authorDjalal Harouni <tixxdz@opendz.org>2016-10-12 14:11:16 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-10-12 14:11:16 +0200
commitc575770b75b6cd15684fbacd249147bf5fd6ead7 (patch)
tree1dbde008e50d9ab2780168dd26ead86a762959dc /src/core/execute.c
parentac246d9868bd476297e2702e0a7ef52294f9cfa8 (diff)
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules=
Let's go further and make /lib/modules/ inaccessible for services that have no business with modules. This is a minor improvement, but it may help on setups with custom modules, and they are limited in regard to the kernel auto-load feature. This change introduces the NameSpaceInfo struct, which we may embed later inside ExecContext; for now let's just reduce the argument count of setup_namespace() and merge in the ProtectKernelModules feature.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 7a278b7d31..dc078d96f0 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1766,6 +1766,7 @@ static bool exec_needs_mount_namespace(
context->protect_system != PROTECT_SYSTEM_NO ||
context->protect_home != PROTECT_HOME_NO ||
context->protect_kernel_tunables ||
+ context->protect_kernel_modules ||
context->protect_control_groups)
return true;
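Review bot: Adding `context->protect_kernel_modules` to this condition means ProtectKernelModules= on its own is now sufficient to put the service in a mount namespace, which appears to be a behavioural change for units that set only that option; if so it deserves a mention in the unit-file documentation and release notes rather than being implicit in this predicate. A short comment above the condition, `/* every option here needs its own mount namespace; keep in sync with the NameSpaceInfo fields filled in exec_child() */`, would make the coupling with the second hunk explicit. The body of exec_needs_mount_namespace() starts before this hunk.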
@@ -2493,6 +2494,12 @@ static int exec_child(
if (needs_mount_namespace) {
_cleanup_free_ char **rw = NULL;
char *tmp = NULL, *var = NULL;
+ NameSpaceInfo ns_info = {
+ .private_dev = context->private_devices,
+ .protect_control_groups = context->protect_control_groups,
+ .protect_kernel_tunables = context->protect_kernel_tunables,
+ .protect_kernel_modules = context->protect_kernel_modules,
+ };
/* The runtime struct only contains the parent
* of the private /tmp, which is
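Review bot: The new field name `private_dev` does not match the ExecContext member it is copied from, `context->private_devices`, while the other three fields keep the context's spelling exactly; renaming the struct field to `private_devices` (or documenting why it differs) would keep the mirror obvious. A one-line comment on the initializer, `/* sandboxing flags consumed by setup_namespace(); fields not listed stay zero */`, would also make the reliance on designated-initializer zeroing explicit for whoever adds the next field. exec_child() starts and ends outside this hunk.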
@@ -2515,14 +2522,12 @@ static int exec_child(
r = setup_namespace(
(params->flags & EXEC_APPLY_CHROOT) ? context->root_directory : NULL,
+ &ns_info,
rw,
context->read_only_paths,
context->inaccessible_paths,
tmp,
var,
- context->private_devices,
- context->protect_kernel_tunables,
- context->protect_control_groups,
context->protect_home,
context->protect_system,
context->mount_flags);
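Review bot: `&ns_info` points at a stack object of exec_child(), so the setup_namespace() parameter should be declared `const NameSpaceInfo *` if it is not already, so the callee can neither mutate the caller's flags nor be tempted to retain the pointer beyond the call; the prototype is not in this hunk, so this is a request to confirm. Since the commit message describes NameSpaceInfo as the new home for sandbox flags, it is a little inconsistent that `context->protect_home` and `context->protect_system` are still passed positionally right after it; a `/* TODO: fold into NameSpaceInfo */` on those two lines would record the intent stated in the description. exec_child() starts and ends outside this hunk.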