core: imply ProtectHome=read-only and ProtectSystem=strict if DynamicUser=1

Let's make sure that services that use DynamicUser=1 cannot leave files in the file system should the system accidentally have a world-writable directory somewhere. This effectively ensures that directories need to be whitelisted rather than blacklisted for access when DynamicUser=1 is set.
author: Lennart Poettering <lennart@poettering.net> 2016-08-25 16:12:46 +0200
committer: Djalal Harouni <tixxdz@opendz.org> 2016-09-25 10:42:18 +0200
commit: 63bb64a056113d4be5fefb16604accf08c8c204a (patch)
tree: de25d811ab238a0d1ad3509ffb2ffd7a1f897259 /src
parent: 3f815163ff8fdcdbd329680580df36f94e15325d (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/unit.c b/src/core/unit.c
index de22f657c6..5d284a359d 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3377,8 +3377,14 @@ int unit_patch_contexts(Unit *u) {
                                         return -ENOMEM;
                         }
 
+                        /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID
+                         * around in the file system or on IPC objects. Hence enforce a strict sandbox. */
+
                         ec->private_tmp = true;
                         ec->remove_ipc = true;
+                        ec->protect_system = PROTECT_SYSTEM_STRICT;
+                        if (ec->protect_home == PROTECT_HOME_NO)
+                                ec->protect_home = PROTECT_HOME_READ_ONLY;
                 }
         }
author	Lennart Poettering <lennart@poettering.net>	2016-08-25 16:12:46 +0200
committer	Djalal Harouni <tixxdz@opendz.org>	2016-09-25 10:42:18 +0200
commit	63bb64a056113d4be5fefb16604accf08c8c204a (patch)
tree	de25d811ab238a0d1ad3509ffb2ffd7a1f897259 /src
parent	3f815163ff8fdcdbd329680580df36f94e15325d (diff)