From d2d6c096f6373a76f3b303a7a116e7cfe7139c4d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 23 Nov 2016 22:21:40 +0100
Subject: core: add ability to define arbitrary bind mounts for services
This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too).
Fixes: #3439
---
 src/core/execute.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'src/core/execute.c')
diff --git a/src/core/execute.c b/src/core/execute.c
index 07ab067c05..2ee8c9a416 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1826,6 +1826,9 @@ static bool exec_needs_mount_namespace(
 !strv_isempty(context->inaccessible_paths)) return true;
+ if (context->n_bind_mounts > 0) return true;
+
 if (context->mount_flags != 0) return true;
@@ -2147,6 +2150,8 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context,
 r = setup_namespace(root_dir, &ns_info, rw, context->read_only_paths, context->inaccessible_paths,
+ context->bind_mounts,
+ context->n_bind_mounts,
 tmp, var, context->protect_home,
@@ -3086,6 +3091,8 @@ void exec_context_done(ExecContext *c) {
 c->read_write_paths = strv_free(c->read_write_paths); c->inaccessible_paths = strv_free(c->inaccessible_paths);
+ bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
+
 if (c->cpuset) CPU_FREE(c->cpuset);
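Review bot: Nothing at this call site shows that a BindReadOnlyPaths= entry actually ends up read-only, and that is the security-relevant promise of the new option: on Linux a plain MS_BIND mount ignores MS_RDONLY, so every read-only bind needs a second MS_REMOUNT|MS_BIND|MS_RDONLY pass, which would have to live inside setup_namespace() and is not part of this diff. The order in which setup_namespace() applies `context->bind_mounts` relative to `context->read_only_paths` and `context->inaccessible_paths` also decides whether a bind destination placed under an InaccessiblePaths= entry re-exposes it, which the patch does not document. Worth confirming in setup_namespace() and recording at the call, e.g. `/* bind mounts are applied by setup_namespace(); read-only entries need a remount pass there */`. apply_mount_namespace() starts and ends outside the hunk.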
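Review bot: In exec_context_done() the added `bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);` frees the array but leaves `c->bind_mounts` and `c->n_bind_mounts` holding the stale pointer and count, unlike the two `strv_free()` lines directly above, which reassign the cleared pointer. If the context is dumped or torn down again after this point (exec_context_dump() in this same patch iterates over `n_bind_mounts`), that is a use-after-free or a double free; reset both fields right after the call: `c->bind_mounts = NULL;` and `c->n_bind_mounts = 0;`. Whether bind_mount_free_many() itself returns NULL in the style of strv_free() is not visible here, so the explicit reset is the safe choice either way. The function starts and ends outside the hunk.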
@@ -3569,6 +3576,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
 fputs("\n", f); }
+ if (c->n_bind_mounts > 0)
+ for (i = 0; i < c->n_bind_mounts; i++) {
+ fprintf(f, "%s%s: %s:%s:%s\n", prefix,
+ c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
+ c->bind_mounts[i].source,
+ c->bind_mounts[i].destination,
+ c->bind_mounts[i].recursive ? "rbind" : "norbind");
+ }
+
 if (c->utmp_id) fprintf(f, "%sUtmpIdentifier: %s\n",
--
cgit v1.2.3-54-g00ecf
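Review bot: The `if (c->n_bind_mounts > 0)` guard wrapping the loop is redundant, since `for (i = 0; i < c->n_bind_mounts; i++)` already runs zero times for an empty array, and a brace-less `if` around a braced `for` is an odd shape; drop the guard and keep only the loop. The loop reuses an `i` declared outside the hunk, so its type should be checked against the type of `n_bind_mounts` to avoid a signed/unsigned or width mismatch in the comparison. The colon-separated `source:destination:rbind` output mirrors the option syntax but prints ambiguously when a source path itself contains `:`; that is acceptable for a dump, but say so, e.g. `/* informational only; not re-parseable when paths contain ':' */`. exec_context_dump() continues outside the hunk.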