From 50b3dfb9d64872025450aa63765206720be471d6 Mon Sep 17 00:00:00 2001
From: Djalal Harouni <tixxdz@opendz.org>
Date: Tue, 25 Oct 2016 16:24:35 +0200
Subject: core: lets apply working directory just after mount namespaces

This makes applying groups after applying the working directory, this
may allow some flexibility but at same it is not a big deal since we
don't execute or do anything between applying working directory and
droping groups.
---
 src/core/execute.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'src/core/execute.c')

diff --git a/src/core/execute.c b/src/core/execute.c
index 0b6fcc9ac7..a9e39f6fd7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2559,6 +2559,13 @@ static int exec_child(
                 }
         }
 
+        /* Apply just after mount namespace setup */
+        r = apply_working_directory(context, params, home, needs_mount_namespace);
+        if (r < 0) {
+                *exit_status = EXIT_CHROOT;
+                return r;
+        }
+
         /* Drop group as early as possbile */
         if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
                 r = enforce_groups(context, gid, supplementary_gids, ngids);
@@ -2568,12 +2575,6 @@ static int exec_child(
                 }
         }
 
-        r = apply_working_directory(context, params, home, needs_mount_namespace);
-        if (r < 0) {
-                *exit_status = EXIT_CHROOT;
-                return r;
-        }
-
 #ifdef HAVE_SELINUX
         if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
             mac_selinux_use() &&
-- 
cgit v1.2.3-54-g00ecf