author | Alban Crequy <alban@endocode.com> | 2015-05-18 12:20:28 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-05-18 18:47:45 +0200 |
commit | ee818b89f4890b3a00e93772249fce810f60811e (patch) | |
tree | 0bda24d838ca13d87f40eba0dc3f582731bf9396 /src/core/execute.c | |
parent | a363680faa063dbcb624a6dfc4798cff0a4ba9d5 (diff) |
core: Private*/Protect* options with RootDirectory
When a service is chrooted with the option RootDirectory=/opt/..., then
the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must
mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.
The test-ns tool can test setup_namespace() with and without chroot:
$ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns
$ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
Diffstat (limited to 'src/core/execute.c')
-rw-r--r-- | src/core/execute.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 0cca4813a8..97498b23d7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1307,6 +1307,7 @@ static int exec_child(
 uid_t uid = UID_INVALID;
 gid_t gid = GID_INVALID;
 int i, r;
+ bool needs_mount_namespace;
 assert(unit);
 assert(command);
@@ -1585,7 +1586,9 @@ static int exec_child(
 }
 }
- if (exec_needs_mount_namespace(context, params, runtime)) {
+ needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
+
+ if (needs_mount_namespace) {
 char *tmp = NULL, *var = NULL;
 /* The runtime struct only contains the parent
@@ -1602,6 +1605,7 @@ static int exec_child(
 }
 r = setup_namespace(
+ params->apply_chroot ? context->root_directory : NULL,
 context->read_write_dirs,
 context->read_only_dirs,
 context->inaccessible_dirs,
@@ -1627,7 +1631,7 @@ static int exec_child(
 }
 if (params->apply_chroot) {
- if (context->root_directory)
+ if (!needs_mount_namespace && context->root_directory)
 if (chroot(context->root_directory) < 0) {
 *exit_status = EXIT_CHROOT;
 return -errno; |
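Review bot: Nothing at the `setup_namespace(` call site in the third hunk says what the new first argument, `params->apply_chroot ? context->root_directory : NULL`, does to the path lists that follow it. The diff is limited to execute.c, so it is not visible whether `read_write_dirs`, `read_only_dirs` and `inaccessible_dirs` are now also resolved under the new root. If they are, a unit that listed host-absolute paths beneath its RootDirectory would presumably stop matching and leave that path unprotected, which is worth confirming and documenting. A short comment on the argument would record the contract, e.g. `/* root under which all namespace mounts are made; NULL when no chroot is applied */`. The call's argument list continues outside the hunk.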
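Review bot: In the last hunk, `if (!needs_mount_namespace && context->root_directory)` makes exec_child skip `chroot()` whenever a mount namespace was set up, so confinement to RootDirectory then rests entirely on setup_namespace() having changed the root itself. That half of the contract is not visible in this diff, so the invariant should be stated where the check lives, e.g. `/* setup_namespace() already switched root when it was given root_directory; chroot here only if it was not called */`. The two nested unbraced `if`s are easy to misread now that the outer condition is security-relevant, and bracing the outer one would help. The body of the `if (params->apply_chroot)` block continues outside the hunk.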