} }