| | | |
|---|---|---|
| author | Djalal Harouni <tixxdz@opendz.org> | 2016-11-06 23:31:55 +0100 |
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-08 21:57:32 -0500 |
| commit | af964954c6a44bd664efe89052ced9584a966baa (patch) | |
| tree | e54b31af3547951962576bf0486765284cc6b489 /src/core/namespace.h | |
| parent | d85a0f802851e79efdb09acaa1ce517f7127ad28 (diff) | |
core: on DynamicUser= make sure that protecting sensitive paths is enforced (#4596)
This adds a variable that is always set to false to make sure that
protected paths inside the sandbox are always enforced and not ignored. The only
case when it is set to true is on DynamicUser=no and RootDirectory=/chroot
is set. This allows users to use more of our sandbox features inside RootDirectory=.
The only exception is ProtectSystem=full|strict and when DynamicUser=yes
is implied. Currently RootDirectory= is not fully compatible with these
due to two reasons:
* /chroot/usr|etc has to be present on ProtectSystem=full
* /chroot// has to be a mount point on ProtectSystem=strict.
Diffstat (limited to 'src/core/namespace.h')

| | | |
|---|---|---|
| -rw-r--r-- | src/core/namespace.h | 1 |

1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/namespace.h b/src/core/namespace.h index 6310638e9a..2c278fd457 100644 --- a/src/core/namespace.h +++ b/src/core/namespace.h @@ -44,6 +44,7 @@ typedef enum ProtectSystem { } ProtectSystem; struct NameSpaceInfo { + bool ignore_protect_paths:1; bool private_dev:1; bool protect_control_groups:1; bool protect_kernel_tunables:1; |
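Review bot: the new `bool ignore_protect_paths:1;` in `struct NameSpaceInfo` carries no comment, and since a `true` value switches sandbox protections off rather than on, the declaration should state the one condition under which it may be set (DynamicUser=no together with RootDirectory=, per the commit message) and that every other path must leave it false; otherwise a future caller can flip it without realising it disables ProtectSystem=/ProtectHome= enforcement. The inverted sense does have a sound default: a zero-initialised struct keeps protections enabled, which is the safe failure mode, so the fix is documentation at the field rather than a change of polarity. The `:1` bitfield form matches the neighbouring `private_dev`, `protect_control_groups` and `protect_kernel_tunables` fields, so no style concern there.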