author | Lennart Poettering <lennart@poettering.net> | 2017-02-12 06:44:46 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2017-02-12 00:44:46 -0500 |
commit | 6818c54ca6663c008fad77d2677c61758c7215f5 (patch) | |
tree | 16af39cd1181b044b2968a04a2ff83a74680a115 /Makefile.am | |
parent | 963e3d8373a94af8093e3ca674452b366c12ac09 (diff) |
core: skip ReadOnlyPaths= and other permission-related mounts on PermissionsStartOnly= (#5309)

ReadOnlyPaths=, ProtectHome=, InaccessiblePaths= and ProtectSystem= are
about restricting access and little more, hence they should be disabled
if PermissionsStartOnly= is used or ExecStart= lines are prefixed with a
"+". Do that.

(Note that we will still create namespaces and stuff, since that's about
a lot more than just permissions. We'll simply disable the effect of
the four options mentioned above, but nothing else mount related.)

This also adds a test for this, to ensure this works as intended.

No documentation updates, as the documentation is already vague enough
to support the new behaviour ("If true, the permission-related execution
options…"). We could clarify this further, but I think we might want to
extend the switches' behaviour a bit more in future, hence leave it at
this for now.

Fixes: #5308
Diffstat (limited to 'Makefile.am')
-rw-r--r-- | Makefile.am | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index 447cf00d07..77e5aa7402 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1730,6 +1730,7 @@ EXTRA_DIST += \ test/test-execute/exec-restrict-namespaces-yes.service \ test/test-execute/exec-restrict-namespaces-mnt.service \ test/test-execute/exec-restrict-namespaces-mnt-blacklist.service \ + test/test-execute/exec-read-only-path-succeed.service \ test/bus-policy/hello.conf \ test/bus-policy/methods.conf \ test/bus-policy/ownerships.conf \ |
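Review bot: the single EXTRA_DIST entry added here, test/test-execute/exec-read-only-path-succeed.service, is named for ReadOnlyPaths= and for the success case only, while the commit message says the change affects four options (ReadOnlyPaths=, ProtectHome=, InaccessiblePaths= and ProtectSystem=). This view is limited to Makefile.am, so the unit's contents are not visible, but judging by the name I would ask for units covering the other three options as well, plus a negative counterpart showing the restrictions are still enforced when neither PermissionsStartOnly= nor the "+" prefix is in use, so that a regression which drops these mounts unconditionally does not pass unnoticed. Each additional unit would need its own line in this EXTRA_DIST list so that it ships in the tarball.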