From ee818b89f4890b3a00e93772249fce810f60811e Mon Sep 17 00:00:00 2001
From: Alban Crequy
Date: Mon, 18 May 2015 12:20:28 +0200
Subject: core: Private*/Protect* options with RootDirectory
When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.
The test-ns tool can test setup_namespace() with and without chroot:
$ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns
$ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
---
 src/core/execute.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'src/core/execute.c')
diff --git a/src/core/execute.c b/src/core/execute.c
index 0cca4813a8..97498b23d7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1307,6 +1307,7 @@ static int exec_child(
 uid_t uid = UID_INVALID;
 gid_t gid = GID_INVALID;
 int i, r;
+ bool needs_mount_namespace;
 assert(unit);
 assert(command);
@@ -1585,7 +1586,9 @@ static int exec_child(
 }
 }
- if (exec_needs_mount_namespace(context, params, runtime)) {
+ needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
+
+ if (needs_mount_namespace) {
 char *tmp = NULL, *var = NULL;
 /* The runtime struct only contains the parent
@@ -1602,6 +1605,7 @@ static int exec_child(
 }
 r = setup_namespace(
+ params->apply_chroot ? context->root_directory : NULL,
 context->read_write_dirs,
 context->read_only_dirs,
 context->inaccessible_dirs,
@@ -1627,7 +1631,7 @@ static int exec_child(
 }
 if (params->apply_chroot) {
- if (context->root_directory)
+ if (!needs_mount_namespace && context->root_directory)
 if (chroot(context->root_directory) < 0) {
 *exit_status = EXIT_CHROOT;
 return -errno;
-- cgit v1.2.3-54-g00ecf
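Review bot: In the third hunk the `setup_namespace()` call gains a root directory but still passes `context->read_write_dirs`, `context->read_only_dirs` and `context->inaccessible_dirs` unchanged, and nothing at the call site says whether those paths are resolved against the host root or the new root. For a sandboxing option, that distinction decides which directories actually end up read-only or inaccessible. I would add a comment above the call, for example `/* With a root directory set, setup_namespace() applies all paths below it and enters the chroot itself; exec_child must not chroot() again. */`. That wording needs confirming against the definition of `setup_namespace()`, which this page does not show because the view is limited to src/core/execute.c. The argument list continues outside the hunk.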
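Review bot: The new `!needs_mount_namespace` guard in the last hunk skips `chroot()` whenever a mount namespace was requested, so RootDirectory= confinement now depends entirely on the earlier `setup_namespace()` call having succeeded. The handling of `r` after that call is outside the visible hunks. If any failure is tolerated there, for example a permission error treated as non-fatal, the service would keep running in the host root with no chroot applied. I would make that path fail closed when a root directory was passed, e.g. `if (r < 0 && params->apply_chroot && context->root_directory) { *exit_status = EXIT_CHROOT; return r; }`. exec_child's body starts and ends outside the hunk.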