shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-11 09:18:07 +03:00
Code

namespace: convert ProtectHostname= logic to a static table

Browse Source 
Let's simplify things, and make them more alike handling more similar to
the other ProtectXYZ= settings.
This commit is contained in:
Lennart Poettering 2023-10-16 10:36:17 +02:00
parent 063c977a79
commit 3d1b999b53
1 changed files with 17 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
src/core/namespace.c
View File

@ -194,13 +194,10 @@ static const MountEntry protect_system_full_table[] = {
{ "/etc", READONLY, false }, { "/etc", READONLY, false },
}; };
/* /* ProtectSystem=strict table. In this strict mode, we mount everything read-only, except for /proc, /dev,
* ProtectSystem=strict table. In this strict mode, we mount everything * /sys which are the kernel API VFS, which are left writable, but PrivateDevices= + ProtectKernelTunables=
* read-only, except for /proc, /dev, /sys which are the kernel API VFS, * protect those, and these options should be fully orthogonal. (And of course /home and friends are also
* which are left writable, but PrivateDevices= + ProtectKernelTunables= * left writable, as ProtectHome= shall manage those, orthogonally).
* protect those, and these options should be fully orthogonal.
* (And of course /home and friends are also left writable, as ProtectHome=
* shall manage those, orthogonally).
*/ */
static const MountEntry protect_system_strict_table[] = { static const MountEntry protect_system_strict_table[] = {
{ "/", READONLY, false }, { "/", READONLY, false },
@ -212,6 +209,12 @@ static const MountEntry protect_system_strict_table[] = {
{ "/root", READWRITE_IMPLICIT, true }, /* ProtectHome= */ { "/root", READWRITE_IMPLICIT, true }, /* ProtectHome= */
}; };
/* ProtectHostname=yes able */
static const MountEntry protect_hostname_table[] = {
{ "/proc/sys/kernel/hostname", READONLY, false },
{ "/proc/sys/kernel/domainname", READONLY, false },
};
static const char * const mount_mode_table[_MOUNT_MODE_MAX] = { static const char * const mount_mode_table[_MOUNT_MODE_MAX] = {
[INACCESSIBLE] = "inaccessible", [INACCESSIBLE] = "inaccessible",
[OVERLAY_MOUNT] = "overlay", [OVERLAY_MOUNT] = "overlay",
@ -2279,25 +2282,13 @@ int setup_namespace(const NamespaceParameters *p, char **error_path) {
/* Note, if proc is mounted with subset=pid then neither of the two paths will exist, i.e. they are /* Note, if proc is mounted with subset=pid then neither of the two paths will exist, i.e. they are
* implicitly protected by the mount option. */ * implicitly protected by the mount option. */
if (p->protect_hostname) { if (p->protect_hostname) {
MountEntry *me = mount_list_extend(&ml); r = append_static_mounts(
if (!me) &ml,
return log_oom_debug(); protect_hostname_table,
ELEMENTSOF(protect_hostname_table),
*me = (MountEntry) { ignore_protect_proc);
.path_const = "/proc/sys/kernel/hostname", if (r < 0)
.mode = READONLY, return r;
.ignore = ignore_protect_proc,
};
me = mount_list_extend(&ml);
if (!me)
return log_oom_debug();
*me = (MountEntry) {
.path_const = "/proc/sys/kernel/domainname",
.mode = READONLY,
.ignore = ignore_protect_proc,
};
} }
if (p->private_network) { if (p->private_network) {