author | Djalal Harouni <tixxdz@opendz.org> | 2016-10-25 16:24:35 +0200 |
---|---|---|
committer | Djalal Harouni <tixxdz@opendz.org> | 2016-10-27 09:40:21 +0200 |
commit | 50b3dfb9d64872025450aa63765206720be471d6 (patch) | |
tree | 0a8a5b3feff14183e2b8b937c2c3c4dab79d8ba1 /src/core/execute.c | |
parent | 2b3c1b9e9d7a09b1f974f8d702da8ebaeff036f6 (diff) |
core: lets apply working directory just after mount namespaces
This applies the groups after applying the working directory. This
may allow some flexibility, but at the same time it is not a big deal since we
don't execute or do anything between applying the working directory and
dropping groups.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r-- | src/core/execute.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 0b6fcc9ac7..a9e39f6fd7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2559,6 +2559,13 @@ static int exec_child(
 }
 }
 
+ /* Apply just after mount namespace setup */
+ r = apply_working_directory(context, params, home, needs_mount_namespace);
+ if (r < 0) {
+ *exit_status = EXIT_CHROOT;
+ return r;
+ }
+
 /* Drop group as early as possbile */
 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
 r = enforce_groups(context, gid, supplementary_gids, ngids);
@@ -2568,12 +2575,6 @@ static int exec_child(
 }
 }
 
- r = apply_working_directory(context, params, home, needs_mount_namespace);
- if (r < 0) {
- *exit_status = EXIT_CHROOT;
- return r;
- }
-
 #ifdef HAVE_SELINUX
 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
 mac_selinux_use() && |
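Review bot: The new comment `/* Apply just after mount namespace setup */` in the first hunk does not record the ordering assumption the commit message relies on, namely that nothing runs between apply_working_directory() and enforce_groups(). With this move the working-directory step (and, judging by EXIT_CHROOT, possibly a chroot) runs while the child still holds its original group credentials. I would spell that out, e.g. `/* Apply working directory right after mount namespace setup, still with the original groups; keep nothing between this and enforce_groups() below */`, so that a later insertion between the two calls is reviewed as a privilege-ordering change. The context comment `/* Drop group as early as possbile */` is no longer strictly accurate and has a typo ("possible"). exec_child() starts and ends outside this hunk, so where the uid is dropped relative to these calls is not visible here.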