shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-07 18:27:04 +03:00
Code

Merge pull request #5420 from OpenDZ/tixxdz/namespace-fixes-v2

Browse Source 
Namespace: RootImage= RootDirectory= and MountAPIVFS fixes
This commit is contained in:
Lennart Poettering 2017-05-09 20:42:32 +02:00 committed by GitHub
commit 4e168f4606
3 changed files with 24 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/core/execute.c
View File

@ -1670,7 +1670,7 @@ static bool exec_needs_mount_namespace(
context->protect_control_groups) context->protect_control_groups)
return true; return true;
if (context->mount_apivfs) if (context->mount_apivfs && (context->root_image || context->root_directory))
return true; return true;
return false; return false;

28
src/core/namespace.c
View File

@ -27,6 +27,7 @@
#include <linux/fs.h> #include <linux/fs.h>
#include "alloc-util.h" #include "alloc-util.h"
#include "base-filesystem.h"
#include "dev-setup.h" #include "dev-setup.h"
#include "fd-util.h" #include "fd-util.h"
#include "fs-util.h" #include "fs-util.h"
@ -815,18 +816,24 @@ static int make_read_only(MountEntry *m, char **blacklist) {
return r; return r;
} }
static bool namespace_info_mount_apivfs(const NameSpaceInfo *ns_info) { static bool namespace_info_mount_apivfs(const char *root_directory, const NameSpaceInfo *ns_info) {
assert(ns_info); assert(ns_info);
/* ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=, since to protect the API VFS mounts, /*
* they need to be around in the first place... */ * ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=,
* since to protect the API VFS mounts, they need to be around in the
* first place... and RootDirectory= or RootImage= need to be set.
*/
return ns_info->mount_apivfs || /* root_directory should point to a mount point */
ns_info->protect_control_groups || return root_directory &&
ns_info->protect_kernel_tunables; (ns_info->mount_apivfs ||
ns_info->protect_control_groups ||
ns_info->protect_kernel_tunables);
} }
static unsigned namespace_calculate_mounts( static unsigned namespace_calculate_mounts(
const char* root_directory,
const NameSpaceInfo *ns_info, const NameSpaceInfo *ns_info,
char** read_write_paths, char** read_write_paths,
char** read_only_paths, char** read_only_paths,
@ -863,7 +870,7 @@ static unsigned namespace_calculate_mounts(
(ns_info->protect_control_groups ? 1 : 0) + (ns_info->protect_control_groups ? 1 : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) + (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
protect_home_cnt + protect_system_cnt + protect_home_cnt + protect_system_cnt +
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0); (namespace_info_mount_apivfs(root_directory, ns_info) ? ELEMENTSOF(apivfs_table) : 0);
} }
int setup_namespace( int setup_namespace(
@ -931,6 +938,7 @@ int setup_namespace(
} }
n_mounts = namespace_calculate_mounts( n_mounts = namespace_calculate_mounts(
root_directory,
ns_info, ns_info,
read_write_paths, read_write_paths,
read_only_paths, read_only_paths,
@ -1009,7 +1017,7 @@ int setup_namespace(
if (r < 0) if (r < 0)
goto finish; goto finish;
if (namespace_info_mount_apivfs(ns_info)) { if (namespace_info_mount_apivfs(root_directory, ns_info)) {
r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths); r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths);
if (r < 0) if (r < 0)
goto finish; goto finish;
@ -1044,6 +1052,10 @@ int setup_namespace(
} }
} }
/* Try to set up the new root directory before mounting anything there */
if (root_directory)
(void) base_filesystem_create(root_directory, UID_INVALID, GID_INVALID);
if (root_image) { if (root_image) {
r = dissected_image_mount(dissected_image, root_directory, dissect_image_flags); r = dissected_image_mount(dissected_image, root_directory, dissect_image_flags);
if (r < 0) if (r < 0)

3
src/shared/base-filesystem.c
View File

@ -51,6 +51,9 @@ static const BaseFilesystem table[] = {
{ "usr", 0755, NULL, NULL }, { "usr", 0755, NULL, NULL },
{ "var", 0755, NULL, NULL }, { "var", 0755, NULL, NULL },
{ "etc", 0755, NULL, NULL }, { "etc", 0755, NULL, NULL },
{ "proc", 0755, NULL, NULL, true },
{ "sys", 0755, NULL, NULL, true },
{ "dev", 0755, NULL, NULL, true },
#if defined(__i386__) || defined(__x86_64__) #if defined(__i386__) || defined(__x86_64__)
{ "lib64", 0, "usr/lib/x86_64-linux-gnu\0" { "lib64", 0, "usr/lib/x86_64-linux-gnu\0"
"usr/lib64\0", "ld-linux-x86-64.so.2" }, "usr/lib64\0", "ld-linux-x86-64.so.2" },