summaryrefslogtreecommitdiff
path: root/src/core/namespace.h
diff options
context:
space:
mode:
authorDjalal Harouni <tixxdz@opendz.org>2016-10-12 14:11:16 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-10-12 14:11:16 +0200
commitc575770b75b6cd15684fbacd249147bf5fd6ead7 (patch)
tree1dbde008e50d9ab2780168dd26ead86a762959dc /src/core/namespace.h
parentac246d9868bd476297e2702e0a7ef52294f9cfa8 (diff)
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules=
Lets go further and make /lib/modules/ inaccessible for services that do not have business with modules, this is a minor improvment but it may help on setups with custom modules and they are limited... in regard of kernel auto-load feature. This change introduce NameSpaceInfo struct which we may embed later inside ExecContext but for now lets just reduce the argument number to setup_namespace() and merge ProtectKernelModules feature.
Diffstat (limited to 'src/core/namespace.h')
-rw-r--r--src/core/namespace.h14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 6505bcc499..6310638e9a 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -4,6 +4,7 @@
This file is part of systemd.
Copyright 2010 Lennart Poettering
+ Copyright 2016 Djalal Harouni
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
@@ -19,6 +20,8 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+typedef struct NameSpaceInfo NameSpaceInfo;
+
#include <stdbool.h>
#include "macro.h"
@@ -40,15 +43,20 @@ typedef enum ProtectSystem {
_PROTECT_SYSTEM_INVALID = -1
} ProtectSystem;
+struct NameSpaceInfo {
+ bool private_dev:1;
+ bool protect_control_groups:1;
+ bool protect_kernel_tunables:1;
+ bool protect_kernel_modules:1;
+};
+
int setup_namespace(const char *chroot,
+ const NameSpaceInfo *ns_info,
char **read_write_paths,
char **read_only_paths,
char **inaccessible_paths,
const char *tmp_dir,
const char *var_tmp_dir,
- bool private_dev,
- bool protect_sysctl,
- bool protect_cgroups,
ProtectHome protect_home,
ProtectSystem protect_system,
unsigned long mount_flags);