authorDjalal Harouni <tixxdz@opendz.org>2016-10-25 16:24:35 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-10-27 09:40:21 +0200
commit50b3dfb9d64872025450aa63765206720be471d6 (patch)
tree0a8a5b3feff14183e2b8b937c2c3c4dab79d8ba1 /src/core/execute.c
parent2b3c1b9e9d7a09b1f974f8d702da8ebaeff036f6 (diff)
core: lets apply working directory just after mount namespaces
This moves applying the groups to after applying the working directory. This may allow some flexibility, but at the same time it is not a big deal, since we don't execute or do anything between applying the working directory and dropping groups.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 0b6fcc9ac7..a9e39f6fd7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2559,6 +2559,13 @@ static int exec_child(
}
}
+ /* Apply just after mount namespace setup */
+ r = apply_working_directory(context, params, home, needs_mount_namespace);
+ if (r < 0) {
+ *exit_status = EXIT_CHROOT;
+ return r;
+ }
+
/* Drop group as early as possbile */
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
r = enforce_groups(context, gid, supplementary_gids, ngids);
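Review bot: The added apply_working_directory() call now runs before enforce_groups(), so the directory change is resolved while the process still holds its original group credentials. Judging by EXIT_CHROOT and the needs_mount_namespace argument, that step may also change the root. The new one-line comment does not record this ordering constraint, and the existing "Drop group as early as possbile" comment directly below is no longer strictly accurate. I would state the invariant in the comment, for example `/* Apply the working directory right after mount namespace setup and before groups are dropped; nothing that runs untrusted code or depends on group membership may be added between this call and enforce_groups() */`. From the visible call, enforce_groups() takes already-resolved gids, so it presumably needs no lookup inside the new root, but that is worth confirming since exec_child()'s body starts and continues outside this hunk.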
@@ -2568,12 +2575,6 @@ static int exec_child(
}
}
- r = apply_working_directory(context, params, home, needs_mount_namespace);
- if (r < 0) {
- *exit_status = EXIT_CHROOT;
- return r;
- }
-
#ifdef HAVE_SELINUX
if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
mac_selinux_use() &&