shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-09-13 05:44:40 +03:00
Code Activity

Merge pull request #32490 from YHNdnzj/namespace-cleanup

Browse Source 
core: trivial cleanups for setup_namespace
This commit is contained in:
Daan De Meyer
2024-04-26 08:29:32 +02:00
committed by GitHub
parent ae68d27a7e 01a0896f3c
commit 469fdfbc97
3 changed files with 33 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
src/core/exec-invoke.c
View File

@@ -2292,10 +2292,10 @@ static int setup_exec_directory(
gid = 0; gid = 0;
} }
for (size_t i = 0; i < context->directories[type].n_items; i++) { FOREACH_ARRAY(i, context->directories[type].items, context->directories[type].n_items) {
_cleanup_free_ char *p = NULL, *pp = NULL; _cleanup_free_ char *p = NULL, *pp = NULL;
p = path_join(params->prefix[type], context->directories[type].items[i].path); p = path_join(params->prefix[type], i->path);
if (!p) { if (!p) {
r = -ENOMEM; r = -ENOMEM;
goto fail; goto fail;
@@ -2332,9 +2332,9 @@ static int setup_exec_directory(
* under the configuration hierarchy. */ * under the configuration hierarchy. */
if (type == EXEC_DIRECTORY_STATE) if (type == EXEC_DIRECTORY_STATE)
q = path_join(params->prefix[EXEC_DIRECTORY_CONFIGURATION], context->directories[type].items[i].path); q = path_join(params->prefix[EXEC_DIRECTORY_CONFIGURATION], i->path);
else if (type == EXEC_DIRECTORY_LOGS) else if (type == EXEC_DIRECTORY_LOGS)
q = path_join(params->prefix[EXEC_DIRECTORY_CONFIGURATION], "log", context->directories[type].items[i].path); q = path_join(params->prefix[EXEC_DIRECTORY_CONFIGURATION], "log", i->path);
else else
assert_not_reached(); assert_not_reached();
if (!q) { if (!q) {
@@ -2397,7 +2397,7 @@ static int setup_exec_directory(
if (r < 0) if (r < 0)
goto fail; goto fail;
if (!path_extend(&pp, context->directories[type].items[i].path)) { if (!path_extend(&pp, i->path)) {
r = -ENOMEM; r = -ENOMEM;
goto fail; goto fail;
} }
@@ -2431,7 +2431,7 @@ static int setup_exec_directory(
goto fail; goto fail;
} }
if (!context->directories[type].items[i].only_create) { if (!i->only_create) {
/* And link it up from the original place. /* And link it up from the original place.
* Notes * Notes
* 1) If a mount namespace is going to be used, then this symlink remains on * 1) If a mount namespace is going to be used, then this symlink remains on
@@ -2468,7 +2468,7 @@ static int setup_exec_directory(
if (r < 0) if (r < 0)
goto fail; goto fail;
q = path_join(params->prefix[type], "private", context->directories[type].items[i].path); q = path_join(params->prefix[type], "private", i->path);
if (!q) { if (!q) {
r = -ENOMEM; r = -ENOMEM;
goto fail; goto fail;
@@ -2522,7 +2522,7 @@ static int setup_exec_directory(
params, params,
"%s \'%s\' already exists but the mode is different. " "%s \'%s\' already exists but the mode is different. "
"(File system: %o %sMode: %o)", "(File system: %o %sMode: %o)",
exec_directory_type_to_string(type), context->directories[type].items[i].path, exec_directory_type_to_string(type), i->path,
st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777); st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777);
continue; continue;
@@ -2553,10 +2553,8 @@ static int setup_exec_directory(
/* If we are not going to run in a namespace, set up the symlinks - otherwise /* If we are not going to run in a namespace, set up the symlinks - otherwise
* they are set up later, to allow configuring empty var/run/etc. */ * they are set up later, to allow configuring empty var/run/etc. */
if (!needs_mount_namespace) if (!needs_mount_namespace)
for (size_t i = 0; i < context->directories[type].n_items; i++) { FOREACH_ARRAY(i, context->directories[type].items, context->directories[type].n_items) {
r = create_many_symlinks(params->prefix[type], r = create_many_symlinks(params->prefix[type], i->path, i->symlinks);
context->directories[type].items[i].path,
context->directories[type].items[i].symlinks);
if (r < 0) if (r < 0)
goto fail; goto fail;
} }
@@ -2623,8 +2621,8 @@ static int compile_bind_mounts(
if (!params->prefix[t]) if (!params->prefix[t])
continue; continue;
for (size_t i = 0; i < context->directories[t].n_items; i++) FOREACH_ARRAY(i, context->directories[t].items, context->directories[t].n_items)
n += !context->directories[t].items[i].only_create; n += !i->only_create;
} }
if (n <= 0) { if (n <= 0) {
@@ -2638,8 +2636,7 @@ static int compile_bind_mounts(
if (!bind_mounts) if (!bind_mounts)
return -ENOMEM; return -ENOMEM;
for (size_t i = 0; i < context->n_bind_mounts; i++) { FOREACH_ARRAY(item, context->bind_mounts, context->n_bind_mounts) {
BindMount *item = context->bind_mounts + i;
_cleanup_free_ char *s = NULL, *d = NULL; _cleanup_free_ char *s = NULL, *d = NULL;
s = strdup(item->source); s = strdup(item->source);
@@ -2683,18 +2680,18 @@ static int compile_bind_mounts(
return r; return r;
} }
for (size_t i = 0; i < context->directories[t].n_items; i++) { FOREACH_ARRAY(i, context->directories[t].items, context->directories[t].n_items) {
_cleanup_free_ char *s = NULL, *d = NULL; _cleanup_free_ char *s = NULL, *d = NULL;
/* When one of the parent directories is in the list, we cannot create the symlink /* When one of the parent directories is in the list, we cannot create the symlink
* for the child directory. See also the comments in setup_exec_directory(). */ * for the child directory. See also the comments in setup_exec_directory(). */
if (context->directories[t].items[i].only_create) if (i->only_create)
continue; continue;
if (exec_directory_is_private(context, t)) if (exec_directory_is_private(context, t))
s = path_join(params->prefix[t], "private", context->directories[t].items[i].path); s = path_join(params->prefix[t], "private", i->path);
else else
s = path_join(params->prefix[t], context->directories[t].items[i].path); s = path_join(params->prefix[t], i->path);
if (!s) if (!s)
return -ENOMEM; return -ENOMEM;
@@ -2703,7 +2700,7 @@ static int compile_bind_mounts(
/* When RootDirectory= or RootImage= are set, then the symbolic link to the private /* When RootDirectory= or RootImage= are set, then the symbolic link to the private
* directory is not created on the root directory. So, let's bind-mount the directory * directory is not created on the root directory. So, let's bind-mount the directory
* on the 'non-private' place. */ * on the 'non-private' place. */
d = path_join(params->prefix[t], context->directories[t].items[i].path); d = path_join(params->prefix[t], i->path);
else else
d = strdup(s); d = strdup(s);
if (!d) if (!d)
@@ -2712,10 +2709,8 @@ static int compile_bind_mounts(
bind_mounts[h++] = (BindMount) { bind_mounts[h++] = (BindMount) {
.source = TAKE_PTR(s), .source = TAKE_PTR(s),
.destination = TAKE_PTR(d), .destination = TAKE_PTR(d),
.read_only = false,
.nosuid = context->dynamic_user, /* don't allow suid/sgid when DynamicUser= is on */ .nosuid = context->dynamic_user, /* don't allow suid/sgid when DynamicUser= is on */
.recursive = true, .recursive = true,
.ignore_enoent = false,
}; };
} }
} }
@@ -2745,14 +2740,14 @@ static int compile_symlinks(
assert(params); assert(params);
assert(ret_symlinks); assert(ret_symlinks);
for (ExecDirectoryType dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) { for (ExecDirectoryType dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++)
for (size_t i = 0; i < context->directories[dt].n_items; i++) { FOREACH_ARRAY(i, context->directories[dt].items, context->directories[dt].n_items) {
_cleanup_free_ char *private_path = NULL, *path = NULL; _cleanup_free_ char *private_path = NULL, *path = NULL;
STRV_FOREACH(symlink, context->directories[dt].items[i].symlinks) { STRV_FOREACH(symlink, i->symlinks) {
_cleanup_free_ char *src_abs = NULL, *dst_abs = NULL; _cleanup_free_ char *src_abs = NULL, *dst_abs = NULL;
src_abs = path_join(params->prefix[dt], context->directories[dt].items[i].path); src_abs = path_join(params->prefix[dt], i->path);
dst_abs = path_join(params->prefix[dt], *symlink); dst_abs = path_join(params->prefix[dt], *symlink);
if (!src_abs || !dst_abs) if (!src_abs || !dst_abs)
return -ENOMEM; return -ENOMEM;
@@ -2764,14 +2759,14 @@ static int compile_symlinks(
if (!exec_directory_is_private(context, dt) || if (!exec_directory_is_private(context, dt) ||
exec_context_with_rootfs(context) || exec_context_with_rootfs(context) ||
context->directories[dt].items[i].only_create) i->only_create)
continue; continue;
private_path = path_join(params->prefix[dt], "private", context->directories[dt].items[i].path); private_path = path_join(params->prefix[dt], "private", i->path);
if (!private_path) if (!private_path)
return -ENOMEM; return -ENOMEM;
path = path_join(params->prefix[dt], context->directories[dt].items[i].path); path = path_join(params->prefix[dt], i->path);
if (!path) if (!path)
return -ENOMEM; return -ENOMEM;
@@ -2779,7 +2774,6 @@ static int compile_symlinks(
if (r < 0) if (r < 0)
return r; return r;
} }
}
/* We make the host's os-release available via a symlink, so that we can copy it atomically /* We make the host's os-release available via a symlink, so that we can copy it atomically
* and readers will never get a half-written version. Note that, while the paths specified here are * and readers will never get a half-written version. Note that, while the paths specified here are
@@ -2830,8 +2824,8 @@ static bool insist_on_sandboxing(
/* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
* essential. */ * essential. */
for (size_t i = 0; i < n_bind_mounts; i++) FOREACH_ARRAY(i, bind_mounts, n_bind_mounts)
if (!path_equal(bind_mounts[i].source, bind_mounts[i].destination)) if (!path_equal(i->source, i->destination))
return true; return true;
if (context->log_namespace) if (context->log_namespace)

8
src/core/namespace.c
View File

@@ -1474,6 +1474,8 @@ static int follow_symlink(
_cleanup_free_ char *target = NULL; _cleanup_free_ char *target = NULL;
int r; int r;
assert(m);
/* Let's chase symlinks, but only one step at a time. That's because depending where the symlink points we /* Let's chase symlinks, but only one step at a time. That's because depending where the symlink points we
* might need to change the order in which we mount stuff. Hence: let's normalize piecemeal, and do one step at * might need to change the order in which we mount stuff. Hence: let's normalize piecemeal, and do one step at
* a time by specifying CHASE_STEP. This function returns 0 if we resolved one step, and > 0 if we reached the * a time by specifying CHASE_STEP. This function returns 0 if we resolved one step, and > 0 if we reached the
@@ -1614,13 +1616,13 @@ static int apply_one_mount(
host_os_release_id, host_os_release_id,
host_os_release_version_id, host_os_release_version_id,
host_os_release_level, host_os_release_level,
/* host_extension_scope */ NULL, /* Leave empty, we need to accept both system and portable */ /* host_extension_scope = */ NULL, /* Leave empty, we need to accept both system and portable */
extension_release, extension_release,
class); class);
if (r == 0)
return log_debug_errno(SYNTHETIC_ERRNO(ESTALE), "Directory %s extension-release metadata does not match the root's", extension_name);
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to compare directory %s extension-release metadata with the root's os-release: %m", extension_name); return log_debug_errno(r, "Failed to compare directory %s extension-release metadata with the root's os-release: %m", extension_name);
if (r == 0)
return log_debug_errno(SYNTHETIC_ERRNO(ESTALE), "Directory %s extension-release metadata does not match the root's", extension_name);
_fallthrough_; _fallthrough_;
} }

2
src/shared/mount-setup.c
View File

@@ -69,7 +69,7 @@ static bool check_recursiveprot_supported(void) {
r = mount_option_supported("cgroup2", "memory_recursiveprot", NULL); r = mount_option_supported("cgroup2", "memory_recursiveprot", NULL);
if (r < 0) if (r < 0)
log_debug_errno(r, "Failed to determiner whether the 'memory_recursiveprot' mount option is supported, assuming not: %m"); log_debug_errno(r, "Failed to determine whether the 'memory_recursiveprot' mount option is supported, assuming not: %m");
else if (r == 0) else if (r == 0)
log_debug("This kernel version does not support 'memory_recursiveprot', not using mount option."); log_debug("This kernel version does not support 'memory_recursiveprot', not using mount option.");