shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-28 02:50:16 +03:00
Code

core: insist on sandboxing if ExtensionImages/Directories are configured

Browse Source 
Same as other image mounting in the namespace
This commit is contained in:
Luca Boccassi 2022-03-17 23:37:29 +00:00 committed by Lennart Poettering
parent 827f865063
commit 4355c04fef
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/core/execute.c
View File

@ -3415,6 +3415,9 @@ static bool insist_on_sandboxing(
if (context->dynamic_user)
return true;
if (context->n_extension_images > 0 || !strv_isempty(context->extension_directories))
return true;
/* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
* essential. */
for (size_t i = 0; i < n_bind_mounts; i++)