diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-06-06 14:48:51 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-06-06 14:48:51 +0200 |
commit | 051be1f71c9ab82a88da8f33e95882aa386a5541 (patch) | |
tree | 2fb81ff083191de1452405f1bb0d37323c76920d | |
parent | 3c52ad9237ead4fc26888348f3da74d896fb06ab (diff) |
namespace: cover /boot with ProtectSystem= again
Now that we properly exclude autofs mounts from ProtectSystem= we can
include it in the effect of ProtectSystem= again.
-rw-r--r-- | src/core/namespace.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c index f11065ee4b..3b5402b7cd 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -367,7 +367,7 @@ int setup_namespace( strv_length(inaccessible_dirs) + private_dev + (protect_home != PROTECT_HOME_NO ? 3 : 0) + - (protect_system != PROTECT_SYSTEM_NO ? 1 : 0) + + (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) + (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0); if (n > 0) { @@ -409,7 +409,7 @@ int setup_namespace( } if (protect_system != PROTECT_SYSTEM_NO) { - r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc") : STRV_MAKE("/usr"), READONLY); + r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY); if (r < 0) return r; } |