
core/namespace: several fixes for recently merged PRs (#35580)

Fixes #35546.
Fixes #35566.
This commit is contained in:
Daan De Meyer 2024-12-13 12:34:11 +00:00 committed by GitHub
commit 5575bf5fac
4 changed files with 14 additions and 14 deletions


@ -78,6 +78,7 @@ wrap=(
su
tar
tgtd
unshare
useradd
userdel
veritysetup
@ -100,7 +101,7 @@ for bin in "${wrap[@]}"; do
cat >"$BUILDROOT/$target" <<EOF
#!/bin/bash
# Preload the ASan runtime DSO, otherwise ASAn will complain
# Preload the ASan runtime DSO, otherwise ASan will complain
export LD_PRELOAD="$ASAN_RT_PATH"
# Disable LSan to speed things up, since we don't care about leak reports
# from 'external' binaries


@ -3449,16 +3449,12 @@ static int apply_mount_namespace(
.protect_kernel_tunables = needs_sandboxing && context->protect_kernel_tunables,
.protect_kernel_modules = needs_sandboxing && context->protect_kernel_modules,
.protect_kernel_logs = needs_sandboxing && context->protect_kernel_logs,
/* Only mount /proc/sys/kernel/hostname and domainname read-only if ProtectHostname=yes. Otherwise, ProtectHostname=no
* allows changing hostname for the host and ProtectHostname=private allows changing the hostname in the unit's UTS
* namespace. */
.protect_hostname = needs_sandboxing && context->protect_hostname == PROTECT_HOSTNAME_YES,
.private_dev = needs_sandboxing && context->private_devices,
.private_network = needs_sandboxing && exec_needs_network_namespace(context),
.private_ipc = needs_sandboxing && exec_needs_ipc_namespace(context),
.private_pids = needs_sandboxing && exec_needs_pid_namespace(context) ? context->private_pids : PRIVATE_PIDS_NO,
.private_tmp = needs_sandboxing ? context->private_tmp : false,
.private_tmp = needs_sandboxing ? context->private_tmp : PRIVATE_TMP_NO,
.mount_apivfs = needs_sandboxing && exec_context_get_effective_mount_apivfs(context),
.bind_log_sockets = needs_sandboxing && exec_context_get_effective_bind_log_sockets(context),
@ -3466,10 +3462,11 @@ static int apply_mount_namespace(
/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
.mount_nosuid = needs_sandboxing && context->no_new_privileges && !mac_selinux_use(),
.protect_home = needs_sandboxing ? context->protect_home : false,
.protect_system = needs_sandboxing ? context->protect_system : false,
.protect_proc = needs_sandboxing ? context->protect_proc : false,
.proc_subset = needs_sandboxing ? context->proc_subset : false,
.protect_home = needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
.protect_hostname = needs_sandboxing ? context->protect_hostname : PROTECT_HOSTNAME_NO,
.protect_system = needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
.protect_proc = needs_sandboxing ? context->protect_proc : PROTECT_PROC_DEFAULT,
.proc_subset = needs_sandboxing ? context->proc_subset : PROC_SUBSET_ALL,
};
r = setup_namespace(&parameters, reterr_path);
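Review bot: The initializers `.protect_home`, `.protect_hostname`, `.protect_system`, `.protect_proc` and `.proc_subset` in the second hunk (and `.private_tmp` in the first) are correct now, but nothing in the code prevents the regression the removed lines show, where `false` was assigned to enum-typed fields whose zero member is not the "off" value (`PROTECT_PROC_DEFAULT`, `PROC_SUBSET_ALL`), which compiles silently. Add a short comment above the `.protect_home` line, e.g. `/* These are enums, not bools: name the explicit "off" enumerator, 0 is not always the disabled value. */`, so the next person adding a field follows the pattern. A separate wrinkle worth stating in the same comment is that `.protect_hostname` now passes the full enum through (the old line collapsed it to a bool), so the YES-only check lives in setup_namespace rather than here. apply_mount_namespace's body begins and ends outside these hunks.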


@ -2645,9 +2645,11 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) {
return r;
}
/* Note, if proc is mounted with subset=pid then neither of the two paths will exist, i.e. they are
* implicitly protected by the mount option. */
if (p->protect_hostname) {
/* Only mount /proc/sys/kernel/hostname and domainname read-only if ProtectHostname=yes. Otherwise,
* ProtectHostname=no allows changing hostname for the host, and ProtectHostname=private allows
* changing the hostname in the unit's UTS namespace. Note, if proc is mounted with subset=pid then
* neither of the two paths will exist, i.e. they are implicitly protected by the mount option. */
if (p->protect_hostname == PROTECT_HOSTNAME_YES) {
r = append_static_mounts(
&ml,
protect_hostname_yes_table,
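Review bot: The `if (p->protect_hostname == PROTECT_HOSTNAME_YES)` check treats every other value, including any enumerator added later, as "leave /proc/sys/kernel/hostname writable", which is the permissive direction for a sandboxing option. Consider a `switch (p->protect_hostname)` with explicit `case` labels and no `default`, so `-Wswitch` reports an unhandled enumerator, or at least an `assert` that the value is within the enum's range before the comparison. The relocated comment is clear, but since the `private` case does nothing in this function it would help to say where it is handled, hedged as `/* ProtectHostname=private is handled by the UTS namespace setup, not by a mount here. */` if that matches the caller. setup_namespace's body begins and ends outside this hunk.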


@ -182,7 +182,6 @@ struct NamespaceParameters {
bool protect_kernel_tunables;
bool protect_kernel_modules;
bool protect_kernel_logs;
bool protect_hostname;
bool private_dev;
bool private_network;
@ -194,6 +193,7 @@ struct NamespaceParameters {
ProtectControlGroups protect_control_groups;
ProtectHome protect_home;
ProtectHostname protect_hostname;
ProtectSystem protect_system;
ProtectProc protect_proc;
ProcSubset proc_subset;