authorAlessandro Puccetti <alessandro@kinvolk.io>2016-07-06 09:48:58 +0200
committerAlessandro Puccetti <alessandro@kinvolk.io>2016-07-19 17:22:02 +0200
commitc4b41707462a74eb7008e8d12a0b4d0a0c09bff4 (patch)
treeff6991bfe6b79f53d501c061792cc428a8a38910 /src/core/namespace.c
parent14eb41b2a45f0ab56b06054c7bc40c3613b23e82 (diff)
namespace: unify limit behavior on non-directory paths
Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {file,device} nodes and mounts on the appropriate one the paths specified in `InaccessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
Diffstat (limited to 'src/core/namespace.c')
-rw-r--r--src/core/namespace.c31
1 files changed, 23 insertions, 8 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 203d122810..e465e825a1 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -278,6 +278,7 @@ static int apply_mount(
const char *what;
int r;
+ struct stat target;
assert(m);
@@ -287,12 +288,22 @@ static int apply_mount(
/* First, get rid of everything that is below if there
* is anything... Then, overmount it with an
- * inaccessible directory. */
+ * inaccessible path. */
umount_recursive(m->path, 0);
- what = "/run/systemd/inaccessible";
- break;
+ r = lstat(m->path, &target);
+ if (r != 0) {
+ if (m->ignore && errno == ENOENT)
+ return 0;
+ return -errno;
+ }
+ what = mode_to_inaccessible_node(target.st_mode);
+ if (what == NULL) {
+ log_debug("File type not supported. Note that symlinks are not allowed");
+ return -ELOOP;
+ }
+ break;
case READONLY:
case READWRITE:
/* Nothing to mount here, we just later toggle the
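Review bot: The file type is taken from `lstat(m->path, &target)` here, but the path is resolved again by name in the later `mount(what, m->path, ...)` call, so the node chosen by `mode_to_inaccessible_node()` is only correct if nothing replaces the path in between. Whether that window matters depends on who can write to the parent directories, which is not visible in this hunk; at minimum the assumption deserves a comment such as `/* m->path must not be replaceable by a less privileged user between lstat() and mount() */`. The debug message in the `what == NULL` branch also omits the path and returns `-ELOOP` for every unsupported type, so something like `log_debug("Cannot mask %s: unsupported file type (symlinks are not allowed)", m->path);` would make failures diagnosable. `mode_to_inaccessible_node()` and the start of `apply_mount()` are outside the hunk.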
@@ -317,12 +328,16 @@ static int apply_mount(
assert(what);
r = mount(what, m->path, NULL, MS_BIND|MS_REC, NULL);
- if (r >= 0)
+ if (r >= 0) {
log_debug("Successfully mounted %s to %s", what, m->path);
- else if (m->ignore && errno == ENOENT)
- return 0;
-
- return r;
+ return r;
+ }
+ else {
+ if (m->ignore && errno == ENOENT)
+ return 0;
+ log_debug("Failed mounting %s to %s: %s", what, m->path, strerror(errno));
+ return -errno;
+ }
}
static int make_read_only(BindMount *m) {
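Review bot: The failure branch formats the error with `strerror(errno)` and then reads `errno` a second time for the return value, which relies on nothing in the logging call changing it and uses the non-reentrant `strerror()`. The tree's errno-aware logging helper does both steps in one expression: `return log_debug_errno(errno, "Failed mounting %s to %s: %m", what, m->path);`. Since the success branch already returns, the `else { ... }` wrapper can be dropped and the `m->ignore && errno == ENOENT` check placed directly after it. The body of `apply_mount()` begins outside this hunk.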