authorLennart Poettering <lennart@poettering.net>2016-12-22 23:34:35 +0100
committerLennart Poettering <lennart@poettering.net>2017-02-07 11:22:05 +0100
commit5d997827e2ebe5d4f438748d1ac87c10c29045c6 (patch)
tree28f9edefba7c8065ed0395d97820a47471457fcc /src/core/execute.c
parent1eb7e08e20a329b1f074968c88fee5d8adf3bbaf (diff)
core: add a per-unit setting MountAPIVFS= for mounting /dev, /proc, /sys in conjunction with RootDirectory=
This adds a boolean unit file setting MountAPIVFS=. If set, the three main API VFS mounts will be mounted for the service. This only has an effect in conjunction with RootDirectory=, which it makes a lot more useful. (This is basically the /dev + /proc + /sys mounting code posted in the original #4727, but rebased on current git, and with the automatic logic replaced by explicit logic controlled by a unit file setting.)
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index aa0ddb564e..54f6418c5a 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1662,6 +1662,9 @@ static bool exec_needs_mount_namespace(
context->protect_control_groups)
return true;
+ if (context->mount_apivfs)
+ return true;
+
return false;
}
@@ -1942,6 +1945,7 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context,
.protect_control_groups = context->protect_control_groups,
.protect_kernel_tunables = context->protect_kernel_tunables,
.protect_kernel_modules = context->protect_kernel_modules,
+ .mount_apivfs = context->mount_apivfs,
};
assert(context);
@@ -3294,6 +3298,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
"%sPrivateUsers: %s\n"
"%sProtectHome: %s\n"
"%sProtectSystem: %s\n"
+ "%sMountAPIVFS: %s\n"
"%sIgnoreSIGPIPE: %s\n"
"%sMemoryDenyWriteExecute: %s\n"
"%sRestrictRealtime: %s\n",
@@ -3310,6 +3315,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
prefix, yes_no(c->private_users),
prefix, protect_home_to_string(c->protect_home),
prefix, protect_system_to_string(c->protect_system),
+ prefix, yes_no(c->mount_apivfs),
prefix, yes_no(c->ignore_sigpipe),
prefix, yes_no(c->memory_deny_write_execute),
prefix, yes_no(c->restrict_realtime));
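Review bot: In the first hunk, the new `if (context->mount_apivfs) return true;` in exec_needs_mount_namespace() forces a mount namespace whenever MountAPIVFS= is set, even though the commit message says the setting only has an effect together with RootDirectory=; a unit with MountAPIVFS=yes and no RootDirectory= therefore pays for namespace setup for no visible benefit, and whether the namespace code later ignores the flag in that case is not visible in this diff. Either gate the check the way the description implies, `if (context->mount_apivfs && context->root_directory) return true;`, or add a comment above it such as `/* MountAPIVFS= is only meaningful with RootDirectory=, but it still forces a namespace on its own */` so the intent is explicit. The same consideration applies to the new `.mount_apivfs = context->mount_apivfs,` initializer in the second hunk, which passes the flag on unconditionally; the enclosing functions of both hunks start and end outside the shown lines. The exec_context_dump() hunks are fine as they are.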