shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-12 13:18:14 +03:00
Code

core: ensure that namespace tmp directories always get the correct label

Browse Source 
If a namespace with PrivateTmp=true is constructed we need to restore
the context of the namespaces /tmp directory (i.e.
/tmp/systemd-private-XXXXX/tmp) to the (default) context of /tmp .
Otherwise filetransitions might result in the namespaces tmp directory
having the wrong context.
This commit is contained in:
bauen1 2020-09-25 18:45:29 +02:00 committed by Zbigniew Jędrzejewski-Szmek
parent d99d1aaa21
commit 19cd4e1967
1 changed files with 14 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/core/namespace.c
View File

@ -2114,25 +2114,9 @@ static int make_tmp_prefix(const char *prefix) {
}
static int make_tmp_subdir(const char *parent, char **ret) {
_cleanup_free_ char *y = NULL;
y = path_join(parent, "/tmp");
if (!y)
return -ENOMEM;
RUN_WITH_UMASK(0000) {
if (mkdir(y, 0777 | S_ISVTX) < 0)
return -errno;
}
if (ret)
*ret = TAKE_PTR(y);
return 0;
}
static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, char **tmp_path) {
_cleanup_free_ char *x = NULL;
_cleanup_free_ char *y = NULL;
char bid[SD_ID128_STRING_MAX];
sd_id128_t boot_id;
bool rw = true;
@ -2166,9 +2150,21 @@ static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, ch
}
if (rw) {
r = make_tmp_subdir(x, tmp_path);
y = strjoin(x, "/tmp");
if (!y)
return -ENOMEM;
RUN_WITH_UMASK(0000) {
if (mkdir(y, 0777 | S_ISVTX) < 0)
return -errno;
}
r = label_fix_container(y, prefix, 0);
if (r < 0)
return r;
if (tmp_path)
*tmp_path = TAKE_PTR(y);
} else {
/* Trouble: we failed to create the directory. Instead of failing, let's simulate /tmp being
* read-only. This way the service will get the EROFS result as if it was writing to the real