author | Lennart Poettering <lennart@poettering.net> | 2011-08-02 05:24:58 +0200 |
committer | Lennart Poettering <lennart@poettering.net> | 2011-08-02 05:24:58 +0200 |
commit | ff01d048b4c1455241c894cf7982662c9d28fd34 (patch) | |
tree | 025e54f24e3e4879898e4be84b4e082367902f6a /src/execute.c | |
parent | 4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16 (diff) |
exec: introduce PrivateNetwork= process option to turn off network access to specific services
Diffstat (limited to 'src/execute.c')
-rw-r--r-- | src/execute.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/src/execute.c b/src/execute.c
index 668bf9d0f0..c73b0c6c04 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -56,6 +56,7 @@
 #include "missing.h"
 #include "utmp-wtmp.h"
 #include "def.h"
+#include "loopback-setup.h"
 
 /* This assumes there is a 'tty' group */
 #define TTY_MODE 0620
@@ -1208,6 +1209,14 @@ int exec_spawn(ExecCommand *command,
                         }
                 }
 #endif
+                if (context->private_network) {
+                        if (unshare(CLONE_NEWNET) < 0) {
+                                r = EXIT_NETWORK;
+                                goto fail_child;
+                        }
+
+                        loopback_setup();
+                }
 
                 if (strv_length(context->read_write_dirs) > 0 ||
                     strv_length(context->read_only_dirs) > 0 ||
@@ -1594,13 +1603,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 "%sRootDirectory: %s\n"
                 "%sNonBlocking: %s\n"
                 "%sPrivateTmp: %s\n"
-                "%sControlGroupModify: %s\n",
+                "%sControlGroupModify: %s\n"
+                "%sPrivateNetwork: %s\n",
                 prefix, c->umask,
                 prefix, c->working_directory ? c->working_directory : "/",
                 prefix, c->root_directory ? c->root_directory : "/",
                 prefix, yes_no(c->non_blocking),
                 prefix, yes_no(c->private_tmp),
-                prefix, yes_no(c->control_group_modify));
+                prefix, yes_no(c->control_group_modify),
+                prefix, yes_no(c->private_network));
 
         STRV_FOREACH(e, c->environment)
                 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
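Review bot: The return value of `loopback_setup()` is discarded in the new private_network block of exec_spawn, so a failure to bring up lo inside the freshly unshared namespace leaves the service running in a network namespace with no working loopback, which surfaces later as hard-to-diagnose connection failures instead of as a spawn error. Assuming loopback_setup() follows this file's convention of returning a negative value on failure, route it through the same exit path the hunk already uses for unshare(): `if (loopback_setup() < 0) { r = EXIT_NETWORK; goto fail_child; }`. Separately, unshare(CLONE_NEWNET) needs CAP_SYS_ADMIN in the child, so this block has to stay ahead of any capability or uid drop performed later in exec_spawn; a short comment such as `/* must run before privileges are dropped: CLONE_NEWNET needs CAP_SYS_ADMIN */` would make that ordering constraint explicit. exec_spawn starts and ends outside this hunk, so the actual ordering relative to the privilege drop cannot be confirmed from what is shown.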