diff options
author | Djalal Harouni <tixxdz@opendz.org> | 2016-10-12 14:11:16 +0200 |
---|---|---|
committer | Djalal Harouni <tixxdz@opendz.org> | 2016-10-12 14:11:16 +0200 |
commit | c575770b75b6cd15684fbacd249147bf5fd6ead7 (patch) | |
tree | 1dbde008e50d9ab2780168dd26ead86a762959dc /src/core/namespace.h | |
parent | ac246d9868bd476297e2702e0a7ef52294f9cfa8 (diff) |
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules=
Lets go further and make /lib/modules/ inaccessible for services that do
not have business with modules, this is a minor improvment but it may
help on setups with custom modules and they are limited... in regard of
kernel auto-load feature.
This change introduce NameSpaceInfo struct which we may embed later
inside ExecContext but for now lets just reduce the argument number to
setup_namespace() and merge ProtectKernelModules feature.
Diffstat (limited to 'src/core/namespace.h')
-rw-r--r-- | src/core/namespace.h | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/src/core/namespace.h b/src/core/namespace.h index 6505bcc499..6310638e9a 100644 --- a/src/core/namespace.h +++ b/src/core/namespace.h @@ -4,6 +4,7 @@ This file is part of systemd. Copyright 2010 Lennart Poettering + Copyright 2016 Djalal Harouni systemd is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by @@ -19,6 +20,8 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>. ***/ +typedef struct NameSpaceInfo NameSpaceInfo; + #include <stdbool.h> #include "macro.h" @@ -40,15 +43,20 @@ typedef enum ProtectSystem { _PROTECT_SYSTEM_INVALID = -1 } ProtectSystem; +struct NameSpaceInfo { + bool private_dev:1; + bool protect_control_groups:1; + bool protect_kernel_tunables:1; + bool protect_kernel_modules:1; +}; + int setup_namespace(const char *chroot, + const NameSpaceInfo *ns_info, char **read_write_paths, char **read_only_paths, char **inaccessible_paths, const char *tmp_dir, const char *var_tmp_dir, - bool private_dev, - bool protect_sysctl, - bool protect_cgroups, ProtectHome protect_home, ProtectSystem protect_system, unsigned long mount_flags); |