authorLennart Poettering <lennart@poettering.net>2016-08-25 17:30:47 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-09-25 10:42:18 +0200
commit1e4e94c8819e2fe3a7217690c0590dba8ab0be9e (patch)
tree0757abb0cbf7672a2d80298ff20facdc257fd3ed
parent096424d1230e0a0339735c51b43949809e972430 (diff)
namespace: invoke unshare() only after checking all parameters
Let's create the new namespace only after we validated and processed all parameters, right before we start with actually mounting things. This way, the window where we can roll back is larger (not that it matters IRL...)
-rw-r--r--src/core/namespace.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 498cd139bf..356d3c8121 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -462,9 +462,6 @@ int setup_namespace(
if (mount_flags == 0)
mount_flags = MS_SHARED;
- if (unshare(CLONE_NEWNS) < 0)
- return -errno;
-
n = !!tmp_dir + !!var_tmp_dir +
strv_length(read_write_paths) +
strv_length(read_only_paths) +
@@ -606,6 +603,9 @@ int setup_namespace(
drop_nop(mounts, &n);
}
+ if (unshare(CLONE_NEWNS) < 0)
+ return -errno;
+
if (n > 0 || root_directory) {
/* Remount / as SLAVE so that nothing now mounted in the namespace
shows up in the parent */
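Review bot: The relocated `unshare(CLONE_NEWNS)` in the second hunk has no comment marking it as the point where the function switches to a private mount namespace, and correctness now depends on that ordering. Any mount-table operation later added above this line would act on the caller's namespace instead of the new one. I would add a comment directly above the call, for example `/* Everything below runs in the new mount namespace; code above this point must only validate and collect parameters and must not mount anything. */`. The early `return -errno` looks safe only if nothing acquired earlier in `setup_namespace()` needs explicit release. That cannot be confirmed here, because the function body starts and ends outside the hunk.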