core/namespace: several fixes for recently merged PRs (#35580)
Fixes #35546. Fixes #35566.
5575bf5fac
@ -78,6 +78,7 @@ wrap=(
|
||||
su
|
||||
tar
|
||||
tgtd
|
||||
unshare
|
||||
useradd
|
||||
userdel
|
||||
veritysetup
|
||||
@ -100,7 +101,7 @@ for bin in "${wrap[@]}"; do
|
||||
|
||||
cat >"$BUILDROOT/$target" <<EOF
|
||||
#!/bin/bash
|
||||
# Preload the ASan runtime DSO, otherwise ASAn will complain
|
||||
# Preload the ASan runtime DSO, otherwise ASan will complain
|
||||
export LD_PRELOAD="$ASAN_RT_PATH"
|
||||
# Disable LSan to speed things up, since we don't care about leak reports
|
||||
# from 'external' binaries
|
||||
|
@ -3449,16 +3449,12 @@ static int apply_mount_namespace(
|
||||
.protect_kernel_tunables = needs_sandboxing && context->protect_kernel_tunables,
|
||||
.protect_kernel_modules = needs_sandboxing && context->protect_kernel_modules,
|
||||
.protect_kernel_logs = needs_sandboxing && context->protect_kernel_logs,
|
||||
/* Only mount /proc/sys/kernel/hostname and domainname read-only if ProtectHostname=yes. Otherwise, ProtectHostname=no
|
||||
* allows changing hostname for the host and ProtectHostname=private allows changing the hostname in the unit's UTS
|
||||
* namespace. */
|
||||
.protect_hostname = needs_sandboxing && context->protect_hostname == PROTECT_HOSTNAME_YES,
|
||||
|
||||
.private_dev = needs_sandboxing && context->private_devices,
|
||||
.private_network = needs_sandboxing && exec_needs_network_namespace(context),
|
||||
.private_ipc = needs_sandboxing && exec_needs_ipc_namespace(context),
|
||||
.private_pids = needs_sandboxing && exec_needs_pid_namespace(context) ? context->private_pids : PRIVATE_PIDS_NO,
|
||||
.private_tmp = needs_sandboxing ? context->private_tmp : false,
|
||||
.private_tmp = needs_sandboxing ? context->private_tmp : PRIVATE_TMP_NO,
|
||||
|
||||
.mount_apivfs = needs_sandboxing && exec_context_get_effective_mount_apivfs(context),
|
||||
.bind_log_sockets = needs_sandboxing && exec_context_get_effective_bind_log_sockets(context),
|
||||
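Review bot: `.private_pids` is the only initializer in this block that mixes `&&` and `?:` without parentheses; it parses as intended because `&&` binds tighter than `?:`, but it reads ambiguously next to the `needs_sandboxing ? x : NO` form that the new `.private_tmp` line directly below it uses. A parenthesized form, `.private_pids = (needs_sandboxing && exec_needs_pid_namespace(context)) ? context->private_pids : PRIVATE_PIDS_NO,`, makes the two-level condition visible without changing behaviour. apply_mount_namespace starts before this hunk and continues after it.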
@ -3466,10 +3462,11 @@ static int apply_mount_namespace(
|
||||
/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
|
||||
.mount_nosuid = needs_sandboxing && context->no_new_privileges && !mac_selinux_use(),
|
||||
|
||||
.protect_home = needs_sandboxing ? context->protect_home : false,
|
||||
.protect_system = needs_sandboxing ? context->protect_system : false,
|
||||
.protect_proc = needs_sandboxing ? context->protect_proc : false,
|
||||
.proc_subset = needs_sandboxing ? context->proc_subset : false,
|
||||
.protect_home = needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
|
||||
.protect_hostname = needs_sandboxing ? context->protect_hostname : PROTECT_HOSTNAME_NO,
|
||||
.protect_system = needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
|
||||
.protect_proc = needs_sandboxing ? context->protect_proc : PROTECT_PROC_DEFAULT,
|
||||
.proc_subset = needs_sandboxing ? context->proc_subset : PROC_SUBSET_ALL,
|
||||
};
|
||||
|
||||
r = setup_namespace(¶meters, reterr_path);
|
||||
|
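Review bot: `.protect_hostname` now hands the full ProtectHostname enum to NamespaceParameters instead of the bool `== PROTECT_HOSTNAME_YES` that the previous hunk removes, so any remaining truthiness test of `p->protect_hostname` in namespace.c would treat PROTECT_HOSTNAME_PRIVATE as "yes" and mount the hostname files read-only in a unit that, per the comment in the setup_namespace hunk, is meant to be able to change its own hostname. The setup_namespace hunk updates the one site visible here to `== PROTECT_HOSTNAME_YES`, and the two namespace.h hunks make the matching struct change, so this is only a request to confirm that no other boolean use of the field survives outside this diff. The `PROTECT_HOME_NO`, `PROTECT_SYSTEM_NO`, `PROTECT_PROC_DEFAULT` and `PROC_SUBSET_ALL` fallbacks are the right replacements for `false` only because each is the unrestricted member of its enum; a one-line comment above the group, `/* Without sandboxing every protection falls back to its "off" enumerator, not to 0 */`, would make that invariant explicit for the next field added here. apply_mount_namespace starts before this hunk.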
@ -2645,9 +2645,11 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) {
|
||||
return r;
|
||||
}
|
||||
|
||||
/* Note, if proc is mounted with subset=pid then neither of the two paths will exist, i.e. they are
|
||||
* implicitly protected by the mount option. */
|
||||
if (p->protect_hostname) {
|
||||
/* Only mount /proc/sys/kernel/hostname and domainname read-only if ProtectHostname=yes. Otherwise,
|
||||
* ProtectHostname=no allows changing hostname for the host, and ProtectHostname=private allows
|
||||
* changing the hostname in the unit's UTS namespace. Note, if proc is mounted with subset=pid then
|
||||
* neither of the two paths will exist, i.e. they are implicitly protected by the mount option. */
|
||||
if (p->protect_hostname == PROTECT_HOSTNAME_YES) {
|
||||
r = append_static_mounts(
|
||||
&ml,
|
||||
protect_hostname_yes_table,
|
||||
|
@ -182,7 +182,6 @@ struct NamespaceParameters {
|
||||
bool protect_kernel_tunables;
|
||||
bool protect_kernel_modules;
|
||||
bool protect_kernel_logs;
|
||||
bool protect_hostname;
|
||||
|
||||
bool private_dev;
|
||||
bool private_network;
|
||||
@ -194,6 +193,7 @@ struct NamespaceParameters {
|
||||
|
||||
ProtectControlGroups protect_control_groups;
|
||||
ProtectHome protect_home;
|
||||
ProtectHostname protect_hostname;
|
||||
ProtectSystem protect_system;
|
||||
ProtectProc protect_proc;
|
||||
ProcSubset proc_subset;
|
||||
|
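Review bot: The new `ProtectHostname protect_hostname;` member carries no comment about which of its values the mount-namespace code acts on, whereas the setup_namespace hunk in this same commit reacts only to `PROTECT_HOSTNAME_YES` and explains that `private` concerns the unit's UTS namespace rather than the read-only mounts. A short field comment, `/* Only PROTECT_HOSTNAME_YES affects the mount namespace; PRIVATE concerns the unit's UTS namespace */`, would stop a reader from treating the field as the plain on/off flag that the removed `bool` was. struct NamespaceParameters starts before this hunk.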