summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/core/namespace.c46
1 files changed, 34 insertions, 12 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 13f6aeba51..8aa8b83c88 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -515,6 +515,32 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
return 0;
}
+static unsigned namespace_calculate_mounts(
+ char** read_write_paths,
+ char** read_only_paths,
+ char** inaccessible_paths,
+ const char* tmp_dir,
+ const char* var_tmp_dir,
+ bool private_dev,
+ bool protect_sysctl,
+ bool protect_cgroups,
+ ProtectHome protect_home,
+ ProtectSystem protect_system) {
+
+ return !!tmp_dir + !!var_tmp_dir +
+ strv_length(read_write_paths) +
+ strv_length(read_only_paths) +
+ strv_length(inaccessible_paths) +
+ private_dev +
+ (protect_sysctl ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
+ (protect_cgroups ? 1 : 0) +
+ (protect_home != PROTECT_HOME_NO || protect_system == PROTECT_SYSTEM_STRICT ? 3 : 0) +
+ (protect_system == PROTECT_SYSTEM_STRICT ?
+ (2 + !private_dev + !protect_sysctl) :
+ ((protect_system != PROTECT_SYSTEM_NO ? 3 : 0) +
+ (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0)));
+}
+
int setup_namespace(
const char* root_directory,
char** read_write_paths,
@@ -537,19 +563,15 @@ int setup_namespace(
if (mount_flags == 0)
mount_flags = MS_SHARED;
- n = !!tmp_dir + !!var_tmp_dir +
- strv_length(read_write_paths) +
- strv_length(read_only_paths) +
- strv_length(inaccessible_paths) +
- private_dev +
- (protect_sysctl ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
- (protect_cgroups ? 1 : 0) +
- (protect_home != PROTECT_HOME_NO || protect_system == PROTECT_SYSTEM_STRICT ? 3 : 0) +
- (protect_system == PROTECT_SYSTEM_STRICT ?
- (2 + !private_dev + !protect_sysctl) :
- ((protect_system != PROTECT_SYSTEM_NO ? 3 : 0) +
- (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0)));
+ n = namespace_calculate_mounts(read_write_paths,
+ read_only_paths,
+ inaccessible_paths,
+ tmp_dir, var_tmp_dir,
+ private_dev, protect_sysctl,
+ protect_cgroups, protect_home,
+ protect_system);
+ /* Set mount slave mode */
if (root_directory || n > 0)
make_slave = true;