1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-07 18:27:04 +03:00

Merge pull request #5420 from OpenDZ/tixxdz/namespace-fixes-v2

Namespace: RootImage= RootDirectory= and MountAPIVFS fixes
This commit is contained in:
Lennart Poettering 2017-05-09 20:42:32 +02:00 committed by GitHub
commit 4e168f4606
3 changed files with 24 additions and 9 deletions

View File

@ -1670,7 +1670,7 @@ static bool exec_needs_mount_namespace(
context->protect_control_groups)
return true;
if (context->mount_apivfs)
if (context->mount_apivfs && (context->root_image || context->root_directory))
return true;
return false;

View File

@ -27,6 +27,7 @@
#include <linux/fs.h>
#include "alloc-util.h"
#include "base-filesystem.h"
#include "dev-setup.h"
#include "fd-util.h"
#include "fs-util.h"
@ -815,18 +816,24 @@ static int make_read_only(MountEntry *m, char **blacklist) {
return r;
}
static bool namespace_info_mount_apivfs(const NameSpaceInfo *ns_info) {
static bool namespace_info_mount_apivfs(const char *root_directory, const NameSpaceInfo *ns_info) {
assert(ns_info);
/* ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=, since to protect the API VFS mounts,
* they need to be around in the first place... */
/*
* ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=,
* since to protect the API VFS mounts, they need to be around in the
* first place... and RootDirectory= or RootImage= need to be set.
*/
return ns_info->mount_apivfs ||
/* root_directory should point to a mount point */
return root_directory &&
(ns_info->mount_apivfs ||
ns_info->protect_control_groups ||
ns_info->protect_kernel_tunables;
ns_info->protect_kernel_tunables);
}
static unsigned namespace_calculate_mounts(
const char* root_directory,
const NameSpaceInfo *ns_info,
char** read_write_paths,
char** read_only_paths,
@ -863,7 +870,7 @@ static unsigned namespace_calculate_mounts(
(ns_info->protect_control_groups ? 1 : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
protect_home_cnt + protect_system_cnt +
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
(namespace_info_mount_apivfs(root_directory, ns_info) ? ELEMENTSOF(apivfs_table) : 0);
}
int setup_namespace(
@ -931,6 +938,7 @@ int setup_namespace(
}
n_mounts = namespace_calculate_mounts(
root_directory,
ns_info,
read_write_paths,
read_only_paths,
@ -1009,7 +1017,7 @@ int setup_namespace(
if (r < 0)
goto finish;
if (namespace_info_mount_apivfs(ns_info)) {
if (namespace_info_mount_apivfs(root_directory, ns_info)) {
r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
@ -1044,6 +1052,10 @@ int setup_namespace(
}
}
/* Try to set up the new root directory before mounting anything there */
if (root_directory)
(void) base_filesystem_create(root_directory, UID_INVALID, GID_INVALID);
if (root_image) {
r = dissected_image_mount(dissected_image, root_directory, dissect_image_flags);
if (r < 0)

View File

@ -51,6 +51,9 @@ static const BaseFilesystem table[] = {
{ "usr", 0755, NULL, NULL },
{ "var", 0755, NULL, NULL },
{ "etc", 0755, NULL, NULL },
{ "proc", 0755, NULL, NULL, true },
{ "sys", 0755, NULL, NULL, true },
{ "dev", 0755, NULL, NULL, true },
#if defined(__i386__) || defined(__x86_64__)
{ "lib64", 0, "usr/lib/x86_64-linux-gnu\0"
"usr/lib64\0", "ld-linux-x86-64.so.2" },