authorLennart Poettering <lennart@poettering.net>2016-11-23 22:21:40 +0100
committerLennart Poettering <lennart@poettering.net>2016-12-14 00:54:10 +0100
commitd2d6c096f6373a76f3b303a7a116e7cfe7139c4d (patch)
tree090a728bbf4f98d5758806f6c21f958a8d9e982c /src/core/execute.c
parent8fceda937f3a177d9e27b403fb5e1b34138b05f5 (diff)
core: add ability to define arbitrary bind mounts for services
This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set, as it permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possesses in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 07ab067c05..2ee8c9a416 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1826,6 +1826,9 @@ static bool exec_needs_mount_namespace(
!strv_isempty(context->inaccessible_paths))
return true;
+ if (context->n_bind_mounts > 0)
+ return true;
+
if (context->mount_flags != 0)
return true;
@@ -2147,6 +2150,8 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context,
r = setup_namespace(root_dir, &ns_info, rw,
context->read_only_paths,
context->inaccessible_paths,
+ context->bind_mounts,
+ context->n_bind_mounts,
tmp,
var,
context->protect_home,
@@ -3086,6 +3091,8 @@ void exec_context_done(ExecContext *c) {
c->read_write_paths = strv_free(c->read_write_paths);
c->inaccessible_paths = strv_free(c->inaccessible_paths);
+ bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
+
if (c->cpuset)
CPU_FREE(c->cpuset);
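Review bot: After `bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);` the context still holds the freed pointer and the old count, unlike the neighbouring `strv_free()` lines which assign their result back to the field. If exec_context_done() can run more than once on the same ExecContext, or the dumper/namespace code sees the context afterwards, that is a double free or use-after-free waiting to happen; the guard in exec_needs_mount_namespace() (`n_bind_mounts > 0`) would still report true on such a stale context. I would add `c->bind_mounts = NULL;` and `c->n_bind_mounts = 0;` directly after the free call so the field state matches the other cleaned-up members. exec_context_done() starts and ends outside this hunk, so I cannot see whether the caller already resets these elsewhere.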
@@ -3569,6 +3576,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
fputs("\n", f);
}
+ if (c->n_bind_mounts > 0)
+ for (i = 0; i < c->n_bind_mounts; i++) {
+ fprintf(f, "%s%s: %s:%s:%s\n", prefix,
+ c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
+ c->bind_mounts[i].source,
+ c->bind_mounts[i].destination,
+ c->bind_mounts[i].recursive ? "rbind" : "norbind");
+ }
+
if (c->utmp_id)
fprintf(f,
"%sUtmpIdentifier: %s\n",