core/execute: introduce exec_needs_ipc_namespace() helper function

This also fixes a missing condition in exec_runtime_make().
2025-01-27 18:04:05 +03:00 · 2023-02-18 07:07:50 +09:00 · 2023-02-18 07:07:50 +09:00 · fde36d2581
commit fde36d2581
parent fbbb9697b6
1 changed files with 11 additions and 6 deletions
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -2029,6 +2029,12 @@ bool exec_needs_network_namespace(const ExecContext *context) {
        return context->private_network || context->network_namespace_path;
 }

+static bool exec_needs_ipc_namespace(const ExecContext *context) {
+        assert(context);
+
+        return context->private_ipc || context->ipc_namespace_path;
+}
+
 bool exec_needs_mount_namespace(
                const ExecContext *context,
                const ExecParameters *params,
@ -2077,8 +2083,7 @@ bool exec_needs_mount_namespace(
            context->protect_control_groups ||
            context->protect_proc != PROTECT_PROC_DEFAULT ||
            context->proc_subset != PROC_SUBSET_ALL ||
-            context->private_ipc ||
-            context->ipc_namespace_path)
+            exec_needs_ipc_namespace(context))
                return true;

        if (context->root_directory) {
@ -3601,7 +3606,7 @@ static int apply_mount_namespace(
                        .protect_system = context->protect_system,
                        .protect_proc = context->protect_proc,
                        .proc_subset = context->proc_subset,
-                        .private_ipc = context->private_ipc || context->ipc_namespace_path,
+                        .private_ipc = exec_needs_ipc_namespace(context),
                        /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
                        .mount_nosuid = context->no_new_privileges && !mac_selinux_use(),
                };
@ -4847,7 +4852,7 @@ static int exec_child(
                        log_unit_warning(unit, "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
        }

-        if ((context->private_ipc || context->ipc_namespace_path) && runtime && runtime->ipcns_storage_socket[0] >= 0) {
+        if (exec_needs_ipc_namespace(context) && runtime && runtime->ipcns_storage_socket[0] >= 0) {

                if (ns_type_supported(NAMESPACE_IPC)) {
                        r = setup_shareable_ns(runtime->ipcns_storage_socket, CLONE_NEWIPC);
@ -6846,7 +6851,7 @@ static int exec_runtime_make(
        assert(id);

        /* It is not necessary to create ExecRuntime object. */
-        if (!exec_needs_network_namespace(c) && !c->private_ipc && !c->private_tmp) {
+        if (!exec_needs_network_namespace(c) && !exec_needs_ipc_namespace(c) && !c->private_tmp) {
                *ret = NULL;
                return 0;
        }
@ -6865,7 +6870,7 @@ static int exec_runtime_make(
                        return -errno;
        }

-        if (c->private_ipc || c->ipc_namespace_path) {
+        if (exec_needs_ipc_namespace(c)) {
                if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, ipcns_storage_socket) < 0)
                        return -errno;
        }