authorLennart Poettering <lennart@poettering.net>2014-06-06 14:48:51 +0200
committerLennart Poettering <lennart@poettering.net>2014-06-06 14:48:51 +0200
commit051be1f71c9ab82a88da8f33e95882aa386a5541 (patch)
tree2fb81ff083191de1452405f1bb0d37323c76920d
parent3c52ad9237ead4fc26888348f3da74d896fb06ab (diff)
namespace: cover /boot with ProtectSystem= again
Now that we properly exclude autofs mounts from ProtectSystem= we can include it in the effect of ProtectSystem= again.
-rw-r--r--src/core/namespace.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index f11065ee4b..3b5402b7cd 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -367,7 +367,7 @@ int setup_namespace(
strv_length(inaccessible_dirs) +
private_dev +
(protect_home != PROTECT_HOME_NO ? 3 : 0) +
- (protect_system != PROTECT_SYSTEM_NO ? 1 : 0) +
+ (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
(protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
if (n > 0) {
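Review bot: The `2` on the added line is a hand-maintained count that has to agree with the STRV lists handed to append_mounts() in the second hunk (now "/usr" and "-/boot" for any ProtectSystem= setting, plus "/etc" for full); nothing in the code ties the two together, so the next path added to one list but not the other presumably leaves `n` wrong for whatever it sizes. A comment on the count line would at least make the coupling visible, `/* "/usr" and "-/boot"; keep in sync with the append_mounts() lists below */`, and deriving the count from the same lists would remove the hazard entirely. The enclosing setup_namespace() starts before this hunk and the code that consumes `n` is outside it as well.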
@@ -409,7 +409,7 @@ int setup_namespace(
}
if (protect_system != PROTECT_SYSTEM_NO) {
- r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc") : STRV_MAKE("/usr"), READONLY);
+ r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
if (r < 0)
return r;
}
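Review bot: The leading `-` on "-/boot" carries meaning that is not explained at the call site; it appears to mark the entry as one whose mount failure is tolerated (the commit message ties this to /boot now being safe once autofs mounts are excluded), but a reader of this line cannot tell that from the code shown. A short comment above the added line would document the hardening intent and the optional-entry prefix, e.g. `/* /boot is read-only too; the "-" prefix makes the entry optional since /boot need not exist or be mounted */`, with the exact prefix semantics confirmed against append_mounts(). The assignment also grew into a long single line; splitting the two STRV_MAKE() alternatives onto their own lines would make the difference between the full and non-full lists easier to review.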