execute: simplify needs_sandboxing checking
Let's merge three if blocks that shall only run when sandboxing is applied into one. Note that this changes behaviour in one corner case: PrivateUsers=1 now honours both PermissionsStartOnly= and the "+" modifier in ExecStart=, and not just the former, as before. This was an oversight, so let's fix this now, at a point in time the option isn't used much yet.
parent
1703fa41a7
commit
937ccce94c
@ -2711,10 +2711,9 @@ static int exec_child(
|
|||||||
*exit_status = EXIT_GROUP;
|
*exit_status = EXIT_GROUP;
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef HAVE_SELINUX
|
#ifdef HAVE_SELINUX
|
||||||
if (needs_sandboxing && needs_selinux && params->selinux_context_net && socket_fd >= 0) {
|
if (needs_selinux && params->selinux_context_net && socket_fd >= 0) {
|
||||||
r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
|
r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
*exit_status = EXIT_SELINUX_CONTEXT;
|
*exit_status = EXIT_SELINUX_CONTEXT;
|
||||||
@ -2723,13 +2722,14 @@ static int exec_child(
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if ((params->flags & EXEC_APPLY_SANDBOXING) && context->private_users) {
|
if (context->private_users) {
|
||||||
r = setup_private_users(uid, gid);
|
r = setup_private_users(uid, gid);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
*exit_status = EXIT_USER;
|
*exit_status = EXIT_USER;
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* We repeat the fd closing here, to make sure that
|
/* We repeat the fd closing here, to make sure that
|
||||||
* nothing is leaked from the PAM modules. Note that
|
* nothing is leaked from the PAM modules. Note that
|
||||||
|
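Review bot: The `if (context->private_users)` check in the second hunk now depends entirely on the enclosing `needs_sandboxing` block, whose opening line lies outside both hunks, so nothing at this site tells a reader that user-namespace setup is deliberately skipped when sandboxing is off for the command. Because this changes which processes receive the PrivateUsers= isolation, I would add a comment directly above the check, e.g. `/* Intentionally not applied when sandboxing is disabled for this command ("+" prefix or PermissionsStartOnly=) */`. The same holds for the `needs_selinux` condition in the first hunk, which dropped its explicit `needs_sandboxing` test. The user-facing description of PrivateUsers= presumably needs the same statement; no documentation change is visible on this page.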